@spasam
Created February 8, 2023 18:56
Microsoft Azure Sentinel - Analytical Rules
| Rule | Red team bypass |
| --- | --- |
| Change To RDS Database | Covers RDS, but where are the checks for Redshift, Elasticache, etc.? |
| Change To VPC | Only checks for the CreateNetworkAclEntry, CreateRoute, CreateRouteTable, CreateInternetGateway and CreateNatGateway API calls. There are many more APIs that can be used to make changes to a VPC: Peering, Transit Gateway, etc. |
| Clear Stop Change Trail Logs | Checks for UpdateTrail, DeleteTrail, StopLogging, DeleteFlowLogs and DeleteEventBus. What about DeleteQueryLoggingConfig or DeleteLogGroup? |
| Created CRUD DynamoDB Policy to Privilege Escalation | Can use a wildcard in the policy Actions to bypass |
| Created CRUD IAM to Privilege Escalation | Can use a wildcard in the policy Actions to bypass |
| Created CRUD KMS Policy to Privilege Escalation | Can use a wildcard in the policy Actions to bypass |
| Created CRUD S3 Policy to Privilege Escalation | Can use a wildcard in the policy Actions to bypass |
| Created CRUD Lambda Policy to Privilege Escalation | Can use a wildcard in the policy Actions to bypass |
| Created CloudFormation Policy to Privilege Escalation | Can use a wildcard in the policy Actions to bypass |
| Created DataPipeline Policy to Privilege Escalation | Can use a wildcard in the policy Actions to bypass |
| Created EC2 Policy to Privilege Escalation | Can use a wildcard in the policy Actions to bypass |
| Created Glue Policy to Privilege Escalation | Can use a wildcard in the policy Actions to bypass |
| Created Lambda Policy to Privilege Escalation | Can use a wildcard in the policy Actions to bypass |
| Created SSM Policy to Privilege Escalation | Can use a wildcard in the policy Actions to bypass |
| Creation Of Encrypt Keys Without MFA | Can use a wildcard in the policy Actions to bypass |
| Credential Hijack | Checks for GetCallerIdentity. There are numerous other APIs that can be used to get the caller identity details |
| Ingress/Egress SecurityGroup Change | Like I mentioned for the RDS Security Group check, there are many other security group operations that are missing |
| Log Tampering | Isn't this the same as Clear Stop Change Trail Logs? Also missing DeleteQueryLoggingConfig |
| Network ACL Open To All Ports | Checks for CreateNetworkAclEntry and ReplaceNetworkAclEntry. What about deleting an ACL entry using DeleteNetworkAclEntry? Especially ones that deny traffic on a port |
| Overly Permissive KMS | Can use a wildcard in the policy Actions to bypass |
| Privilege Escalation Via CRUD IAM Policy | Can use a wildcard in the policy Actions to bypass |
| Privilege Escalation Via CRUD KMS Policy | Can use a wildcard in the policy Actions to bypass |
| Privilege Escalation Via CRUD Lambda Policy | Can use a wildcard in the policy Actions to bypass |
| Privilege Escalation Via CRUD S3 Policy | Can use a wildcard in the policy Actions to bypass |
| Privilege Escalation Via CloudFormation Policy | Can use a wildcard in the policy Actions to bypass |
| Privilege Escalation Via DataPipeline | Can use a wildcard in the policy Actions to bypass |
| Privilege Escalation Via EC2 Policy | Can use a wildcard in the policy Actions to bypass |
| Privilege Escalation Via Glue Policy | Can use a wildcard in the policy Actions to bypass |
| Privilege Escalation Via Lambda Policy | Can use a wildcard in the policy Actions to bypass |
| Privilege Escalation Via SSM | Can use a wildcard in the policy Actions to bypass |
| Privilege Escalation via CRUD DynamoDB | Can use a wildcard in the policy Actions to bypass |
| S3 Brute Force | Brute force attempts using S3 GetObject. What if the caller uses HeadObject? |
| S3 Bucket Access Point Exposed | This can be easily bypassed if a bogus condition that always evaluates to true is used in the policy |
| S3 Bucket Exposed via Policy | This can be easily bypassed if a bogus condition that always evaluates to true is used in the policy |
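The recurring gap in the privilege-escalation rows is that a rule matching policy Actions as literal strings never fires on `*`, `iam:*` or `iam:Put*`. As an added illustration (not part of this gist or of the Sentinel rules), the following Python contrasts that literal check with a wildcard-aware one; the sensitive-action list, the CloudTrail record shape and the function names are constructed for the example.

```python
import fnmatch
import json

# Constructed, illustrative action list; the Sentinel rules' own lists are not reproduced.
SENSITIVE_ACTIONS = frozenset({
    "iam:CreatePolicyVersion", "iam:AttachUserPolicy", "iam:PutUserPolicy",
    "iam:CreateAccessKey", "kms:PutKeyPolicy", "lambda:UpdateFunctionCode",
    "s3:PutBucketPolicy", "dynamodb:PutItem",
})

def _as_list(value):
    """Statement, Action and NotAction may each be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(action, pattern):
    # IAM action names are case-insensitive; '*' and '?' are the wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def literal_match(policy_document):
    """The check the gist critiques: an action counts only if it is spelled out exactly."""
    found = set()
    for stmt in _as_list(json.loads(policy_document).get("Statement")):
        if stmt.get("Effect") == "Allow":
            found |= set(_as_list(stmt.get("Action"))) & SENSITIVE_ACTIONS
    return found

def granted_sensitive_actions(policy_document):
    """Wildcard-aware check: expand '*', 'iam:*', 'iam:Put*' and Allow+NotAction."""
    found = set()
    for stmt in _as_list(json.loads(policy_document).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            found |= {a for a in SENSITIVE_ACTIONS if _matches(a, pattern)}
        if "NotAction" in stmt:  # Allow with NotAction grants everything not listed
            excluded = _as_list(stmt["NotAction"])
            found |= {a for a in SENSITIVE_ACTIONS if not any(_matches(a, p) for p in excluded)}
    return found

def flag_policy_event(event):
    """Run the wildcard-aware check on a CloudTrail-shaped record (assumed shape: IAM
    CreatePolicy/PutUserPolicy carry the JSON policy in requestParameters.policyDocument)."""
    doc = (event.get("requestParameters") or {}).get("policyDocument")
    return granted_sensitive_actions(doc) if doc else set()
```

A rule built on `granted_sensitive_actions` fires on the same wildcard policies that slip past `literal_match`, and the `NotAction` branch covers the equivalent evasion where the sensitive service is simply not excluded.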