From 8ddde32258ead0ba237966889a6b854b67751b87 Mon Sep 17 00:00:00 2001
From: Nick Hakmiller <49166439+nhakmiller@users.noreply.github.com>
Date: Mon, 22 Jul 2024 07:29:27 -0700
Subject: [PATCH] Update default timeouts (#1294)
* bump some default timeouts
* more tweaking
* more bumps
---------
Co-authored-by: Nicholas Hakmiller
---
 ...rail_stopinstance_followed_by_modifyinstanceattributes.yml | 2 +-
 .../aws_potentially_compromised_service_role.yml | 4 ++--
 .../aws_privilege_escalation_via_user_compromise.yml | 4 ++--
 correlation_rules/aws_user_takeover_via_password_reset.yml | 2 +-
 ...cp_cloud_run_service_create_followed_by_set_iam_policy.yml | 2 +-
 ...advanced_security_change_not_followed_by_repo_archived.yml | 4 ++--
 correlation_rules/okta_login_without_push.yml | 4 ++--
 correlation_rules/potential_compromised_okta_credentials.yml | 4 ++--
 correlation_rules/secret_exposed_and_not_quarantined.yml | 4 ++--
 correlation_rules/snowflake_data_exfiltration.yml | 2 +-
 10 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/correlation_rules/aws_cloudtrail_stopinstance_followed_by_modifyinstanceattributes.yml b/correlation_rules/aws_cloudtrail_stopinstance_followed_by_modifyinstanceattributes.yml
index c60c8ee75..8642ad7fd 100644
--- a/correlation_rules/aws_cloudtrail_stopinstance_followed_by_modifyinstanceattributes.yml
+++ b/correlation_rules/aws_cloudtrail_stopinstance_followed_by_modifyinstanceattributes.yml
@@ -23,7 +23,7 @@ Detection:
 LookbackWindowMinutes: 90
 Schedule:
 RateMinutes: 60
- TimeoutMinutes: 1
+ TimeoutMinutes: 5
 Tests:
 - Name: Instance Stopped, Followed By Script Change
 ExpectedResult: true
diff --git a/correlation_rules/aws_potentially_compromised_service_role.yml b/correlation_rules/aws_potentially_compromised_service_role.yml
index 799628aa8..54018eacc 100644
--- a/correlation_rules/aws_potentially_compromised_service_role.yml
+++ b/correlation_rules/aws_potentially_compromised_service_role.yml
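Review bot: The new `TimeoutMinutes: 5` in the aws_cloudtrail_stopinstance_followed_by_modifyinstanceattributes hunk carries no rationale for the chosen value, and the same is true of the other timeout bumps in this patch (aws_potentially_compromised_service_role, aws_privilege_escalation_via_user_compromise, aws_user_takeover_via_password_reset, gcp_cloud_run_service_create_followed_by_set_iam_policy, github_advanced_security_change_not_followed_by_repo_archived, okta_login_without_push, potential_compromised_okta_credentials, secret_exposed_and_not_quarantined, snowflake_data_exfiltration). The values look like they track LookbackWindowMinutes (15 for the 1440-minute rules, 5 for the 60–90-minute ones, 3 for the 30-minute Okta rules), but that is inferred from the numbers, not stated anywhere. Presumably a run that exceeds the timeout is abandoned and that window goes unevaluated, which for a correlation rule is a silent detection gap rather than an error a responder sees, so the sizing deserves a recorded reason. An inline comment such as `TimeoutMinutes: 5  # sized for the 90-minute lookback; keep below RateMinutes` on each Schedule block would make the tuning reviewable. Only the TimeoutMinutes line changes here; the enclosing Schedule and Tests mappings continue outside the hunk.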
@@ -23,7 +23,7 @@ Detection:
 - On: requestParameters.roleArn
 Schedule:
 RateMinutes: 60
- TimeoutMinutes: 2
+ TimeoutMinutes: 15
 LookbackWindowMinutes: 1440
 Tests:
 - Name: Role Assumed By Service, Followed By Role Assumed By User
@@ -61,4 +61,4 @@ Tests:
 - ID: Role Assumed by User
 Matches:
 requestParameters.roleArn:
- FAKE_ROLE_ARN: [0]
\ No newline at end of file
+ FAKE_ROLE_ARN: [0]
diff --git a/correlation_rules/aws_privilege_escalation_via_user_compromise.yml b/correlation_rules/aws_privilege_escalation_via_user_compromise.yml
index 499bdfb03..a1fc7b0b1 100644
--- a/correlation_rules/aws_privilege_escalation_via_user_compromise.yml
+++ b/correlation_rules/aws_privilege_escalation_via_user_compromise.yml
@@ -20,7 +20,7 @@ Detection:
 - On: p_alert_context.ip_accessKeyId
 Schedule:
 RateMinutes: 15
- TimeoutMinutes: 2
+ TimeoutMinutes: 5
 LookbackWindowMinutes: 60
 Tests:
 - Name: Access Key Created and Used from Same IP
@@ -69,4 +69,4 @@ Tests:
 - ID: User Accessed
 Matches:
 p_alert_context.ip_accessKeyId:
- 1.1.1.1-FAKE_ACCESS_KEY_ID: [30]
\ No newline at end of file
+ 1.1.1.1-FAKE_ACCESS_KEY_ID: [30]
diff --git a/correlation_rules/aws_user_takeover_via_password_reset.yml b/correlation_rules/aws_user_takeover_via_password_reset.yml
index 3792a8f5f..6183b6d7a 100644
--- a/correlation_rules/aws_user_takeover_via_password_reset.yml
+++ b/correlation_rules/aws_user_takeover_via_password_reset.yml
@@ -20,7 +20,7 @@ Detection:
 - On: sourceIPAddress
 Schedule:
 RateMinutes: 15
- TimeoutMinutes: 2
+ TimeoutMinutes: 5
 LookbackWindowMinutes: 60
 Tests:
 - Name: Password Reset, Then Login From Same IP
diff --git a/correlation_rules/gcp_cloud_run_service_create_followed_by_set_iam_policy.yml b/correlation_rules/gcp_cloud_run_service_create_followed_by_set_iam_policy.yml
index c0643468d..51abac686 100644
--- a/correlation_rules/gcp_cloud_run_service_create_followed_by_set_iam_policy.yml
+++ b/correlation_rules/gcp_cloud_run_service_create_followed_by_set_iam_policy.yml
@@ -26,7 +26,7 @@ Detection:
 LookbackWindowMinutes: 90
 Schedule:
 RateMinutes: 60
- TimeoutMinutes: 1
+ TimeoutMinutes: 5
 Tests:
 - Name: GCP Service Run, Followed By IAM Policy Change From Same IP
 ExpectedResult: true
diff --git a/correlation_rules/github_advanced_security_change_not_followed_by_repo_archived.yml b/correlation_rules/github_advanced_security_change_not_followed_by_repo_archived.yml
index a581109c3..2e04758b2 100644
--- a/correlation_rules/github_advanced_security_change_not_followed_by_repo_archived.yml
+++ b/correlation_rules/github_advanced_security_change_not_followed_by_repo_archived.yml
@@ -21,7 +21,7 @@ Detection:
 LookbackWindowMinutes: 15
 Schedule:
 RateMinutes: 10
- TimeoutMinutes: 1
+ TimeoutMinutes: 5
 Tests:
 - Name: Security Change on Repo, Followed By Same Repo Archived
 ExpectedResult: false
@@ -56,4 +56,4 @@ Tests:
 Matches:
 p_alert_context.repo:
 my-org/example-repo:
- - "2024-06-01T10:00:00Z"
\ No newline at end of file
+ - "2024-06-01T10:00:00Z"
diff --git a/correlation_rules/okta_login_without_push.yml b/correlation_rules/okta_login_without_push.yml
index 7e26e5e20..28d21d402 100644
--- a/correlation_rules/okta_login_without_push.yml
+++ b/correlation_rules/okta_login_without_push.yml
@@ -26,7 +26,7 @@ Detection:
 To: new.email
 Schedule:
 RateMinutes: 5
- TimeoutMinutes: 2
+ TimeoutMinutes: 3
 LookbackWindowMinutes: 30
 Tests:
 - Name: Okta Login, Followed By Push Authorized Login
@@ -62,4 +62,4 @@ Tests:
 Matches:
 new.email:
 samwise.gamgee@hobbiton.com:
- - 3
\ No newline at end of file
+ - 3
diff --git a/correlation_rules/potential_compromised_okta_credentials.yml b/correlation_rules/potential_compromised_okta_credentials.yml
index 720f21466..4c6ba5cc5 100644
--- a/correlation_rules/potential_compromised_okta_credentials.yml
+++ b/correlation_rules/potential_compromised_okta_credentials.yml
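Review bot: In the github_advanced_security_change_not_followed_by_repo_archived hunk the new `TimeoutMinutes: 5` covers a 15-minute LookbackWindowMinutes, while the two Okta rules in this patch get `TimeoutMinutes: 3` for a 30-minute lookback, so whichever rule of thumb produced these numbers is not applied uniformly. If the intent is to size the timeout by lookback, 3 would match the Okta rules; if it reflects measured runtime, a comment saying so, e.g. `TimeoutMinutes: 5  # measured runtime, not lookback-derived`, would stop the next reader from "correcting" it. The okta_login_without_push hunk on this same line sets the timeout to 3 of a 5-minute RateMinutes, the tightest ratio in the patch; whether a run that is still executing at the next scheduled tick is skipped, queued or run concurrently is not visible from the rule file and is worth confirming so that the tighter margin does not quietly drop evaluations. The Schedule and Tests mappings in both hunks continue outside the shown lines.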
@@ -25,7 +25,7 @@ Detection:
 To: new.employee.email
 Schedule:
 RateMinutes: 5
- TimeoutMinutes: 1
+ TimeoutMinutes: 3
 LookbackWindowMinutes: 30
 Tests:
 - Name: Login Without Marker, Followed By Phishing Detection
@@ -61,4 +61,4 @@ Tests:
 Matches:
 actor.alternateId:
 frodo.baggins@hobbiton.com:
- - 0
\ No newline at end of file
+ - 0
diff --git a/correlation_rules/secret_exposed_and_not_quarantined.yml b/correlation_rules/secret_exposed_and_not_quarantined.yml
index e39b89707..d2f61edcc 100644
--- a/correlation_rules/secret_exposed_and_not_quarantined.yml
+++ b/correlation_rules/secret_exposed_and_not_quarantined.yml
@@ -23,7 +23,7 @@ Detection:
 To: SecretNotQuarantined
 Schedule:
 RateMinutes: 10
- TimeoutMinutes: 2
+ TimeoutMinutes: 3
 LookbackWindowMinutes: 30
 Tests:
 - Name: Secret Found and Quarantied
@@ -43,4 +43,4 @@ Tests:
 - ID: SecretFound
 Matches:
 foo:
- bar: [0]
\ No newline at end of file
+ bar: [0]
diff --git a/correlation_rules/snowflake_data_exfiltration.yml b/correlation_rules/snowflake_data_exfiltration.yml
index ac0e0929c..69fcfe6b6 100644
--- a/correlation_rules/snowflake_data_exfiltration.yml
+++ b/correlation_rules/snowflake_data_exfiltration.yml
@@ -29,7 +29,7 @@ Detection:
 - On: stage
 Schedule:
 RateMinutes: 720
- TimeoutMinutes: 2
+ TimeoutMinutes: 15
 LookbackWindowMinutes: 1440
 Tests:
 - Name: Data Exfiltration