opensearch-project · sbcd90 · Jan 11, 2023 · Jan 10, 2023
@@ -4,7 +4,7 @@ fieldmappings:
     requestParameters.arn: aws-cloudtrail-requestParameters-arn
     requestParameters.attribute: aws-cloudtrail-requestParameters-attribute
     requestParameters.userName: aws-cloudtrail-requestParameters-userName
-    requestParameters.containerDefinitions.command: aws-cloudtrail-requestParameters-container-definitions-command
-    userIdentity.sessionContext.sessionIssuer.type: aws-cloudtrail-userIdentity-sessionContext-session_issuer-type
+    requestParameters.containerDefinitions.command: aws-cloudtrail-requestParameters-containerDefinitions-command
+    userIdentity.sessionContext.sessionIssuer.type: userIdentity-sessionContext-sessionIssuer-type
     userIdentity.type: aws-cloudtrail-userIdentity-type
-    userIdentity.arn: aws-cloudtrail-userIdentity-type
+    userIdentity.arn: aws-cloudtrail-userIdentity-arn
@@ -47,6 +47,6 @@
     "process-real_user-id": {
       "path": "process.real_user.id",
       "type": "alias"
-    },
+    }
   }
 }
@@ -1,5 +1,5 @@
 title: Sign-in Failure Bad Password Threshold
-id: dff74231-dbed-42ab-ba49-83289be2ac3a
+id: dff74231-dbed-42ab-ba49-84289be2ac3a
 description: Define a baseline threshold and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated.
 author: Corissa Koopmans, '@corissalea'
 date: 2022/04/21

@@ -1,5 +1,5 @@
 title: Azure Active Directory Hybrid Health AD FS New Server
-id: 288a39fc-4914-4831-9ada-270e9dc12cb4
+id: 287a39fc-4914-4831-9ada-270e9dc12cb4
 description: |
   This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.
   A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.

@@ -1,5 +1,5 @@
 title: Azure Active Directory Hybrid Health AD FS Service Delete
-id: 48739819-8230-4ee3-a8ea-e0289d1fb0ff
+id: 48739819-8230-4de3-a8ea-e0289d1fb0ff
 description: |
   This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.
   A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.

@@ -1,5 +1,5 @@
 title: Bitlocker Key Retrieval
-id: a0413867-daf3-43dd-9245-734b3a787942
+id: a0413867-daf3-43dd-9255-734b3a787942
 description: Monitor and alert for Bitlocker key retrieval.
 author: Michael Epping, '@mepples21'
 date: 2022/06/28

@@ -1,5 +1,5 @@
 title: Device Registration or Join Without MFA
-id: 5afa454e-030c-4ab4-9253-a90aa7fcc581
+id: 5afa454e-030c-4ab4-9253-a90aa7fac581
 description: Monitor and alert for device registration or join events where MFA was not performed.
 author: Michael Epping, '@mepples21'
 date: 2022/06/28

@@ -1,5 +1,5 @@
 title: Changes to Device Registration Policy
-id: 9494bff8-959f-4440-bbce-fb87a208d517
+id: 9494bff8-959f-4440-abce-fb87a208d517
 description: Monitor and alert for changes to the device registration policy.
 author: Michael Epping, '@mepples21'
 date: 2022/06/28

@@ -1,5 +1,5 @@
 title: Sign-ins from Non-Compliant Devices
-id: 4f77e1d7-3982-4ee0-8489-abf2d6b75284
+id: 4f77e1d7-3972-4ee0-8489-abf2d6b75284
 description: Monitor and alert for sign-ins where the device was non-compliant.
 author: Michael Epping, '@mepples21'
 date: 2022/06/28

@@ -1,5 +1,5 @@
 title: Sign-ins by Unknown Devices
-id: 4d136857-6a1a-432a-82fc-5dd497ee5e7c
+id: 4d136857-6a1a-432a-82ec-5dd497ee5e7c
 description: Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.
 author: Michael Epping, '@mepples21'
 date: 2022/06/28

@@ -1,5 +1,5 @@
 title: User Added to an Administrator's Azure AD Role
-id: ebbeb024-5b1d-4e16-9c0c-917f86c708a7
+id: ebbeb024-5b1d-4e16-9c1c-917f86c708a7
 description: User Added to an Administrator's Azure AD Role
 author: Raphaël CALVET, @MetallicHack
 date: 2021/10/04

@@ -1,5 +1,5 @@
 title: Users Added to Global or Device Admin Roles
-id: 11c767ae-500b-423b-bae3-b234450736ed
+id: 11c767ae-500b-423b-bae3-b244450736ed
 description: Monitor and alert for users added to device admin roles.
 author: Michael Epping, '@mepples21'
 date: 2022/06/28

@@ -1,5 +1,5 @@
 title: LDAP Reconnaissance / Active Directory Enumeration
-id: 31d68132-4038-47c7-8f8e-635a39a7c174
+id: 31d68132-4038-47c7-8f8d-635a39a7c174
 status: experimental
 description: Detects possible Active Directory enumeration via LDAP
 author: Adeem Mawani

@@ -1,5 +1,5 @@
 title: AWS S3 Data Management Tampering
-id: 78b3756a-7804-4ef7-8555-7b9024a02e2d
+id: 78b3756a-7804-4ef7-8555-7b9024a02d2d
 description: Detects when a user tampers with S3 data management in Amazon Web Services.
 author: Austin Songer @austinsonger
 status: experimental

@@ -16,9 +16,9 @@ logsource:
   service: system
 detection:
   selection:
-    EventID: 22
-    Message|contains: 'C:\\Program Files\\nxlog\\nxlog.exe'
-    HostName|startswith: 'EC2AMAZ'
+    EventId: 22
+    message|contains: 'C:\\Program Files\\nxlog\\nxlog.exe'
+    hostname|startswith: 'EC2AMAZ'
   condition: selection
 falsepositives:
   - Unknown