
Sysdig Secure for cloud

Sysdig Secure for cloud is the software that connects Sysdig Secure features to your cloud environments to provide unified threat detection, compliance, forensics, and analysis.

Because modern cloud applications are no longer just virtualized compute resources, but a superset of cloud services on which businesses depend, controlling the security of your cloud accounts is essential. Errors can expose an organization to risks that could bring resources down, infiltrate workloads, exfiltrate secrets, create unseen assets, or otherwise compromise the business or reputation. As the number of cloud services and configurations available grows exponentially, using a cloud security platform protects against having an unseen misconfiguration turn into a serious security issue.

Supported Clouds

Features

Installation

Setup options, details, troubleshooting, and validation steps for the various cloud vendors are documented under Installations.

Summary

AWS
  Single Setup: Account
  Organizational Setup: Organization with member accounts
  Event Source: CloudTrail
  Deployment Options: ECS, App Runner, K8s
  Image Scanning Options: ECS deployed images, ECR, Public Repositories
  Sysdig Role Setup for Compliance: IAM Role with Trusted Identity
  Spawned Scanning Service: CodeBuild project

GCP
  Single Setup: Project
  Organizational Setup: Organization with member projects
  Event Source: Project/Organization Sink, GCR Pub/Sub Topic
  Deployment Options: Cloud Run, K8s
  Image Scanning Options: Cloud Run deployed images, GCR, Public Repositories
  Sysdig Role Setup for Compliance: Workload Identity Federation
  Spawned Scanning Service: Cloud Build task

Azure
  Single Setup: Subscription
  Organizational Setup: Tenant subscriptions
  Event Source: Event Hub, Event Grid
  Deployment Options: Azure Container Instances (ACI), K8s
  Image Scanning Options: ACI deployed images, ACR, Public Repositories
  Sysdig Role Setup for Compliance: Azure Lighthouse
  Spawned Scanning Service: ACR Task

1 - AWS

This section describes the AWS offering.
Check setup options, details, troubleshooting, and validation steps under Installations - Cloud - AWS.

Available Features

  • Threat detection based on auditing CloudTrail events
  • Compliance Security Posture Management (CSPM), including CIS AWS Benchmark compliance assessments
  • Container registry scanning for ECR
  • Image scanning for Fargate on ECS
  • Permissions and Entitlements management (CIEM)

Threat Detection Based on CloudTrail

Threat Detection leverages audit logs from AWS CloudTrail plus Falco rules to detect threats as soon as they occur and bring governance, compliance, and risk auditing for your cloud accounts.

A rich set of Falco rules, an AWS Best Practices default policy, and an AWS CloudTrail policy type for creating customized policies are included. These correspond to security standards and benchmarks such as NIST 800-53, PCI DSS, SOC 2, MITRE ATT&CK®, CIS AWS, and AWS Foundational Security Best Practices.
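To make the CloudTrail-plus-rules model concrete, here is a small added example (not Sysdig code) that evaluates a handful of the rules listed later on this page, such as "CloudTrail Logging Disabled" and "Console Root Login Without MFA", against constructed CloudTrail records. The trusted-IP allowlist and all sample events are assumptions made for the example; note that a failed console login is deliberately not matched by the MFA rules.

```python
"""Toy matcher for CloudTrail records, modelling six of the Falco rules listed on this page.
Sample events below are constructed for the example; they are not real CloudTrail output."""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Callable

# Assumed allowlist of trusted console-login source IPs (constructed, e.g. a corporate egress address).
TRUSTED_SOURCE_IPS = {"203.0.113.10"}


def _is_root(ev: dict) -> bool:
    return ev.get("userIdentity", {}).get("type") == "Root"


def _mfa_used(ev: dict) -> bool:
    # Console logins report MFA use in additionalEventData.MFAUsed ("Yes" / "No").
    return ev.get("additionalEventData", {}).get("MFAUsed") == "Yes"


def _console_login_success(ev: dict) -> bool:
    # Only successful logins count; a failed attempt is a different signal
    # (the page's "Console Login Failure" rule) and must not fire the MFA rules.
    return (ev.get("eventSource") == "signin.amazonaws.com"
            and ev.get("eventName") == "ConsoleLogin"
            and ev.get("responseElements", {}).get("ConsoleLogin") == "Success")


def _api_call(ev: dict, source: str, name: str) -> bool:
    return ev.get("eventSource") == source and ev.get("eventName") == name


@dataclass(frozen=True)
class Rule:
    name: str                          # rule name as listed on this page
    tags: tuple[str, ...]              # tags as listed on this page
    condition: Callable[[dict], bool]  # predicate over one CloudTrail record


RULES: tuple[Rule, ...] = (
    Rule("CloudTrail Logging Disabled",
         ("cloud", "aws", "aws_cloudtrail", "mitre_TA0005-defense-evasion",
          "mitre_T1089-disabling-security-tools"),
         lambda ev: _api_call(ev, "cloudtrail.amazonaws.com", "StopLogging")),
    Rule("CloudTrail Trail Deleted",
         ("cloud", "aws", "aws_cloudtrail", "mitre_TA0005-defense-evasion",
          "mitre_T1089-disabling-security-tools"),
         lambda ev: _api_call(ev, "cloudtrail.amazonaws.com", "DeleteTrail")),
    Rule("Console Root Login Without MFA",
         ("cloud", "aws", "aws_console", "aws_iam", "mitre_TA0040-impact",
          "mitre_T1531-account-access-removal"),
         lambda ev: _console_login_success(ev) and _is_root(ev) and not _mfa_used(ev)),
    Rule("Console Login Without MFA",
         ("cloud", "aws", "aws_console", "aws_iam"),
         lambda ev: _console_login_success(ev) and not _is_root(ev) and not _mfa_used(ev)),
    Rule("Console Login Success From Untrusted IP",
         ("cloud", "aws", "aws_iam"),
         lambda ev: _console_login_success(ev)
         and ev.get("sourceIPAddress") not in TRUSTED_SOURCE_IPS),
    Rule("Create Access Key for Root User",
         ("cloud", "aws", "aws_iam", "mitre_TA0001-initial-access", "mitre_T1078-valid-accounts"),
         lambda ev: _api_call(ev, "iam.amazonaws.com", "CreateAccessKey") and _is_root(ev)),
)


def load_events(jsonl: str) -> list[dict]:
    """Parse one CloudTrail record per non-empty line."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def evaluate(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule name, eventID) for every rule each event satisfies, in rule order."""
    return [(rule.name, ev.get("eventID", "?"))
            for ev in events for rule in RULES if rule.condition(ev)]


# Constructed sample records (trimmed to the fields the rules inspect).
SAMPLE_EVENTS = """
{"eventID": "e1", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.10"}
{"eventID": "e2", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}, "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "198.51.100.7"}
{"eventID": "e3", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "203.0.113.10"}
{"eventID": "e4", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "198.51.100.7"}
{"eventID": "e5", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "userIdentity": {"type": "Root"}, "sourceIPAddress": "203.0.113.10"}
"""

if __name__ == "__main__":
    for name, event_id in evaluate(load_events(SAMPLE_EVENTS)):
        print(f"{event_id}: {name}")
```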

CSPM/Compliance with CIS AWS Benchmarks

A new cloud compliance standard, CIS AWS Benchmark, has been added to the Sysdig compliance feature. The assessment is based on the open-source engine Cloud Custodian and is the initial release of the Sysdig Cloud Security Posture Management (CSPM) engine. This first Sysdig cloud compliance standard will be followed by additional security compliance and regulatory standards for GCP, IBM Cloud and Azure.

The CIS AWS Benchmarks assessment evaluates your AWS services against the benchmark requirements and returns the results and remediation activities you need to fix misconfigurations in your cloud environment. We’ve also included several UI improvements to provide additional details such as control descriptions, affected resources, failing assets, and guided remediation steps, both manual and CLI-based when available.

ECR Registry Scanning

ECR Registry Scanning automatically scans all container images pushed to all your Elastic Container Registries, so you have a vulnerability report available in your Sysdig Secure dashboard at all times, without having to set up any additional pipeline.

An ephemeral CodeBuild pipeline is created each time a new image is pushed, which executes an inline scan based on your defined scan policies. Default policies cover vulnerabilities and Dockerfile best practices, and you can define advanced rules yourself.

Fargate Image Scanning on ECS

Fargate Image Scanning automatically scans any container image deployed on a serverless Fargate task that runs on Elastic Container Service. This includes public images that live in registries other than ECR, as well as private ones for which you set the credentials.

An ephemeral CodeBuild pipeline is automatically created when a container is deployed on ECS Fargate to execute the inline scan.

Identity and Access Management

As cloud accounts proliferate, excessive permissions can become a security risk and a management headache. Sysdig Secure for cloud provides a Permissions and Entitlements module under Posture that allows you to:

  • Gain visibility into all cloud identities and their privileges: get a comprehensive view into access permissions across all AWS users and services
  • Enforce least privilege: eliminate excessive permissions by applying least-privilege policies to users and services with automatically generated IAM policies. Sysdig proposes policies based on analyzing which entitlements are granted versus which are actually used.
  • Simplify audit of access controls to meet compliance requirements: use reports for regular access reviews to evaluate active and inactive user permissions and activity.
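The granted-versus-used comparison behind the least-privilege proposals can be illustrated with an added example (not Sysdig's implementation): it takes a constructed IAM policy, derives the actions a principal actually exercised from constructed CloudTrail records, reports the grants that were never used, and rewrites each Allow statement down to the exercised actions while keeping its Resource scope. The policy, principal ARN and events are all assumptions; mapping eventName to an IAM action one-to-one is a simplification.

```python
"""Granted-versus-used entitlement analysis in the spirit of the Permissions and Entitlements
module described above. Policy, principal and CloudTrail records are constructed for the example."""
from __future__ import annotations

import fnmatch
import json

# Constructed IAM policy attached to the principal under review.
GRANTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::app-bucket/*"},
        {"Effect": "Allow", "Action": ["iam:*", "ec2:DescribeInstances"], "Resource": "*"},
    ],
}

PRINCIPAL = "arn:aws:iam::123456789012:user/ci-deployer"  # constructed

# Constructed CloudTrail records: three successful calls by the principal, one denied call,
# and one call by a different principal.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "userIdentity": {"arn": PRINCIPAL}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "userIdentity": {"arn": PRINCIPAL}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "userIdentity": {"arn": PRINCIPAL}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": {"arn": PRINCIPAL}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "userIdentity": {"arn": PRINCIPAL},
     "errorCode": "AccessDenied"},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/someone-else"}},
]


def action_from_event(ev: dict) -> str:
    """Map a CloudTrail record to an IAM action string (s3.amazonaws.com / GetObject -> s3:GetObject).
    Simplification: not every CloudTrail eventName corresponds one-to-one to an IAM action."""
    return f"{ev['eventSource'].split('.')[0]}:{ev['eventName']}"


def action_matches(action: str, pattern: str) -> bool:
    """IAM action matching: '*' and '?' wildcards, case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def used_actions(events: list[dict], principal: str) -> set[str]:
    """Actions the principal actually exercised successfully (denied calls carry an errorCode)."""
    return {action_from_event(ev) for ev in events
            if ev.get("userIdentity", {}).get("arn") == principal and "errorCode" not in ev}


def allow_statements(policy: dict) -> list[dict]:
    """Allow statements with Action normalised to a list."""
    stmts = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        stmts.append({**stmt, "Action": [actions] if isinstance(actions, str) else list(actions)})
    return stmts


def unused_grants(policy: dict, used: set[str]) -> set[str]:
    """Granted action patterns that no exercised action ever matched."""
    return {pattern for stmt in allow_statements(policy) for pattern in stmt["Action"]
            if not any(action_matches(a, pattern) for a in used)}


def least_privilege_policy(policy: dict, used: set[str]) -> dict:
    """Rewrite each Allow statement to name only the exercised actions it covered,
    keeping its Resource scope; statements that covered nothing are dropped."""
    statements = []
    for stmt in allow_statements(policy):
        kept = sorted(a for a in used if any(action_matches(a, p) for p in stmt["Action"]))
        if kept:
            statements.append({"Effect": "Allow", "Action": kept, "Resource": stmt["Resource"]})
    return {"Version": policy.get("Version", "2012-10-17"), "Statement": statements}


if __name__ == "__main__":
    used = used_actions(SAMPLE_EVENTS, PRINCIPAL)
    print("used:", sorted(used))
    print("unused grants:", sorted(unused_grants(GRANTED_POLICY, used)))
    print(json.dumps(least_privilege_policy(GRANTED_POLICY, used), indent=2))
```

A real review would draw the events from a long enough window to cover periodic jobs, otherwise rarely used but legitimate entitlements would be proposed for removal.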

1.1 - CloudTrail Falco rules

Rule categories and counts: APPRUNNER (4 rules), AUTOSCALING (2 rules), CLOUDSHELL (1 rule), CLOUDTRAIL (7 rules), CLOUDWATCH (3 rules), CONFIG (19 rules), CONSOLE (3 rules), DMS (1 rule), EBS (1 rule), EC2 (20 rules), ECR (1 rule), ECS (8 rules), ECS EXEC (3 rules), EFS (1 rule), ELASTICSEARCH (2 rules), ELB (4 rules), FARGATE (8 rules), GUARDDUTY (6 rules), IAM (39 rules), KMS (5 rules), LAMBDA (6 rules), RDS (13 rules), ROUTE53 (3 rules), S3 (14 rules), SAGEMAKER (1 rule), SECRETSMANAGER (1 rule), SECURITYHUB (9 rules), VPC (14 rules), WAF (2 rules), OTHER (2 rules).

Total 189 rules.

APPRUNNER

Create App Runner Service from Code Repository

Detect the building and deployment of an App Runner service from a code repository.

cloud aws aws_apprunner
Create App Runner Service from Image Repository

Detect the deployment of an App Runner service from an image repository.

cloud aws aws_apprunner
Delete App Runner Service

Detect the deletion of an App Runner service.

cloud aws aws_apprunner
Deploy App Runner Service

Detect the deployment of an App Runner service.

cloud aws aws_apprunner

AUTOSCALING

Create Autoscaling Group without ELB Health Checks

Detect the creation of an autoscaling group associated with a load balancer which is not using health checks.

cloud aws aws_autoscaling
Update Autoscaling Group without ELB Health Checks

Detect the update of an autoscaling group associated with a load balancer which is not using health checks.

cloud aws aws_autoscaling

CLOUDSHELL

CloudShell Environment Created

Detect creation of a new Cloud Shell environment.

cloud aws aws_cloudshell

CLOUDTRAIL

CloudTrail Trail Created

Detect creation of a new trail.

cloud aws aws_cloudtrail mitre_TA0009-collection mitre_T1530-data-from-cloud-storage-object
CloudTrail Trail Deleted

Detect deletion of an existing trail.

cloud aws aws_cloudtrail mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
CloudTrail Logfile Encryption Disabled

Detect disabling the CloudTrail logfile encryption.

cloud aws aws_cloudtrail
CloudTrail Logfile Validation Disabled

Detect disabling the CloudTrail logfile validation.

cloud aws aws_cloudtrail
CloudTrail Logging Disabled

CloudTrail logging has been disabled; this could potentially be malicious.

cloud aws aws_cloudtrail mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
CloudTrail Multi-region Disabled

Detect disabling CloudTrail multi-region.

cloud aws aws_cloudtrail
CloudTrail Trail Updated

Detect update of an existing trail.

cloud aws aws_cloudtrail mitre_TA0009-collection mitre_TA0040-impact mitre_T1492-store-data-manipulation mitre_T1530-data-from-cloud-storage-object

CLOUDWATCH

CloudWatch Delete Alarms

Detect deletion of an alarm.

cloud aws aws_cloudwatch mitre_TA0005-defense-evasion mitre_T1066-indicator-removal-from-tools
CloudWatch Delete Log Group

Detect deletion of a CloudWatch log group.

cloud aws aws_cloudwatch mitre_TA0040-impact mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools mitre_T1485-data-destruction
CloudWatch Delete Log Stream

Detect deletion of a CloudWatch log stream.

cloud aws aws_cloudwatch mitre_TA0040-impact mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools mitre_T1485-data-destruction

CONFIG

Delete Config Rule

Detect deletion of a configuration rule.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Delete Configuration Aggregator

Detect deletion of the configuration aggregator.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Delete Configuration Recorder

Detect deletion of the configuration recorder.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Delete Conformance Pack

Detect deletion of a conformance pack.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Delete Delivery Channel

Detect deletion of the delivery channel.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Delete Organization Config Rule

Detect deletion of an organization config rule.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Delete Organization Conformance Pack

Detect deletion of an organization conformance pack.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Delete Remediation Configuration

Detect deletion of a remediation configuration.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Delete Retention Configuration

Detect deletion of the retention configuration, which specifies the retention period (number of days) for which AWS Config stores historical information.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Put Config Rule

Detect addition or update in an AWS Config rule.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Put Configuration Aggregator

Detect creation and update of the configuration aggregator with the selected source accounts and regions.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Put Conformance Pack

Detect creation or update of a conformance pack.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Put Delivery Channel

Detect creation of a delivery channel.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Put Organization Config Rule

Detect addition or update in an AWS Organization Config rule.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Put Organization Conformance Pack

Detect deployment of conformance packs across member accounts in an AWS Organization.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Put Remediation Configurations

Detect addition or update of the remediation configuration with a specific AWS Config rule with the selected target or action.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Put Remediation Exceptions

Detect addition of a new exception, or update of an existing exception, for a specific resource with a specific AWS Config rule.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Put Retention Configuration

Detect creation or update of the retention configuration, which specifies the retention period (number of days) for which AWS Config stores historical information.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Stop Configuration Recorder

Detect stopping the configuration recorder.

cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

CONSOLE

Console Login Through Assume Role

Detect a console login through Assume Role.

cloud aws aws_console aws_iam
Console Login Without MFA

Detect a console login without MFA.

cloud aws aws_console aws_iam
Console Root Login Without MFA

Detect root console login without MFA.

cloud aws aws_console aws_iam mitre_TA0040-impact mitre_T1531-account-access-removal

DMS

Create Public DMS Replication Instance

Detect creation of a public DMS replication instance.

cloud aws aws_dms

EBS

EBS Volume Creation without Encryption at Rest

Detect creation of an EBS volume without encryption at rest enabled.

cloud aws aws_ebs

EC2

Allocate New Elastic IP Address to AWS Account

Detect that a public IP address has been allocated to the account.

cloud aws aws_ec2
Associate Elastic IP Address to AWS Network Interface

Detect that a public IP address has been associated with a network interface.

cloud aws aws_ec2
Authorize Security Group Egress

Detect addition of the specified egress rules to a security group.

cloud aws aws_ec2 mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Authorize Security Group Ingress

Detect addition of the specified ingress rules to a security group.

cloud aws aws_ec2 mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Create Snapshot

Detect creation of an EBS volume snapshot (which is stored in Amazon S3).

cloud aws aws_ec2
Delete Subnet

Detect deletion of the specified subnet.

cloud aws aws_ec2 mitre_TA0040-impact mitre_T1485-data-destruction
Describe Instances

Detect description of the specified EC2 instances or all EC2 instances.

cloud aws aws_ec2
Disable EBS Encryption by Default

Detect disabling EBS encryption by default for an account in the current region.

cloud aws aws_ec2 mitre_TA0040-impact mitre_T1492-store-data-manipulation
Make EBS Snapshot Public

Detect making public an EBS snapshot.

cloud aws aws_ec2
EC2 Serial Console Access Enabled

Detect EC2 serial console access enabled in the account for a specific region.

cloud aws aws_ec2
Get Password Data

Detect retrieval of the encrypted administrator password for a running Windows instance.

cloud aws aws_ec2 mitre_TA0003-persistence mitre_T1108-redundant-access
Modify Image Attribute

Detect modification of the specified attribute of the specified AMI.

cloud aws aws_ec2 mitre_TA0010-exfiltration
Modify Snapshot Attribute

Detect addition or removal of permission settings for the specified EC2 snapshot.

cloud aws aws_ec2 mitre_TA0010-exfiltration mitre_T1537-transfer-data-to-cloud-account
Replace Route

Detect replacing an existing route within a route table in a VPC.

cloud aws aws_ec2 mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Revoke Security Group Egress

Detect removal of the specified egress rules from a security group.

cloud aws aws_ec2 mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Revoke Security Group Ingress

Detect removal of the specified ingress rules from a security group.

cloud aws aws_ec2 mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Run Instances in Non-approved Region

Detect launching of a specified number of instances in a non-approved region.

cloud aws aws_ec2
Run Instances with Non-standard Image

Detect launching of a specified number of instances with a non-standard image.

cloud aws aws_ec2
Run Instances

Detect launching of a specified number of instances.

cloud aws aws_ec2
Delete Cluster

Detect deletion of the specified cluster.

cloud aws aws_ec2 mitre_TA0040-impact mitre_T1485-data-destruction

ECR

ECR Image Pushed

Detect that a new image has been pushed to an ECR registry.

cloud aws aws_ecr

ECS

ECS Service Created

Detect a new service is created in ECS.

cloud aws aws_ecs aws_fargate
ECS Service Deleted

Detect a service is deleted in ECS.

cloud aws aws_ecs aws_fargate
Execute Interactive Command inside an ECS Container

Detect execution of an interactive command inside an ECS container.

cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter
Execute Command inside an ECS Container

Detect execution of a command inside an ECS container.

cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution
ECS Task Run or Started

Detect a new task is started in ECS.

cloud aws aws_ecs aws_fargate
ECS Task Stopped

Detect a task is stopped in ECS.

cloud aws aws_ecs aws_fargate
Terminal Shell in ECS Container

A terminal shell has been executed inside an ECS container.

cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter mitre_T1059.004-unix-shell
ECS Service Task Definition Updated

Detect a service task definition is updated in ECS.

cloud aws aws_ecs aws_fargate

ECS EXEC

Execute Interactive Command inside an ECS Container

Detect execution of an interactive command inside an ECS container.

cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter
Execute Command inside an ECS Container

Detect execution of a command inside an ECS container.

cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution
Terminal Shell in ECS Container

A terminal shell has been executed inside an ECS container.

cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter mitre_T1059.004-unix-shell

EFS

Create Unencrypted EFS

Detect creation of an unencrypted elastic file system.

cloud aws aws_efs

ELASTICSEARCH

Elasticsearch Domain Creation without Encryption at Rest

Detect creation of an Elasticsearch domain without encryption at rest enabled.

cloud aws aws_elasticsearch
Elasticsearch Domain Creation without VPC

Detect creation of an Elasticsearch domain without a VPC.

cloud aws aws_elasticsearch

ELB

Create HTTP Target Group without SSL

Detect creation of HTTP target group not using SSL.

cloud aws aws_elb
Create Internet-facing AWS Public Facing Load Balancer

Detect creation of an AWS internet-facing load balancer.

cloud aws aws_elb
Delete Listener

Detect deletion of the specified listener.

cloud aws aws_elb mitre_TA0001-initial-access mitre_T1190-exploit-public-facing-application
Modify Listener

Detect replacing the specified properties of the specified listener.

cloud aws aws_elb mitre_TA0001-initial-access mitre_T1190-exploit-public-facing-application

FARGATE

ECS Service Created

Detect a new service is created in ECS.

cloud aws aws_ecs aws_fargate
ECS Service Deleted

Detect a service is deleted in ECS.

cloud aws aws_ecs aws_fargate
Execute Interactive Command inside an ECS Container

Detect execution of an interactive command inside an ECS container.

cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter
Execute Command inside an ECS Container

Detect execution of a command inside an ECS container.

cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution
ECS Task Run or Started

Detect a new task is started in ECS.

cloud aws aws_ecs aws_fargate
ECS Task Stopped

Detect a task is stopped in ECS.

cloud aws aws_ecs aws_fargate
Terminal Shell in ECS Container

A terminal shell has been executed inside an ECS container.

cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter mitre_T1059.004-unix-shell
ECS Service Task Definition Updated

Detect a service task definition is updated in ECS.

cloud aws aws_ecs aws_fargate

GUARDDUTY

Delete Detector

Detect deletion of an Amazon GuardDuty detector.

cloud aws aws_guardduty mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Guard Duty Delete Members

Detect deletion of GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.

cloud aws aws_guardduty mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Disable GuardDuty

Detect disabling of GuardDuty.

cloud aws aws_guardduty
Guard Duty Disassociate from Master Account

Detect disassociation of the current GuardDuty member account from its administrator account.

cloud aws aws_guardduty mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Guard Duty Disassociate Members

Detect disassociation of GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.

cloud aws aws_guardduty mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Stop Monitoring Members

Detect stopping GuardDuty monitoring for the specified member accounts.

cloud aws aws_guardduty mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

IAM

Console Login Failure

Detect a console login failure.

cloud aws aws_iam
Console Login Success From Untrusted IP

Detect a console login success from an untrusted IP address.

cloud aws aws_iam
Console Login Success

Detect a console login success.

cloud aws aws_iam
Console Login Through Assume Role

Detect a console login through Assume Role.

cloud aws aws_console aws_iam
Console Login Without MFA

Detect a console login without MFA.

cloud aws aws_console aws_iam
Console Root Login Without MFA

Detect root console login without MFA.

cloud aws aws_console aws_iam mitre_TA0040-impact mitre_T1531-account-access-removal
Logged in without Using MFA

(DEPRECATED) Detect user login without using MFA (multi-factor authentication). Use "Console Login Without MFA" instead.

cloud aws aws_iam
Password Recovery Requested

Detect AWS IAM password recovery requests.

cloud aws aws_iam mitre_TA0001-initial-access mitre_T1078-valid-accounts
Put Inline Policy in Group to Allow Access to All Resources

Detect putting an inline policy in a group that allows access to all resources.

cloud aws aws_iam
Create Access Key for Root User

Detect creation of an access key for root.

cloud aws aws_iam mitre_TA0001-initial-access mitre_T1078-valid-accounts
Deactivate Hardware MFA for Root User

Detect deactivating hardware MFA configuration for root.

cloud aws aws_iam
Deactivate MFA for Root User

Detect deactivating MFA configuration for root.

cloud aws aws_iam
Deactivate Virtual MFA for Root User

Detect deactivating virtual MFA configuration for root.

cloud aws aws_iam
Delete Virtual MFA for Root User

Detect deleting MFA configuration for root.

cloud aws aws_iam pcs_dss_iam.5
Root User Executing AWS Command

Detect root user executing AWS command.

cloud aws aws_iam
Add AWS User to Group

Detect adding a user to a group.

cloud aws aws_iam
Attach Administrator Policy

Detect attaching an administrator policy to a user.

cloud aws aws_iam
Attach IAM Policy to User

Detect attaching an IAM policy to a user.

cloud aws aws_iam
Create Group

Detect creation of a new user group.

cloud aws aws_iam mitre_TA0003-persistence mitre_T1108-redundant-access
Create Security Group Rule Allowing SSH Ingress

Detect creation of security group rule allowing SSH ingress.

cloud aws aws_iam
Create Security Group Rule Allowing Ingress Open to the World

Detect creation of security group rule allowing ingress open to the world.

cloud aws aws_iam
Create AWS user

Detect creation of a new AWS user.

cloud aws aws_iam mitre_TA0003-persistence mitre_T1136-create-account
Create IAM Policy that Allows All

Detect creation of IAM policy that allows all.

cloud aws aws_iam
Deactivate MFA for User Access

Detect deactivating MFA configuration for user access.

cloud aws aws_iam
Delete Group

Detect deletion of a user group.

cloud aws aws_iam mitre_TA0040-impact mitre_T1531-account-access-removal
Delete AWS user

Detect deletion of an AWS user.

cloud aws aws_iam
Put IAM Inline Policy to User

Detect putting an IAM inline policy to a user.

cloud aws aws_iam
Remove AWS User from Group

Detect removing a user from a group.

cloud aws aws_iam
Update Account Password Policy Not Expiring

Detect updating password policy not expiring at all.

cloud aws aws_iam
Update Account Password Policy Expiring in More Than 90 Days

Detect updating password policy expiring in more than 90 days.

cloud aws aws_iam
Update Account Password Policy Not Preventing Reuse of Last 24 Passwords

Detect updating password policy not preventing reuse of the last 24 passwords.

cloud aws aws_iam
Update Account Password Policy Not Preventing Reuse of Last 4 Passwords

Detect updating password policy not preventing reuse of the last 4 passwords.

cloud aws aws_iam
Update Account Password Policy Not Requiring 14 Characters

Detect updating password policy not requiring a minimum length of 14 characters.

cloud aws aws_iam
Update Account Password Policy Not Requiring 7 Characters

Detect updating password policy not requiring a minimum length of 7 characters.

cloud aws aws_iam
Update Account Password Policy Not Requiring Lowercase

Detect updating password policy not requiring the use of a lowercase letter.

cloud aws aws_iam
Update Account Password Policy Not Requiring Number

Detect updating password policy not requiring the use of a number.

cloud aws aws_iam
Update Account Password Policy Not Requiring Symbol

Detect updating password policy not requiring the use of a symbol.

cloud aws aws_iam
Update Account Password Policy Not Requiring Uppercase

Detect updating password policy not requiring the use of an uppercase letter.

cloud aws aws_iam
Update Assume Role Policy

Detect modifying a role.

cloud aws aws_iam mitre_TA0006-credential-access mitre_T1110-brute-force

KMS

Create Customer Master Key

Detect creation of a new CMK (with rotation disabled).

cloud aws aws_kms
Disable CMK Rotation

Detect disabling of a customer master key's rotation.

cloud aws aws_kms
Disable Key

Detect disabling a customer master key (CMK), thereby preventing its use for cryptographic operations.

cloud aws aws_kms
Remove KMS Key Rotation

Detect removal of KMS key rotation.

cloud aws aws_kms
Schedule Key Deletion

Detect scheduling of the deletion of a customer master key.

cloud aws aws_kms

LAMBDA

Create Lambda Function Not Using Latest Runtime

Detect creation of a Lambda function not using the latest runtime.

cloud aws aws_lambda mitre_T1190-exploit-public-facing-application
Create Lambda Function Using Unsupported Runtime

Detect creation of a Lambda function using an unsupported runtime.

cloud aws aws_lambda mitre_T1190-exploit-public-facing-application
Create Lambda Function

Detect creation of a Lambda function.

cloud aws aws_lambda mitre_TA0003-persistence
Dissociate Lambda Function from VPC

Detect dissociation of a Lambda function from a VPC.

cloud aws aws_lambda
Update Lambda Function Code

Detect updates to a Lambda function code.

cloud aws aws_lambda mitre_TA0003-persistence mitre_T1496-resource-hijacking
Update Lambda Function Configuration

Detect updates to a Lambda function configuration.

cloud aws aws_lambda mitre_TA0003-persistence mitre_T1496-resource-hijacking

RDS

Authorize DB Security Group Ingress

Detect enabling ingress to a DBSecurityGroup using one of two forms of authorization.

cloud aws aws_rds
Create DB Cluster

Detect creation of a database cluster.

cloud aws aws_rds mitre_TA0003-persistence mitre_T1108-redundant-access
Create DB Security Group

Detect creation of a database security group.

cloud aws aws_rds
Create Global Cluster

Detect creation of a global cluster.

cloud aws aws_rds mitre_TA0003-persistence mitre_T1108-redundant-access
Delete DB Cluster

Detect deletion of a database cluster.

cloud aws aws_rds mitre_TA0040-impact mitre_T1485-data-destruction
Delete DB Security Group

Detect deletion of a database security group.

cloud aws aws_rds
Delete DB Snapshot

Detect deletion of a database snapshot.

cloud aws aws_rds mitre_TA0040-impact mitre_T1485-data-destruction
Make RDS DB Instance Public

Detect making public an RDS DB instance.

cloud aws aws_rds
Make RDS Snapshot Public

Detect making public an RDS snapshot.

cloud aws aws_rds
Modify RDS Snapshot Attribute

Detect modification of an RDS snapshot attribute.

cloud aws aws_rds mitre_TA0010-exfitration mitre_T1537-transfer-data-to-cloud-account
Revoke DB Security Group Ingress

Detect revocation of ingress from a DBSecurityGroup for previously authorized IP ranges or EC2 or VPC Security Groups.

cloud aws aws_rds
Stop DB Cluster

Detect stopping of a database cluster.

cloud aws aws_rds mitre_TA0040-impact mitre_T1489-service-stop
Stop DB Instance

Detect stopping of a database instance.

cloud aws aws_rds mitre_TA0040-impact mitre_T1489-service-stop

ROUTE53

Associate VPC with Hosted Zone

Detect association of an Amazon VPC with a private hosted zone.

cloud aws aws_route53
Change Resource Record Sets

Detect creation, changes, or deletion of a resource record set.

cloud aws aws_route53
Register Domain

Detect registration of a new domain.

cloud aws aws_route53

S3

Delete Bucket CORS

Detect deletion of the cors configuration for a bucket.

cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
Delete Bucket Encryption

Detect deleting configuration to use encryption for bucket storage.

cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
Delete Bucket Lifecycle

Detect deletion of the lifecycle configuration from the specified bucket.

cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
Delete Bucket Policy

Detect deletion of the policy of a specified bucket.

cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
Delete Bucket Public Access Block

Detect deleting blocking public access to bucket.

cloud aws aws_s3
Delete Bucket Replication

Detect deletion of the replication configuration from the bucket.

cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
Read Object in Watched Bucket

Detect a Read operation on objects in watched buckets.

cloud aws aws_s3
List Buckets

Detect listing of all S3 buckets.

cloud aws aws_s3 mitre_TA0007-discovery mitre_T1083-file-and-directory-discovery
Put Bucket ACL

Detect setting the permissions on an existing bucket using access control lists.

cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
Put Bucket CORS

Detect setting the cors configuration for a bucket.

cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
Put Bucket Lifecycle

Detect creation or modification of a lifecycle configuration for the bucket [DEPRECATED use `Put Bucket Lifecycle Configuration` instead].

cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
Put Bucket Policy

Detect applying an Amazon S3 bucket policy to an Amazon S3 bucket.

cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
Put Bucket Replication

Detect creation of a replication configuration or the replacement of an existing one.

cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host
Put Object in Watched Bucket

Detect a Put operation on objects in watched buckets.

cloud aws aws_s3

SAGEMAKER

Create SageMaker Notebook Instance with Direct Internet Access

Detect creation of a SageMaker notebook instance with direct internet access.

cloud aws aws_sagemaker

SECRETSMANAGER

Get Secret Value

Detect retrieval of the contents of the encrypted fields SecretString or SecretBinary from the specified version of a secret, whichever contains content.

cloud aws aws_secretsmanager mitre_TA0006-credential-access mitre_T1528-steal-application-access-token

SECURITYHUB

Batch Disable Standards

Detect disabling of the standards specified by the provided StandardsSubscriptionArns.

cloud aws aws_securityhub
Delete Action Target

Detect deletion of a custom action target from Security Hub.

cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Security Hub Delete Members

Detect deletion of the specified member accounts from Security Hub.

cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Disable Import Findings for Product

Detect disabling of the integration of the specified product with Security Hub.

cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Disable Security Hub

Detect disabling of Security Hub in the current region.

cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Security Hub Disassociate From Master Account

Detect disassociation of the current Security Hub member account from the associated master account.

cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Security Hub Disassociate Members

Detect disassociation of the specified member accounts from the associated master account.

cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Update Action Target

Detect updating the name and description of a custom action target in Security Hub.

cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Update Standards Control

Detect enabling or disabling of a standard control.

cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

VPC

Accept VPC Peering Connection

Detect accepting a VPC peering connection.

cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Attach Internet Gateway

Detect attaching an internet gateway.

cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Create a Network ACL Entry Allowing Ingress Open to the World

Detect creation of a network ACL entry allowing ingress open to the world.

cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Create a Network ACL Entry

Detect creating a network ACL entry.

cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Create a Network ACL

Detect creating a network ACL.

cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Create VPC Route

Detect creating a VPC route.

cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Create VPC Peering Connection

Detect creating a VPC peering connection.

cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Create VPC with Default Security Group

Detect creation of a new VPC with default security group.

cloud aws aws_vpc
Create VPC with No Flow Log

Detect creation of a new VPC with no flow log.

cloud aws aws_vpc
Delete VPC Flow Log

Detect deletion of a VPC flow log.

cloud aws aws_vpc mitre_TA0005-defense-evasion mitre_T1066-indicator-removal-from-tools
Delete a Network ACL Entry

Detect deletion of a network ACL entry.

cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Delete a Network ACL

Detect deleting a network ACL.

cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Replace a Network ACL Association

Detect replacement of a network ACL association.

cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools
Replace a Network ACL Entry

Detect replacement of a network ACL entry.

cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools

WAF

Delete WAF Rule Group

Detect deleting a WAF rule group.

cloud aws aws_waf mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools
Delete Web ACL

Detect deleting a web ACL.

cloud aws aws_waf mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

OTHER

AWS Command Executed by Untrusted User

Detect AWS command execution by an untrusted user.

cloud aws
AWS Command Executed on Unused Region

Detect AWS command execution on unused regions.

cloud aws mitre_T1526-cloud-service-discovery mitre_T1535-unused-unsupported-cloud-regions

2 - GCP

This section describes the offering.
Check setup options, details, troubleshooting, and validation steps under Installations - Cloud - GCP

Available Features

  • Threat detection based on GCP Cloud Audit Logs integration
  • Compliance Security Posture Management (CSPM), including CIS GCP and CIS GKE Benchmark compliance assessments
  • GCP Cloud Container scanning
  • Image scanning on GCP

Threat Detection Based on GCP Cloud Audit Logs

Threat detection combines GCP Cloud Audit Logs with Falco rules to detect threats as soon as they occur and to bring governance, compliance, and risk auditing to your cloud accounts.

A rich set of Falco rules, a GCP Best Practices default policy, and a GCP policy type for creating customized policies are included. These correspond to security standards and benchmarks such as NIST 800-53, PCI DSS, SOC 2, MITRE ATT&CK®, and Google Cloud Security best practices.

CSPM/Compliance with CIS GKE and CIS GCP Benchmarks

A new cloud compliance standard, the CIS GCP Benchmarks, has been added to the Sysdig compliance feature. These assessments are based on an open-source engine, Cloud Custodian, within Sysdig's Cloud Security Posture Management (CSPM) engine.

The assessments evaluate your Google Cloud services against the benchmark requirements and return the results and the remediation activities you need to fix misconfigurations in your cloud environment.

GCP Cloud Container Scanning

GCP Cloud Container Scanning uses a PubSub topic to automatically detect any container image pushed to registries on Google Container Registry or Google Artifact Registry, as well as images deployed to Google Cloud Run. An ephemeral Google Cloud Build pipeline is then created to scan that image so a vulnerability report is available in your Sysdig backend.

2.1 - Auditlog Falco rules

Rule categories: APIKEYS (1 rule), CLOUDFUNCTIONS (3 rules), CLOUDKMS (2 rules), CLOUDRESOURCEMANAGER (1 rule), CLOUDRUN (2 rules), DNS (1 rule), GCE (1 rule), GKE (4 rules), IAM (5 rules), LOGGING (1 rule), MONITORING (2 rules), SQL (3 rules), STORAGE BUCKETS (7 rules), VM (5 rules), VPC (2 rules), VPC NETWORKS (2 rules), OTHER (2 rules).

Total 44 rules.

APIKEYS

GCP Create API Keys for a Project

Detect creation of API keys for a project.

cloud gcp gcp_apikeys cis_controls_16 cis_gcp_1.12

CLOUDFUNCTIONS

GCP Create Cloud Function Not Using Latest Runtime

Detect creation of a Cloud Function using an old or deprecated runtime.

cloud gcp gcp_cloudfunctions soc2 soc2_CC7.1 mitre_T1190-exploit-public-facing-application
GCP Create Cloud Function

Detect creation of a Cloud function.

cloud gcp gcp_cloudfunctions mitre_TA0003-persistence
GCP Update Cloud Function

Detect updates to a Cloud Function.

cloud gcp gcp_cloudfunctions mitre_TA0003-persistence mitre_T1496-resource-hijacking

CLOUDKMS

GCP Create KMS Key Without Rotation

Detect creation of a new KMS key with rotation disabled.

cloud gcp gcp_cloudkms soc2 soc2_CC5.2 soc2_CC6.6 ISO_27001 ISO_27001_A.10.1.2
GCP Remove KMS Key Rotation

Detect removal of KMS key rotation.

cloud gcp gcp_cloudkms soc2 soc2_CC6.1 soc2_CC8.1 ISO_27001 ISO_27001_A.10.1.2 ISO_27001_A.18.1.5 GDPR GDPR_32.1 GDPR_32.2

CLOUDRESOURCEMANAGER

GCP Invitation Sent to Non-corporate Account

Detect sending of an invitation to an account that is not an allowed corporate account.

cloud gcp gcp_cloudresourcemanager HIPAA HIPAA_164.308(a) HIPAA_164.312(a) HIPAA_164.312(d) HITRUST HITRUST_CSF_01.q cis_controls_16.2 cis_gcp_1.1 mitre_T1136-create-account

CLOUDRUN

CloudRun Create Service

Detect creation of a CloudRun Service.

cloud gcp gcp_cloudrun
CloudRun Replace Service

Detect the replacement of a CloudRun Service.

cloud gcp gcp_cloudrun

DNS

GCP Create or Patch DNS Zone without DNSSEC

Detect creation of a DNS zone with DNSSEC disabled or a modification of a DNS zone to disable DNSSEC.

cloud gcp gcp_dns cis_controls_11.1 cis_gcp_3.3

GCE

GCP Describe Instance

Detect a describe operation on the specified GCE instance.

cloud gcp gcp_gce

GKE

GCP Delete DNS Zone

Detect the deletion of a DNS zone.

cloud gcp gcp_gke
GCP Delete GKE Cluster

Detect the deletion of a GKE cluster.

cloud gcp gcp_gke
GCP Delete GKE Node Pool

Detect the deletion of a GKE node pool.

cloud gcp gcp_gke
GCP Delete Router

Detect the deletion of a router.

cloud gcp gcp_gke

IAM

GCP Create GCP-managed Service Account Key

Detect creating an access key for a GCP-managed service account.

cloud gcp gcp_iam soc2 soc2_CC5.2 soc2_CC6.6 ISO_27001 ISO_27001_A.10.1.2 HIPAA HIPAA_164.312(e) HITRUST HITRUST_CSF_06.d HITRUST_CSF_10.g cis_controls_16 mitre_T1550-use-alternate-authentication-material
GCP Create User-managed Service Account Key

Detect creating an access key for a user-managed service account.

cloud gcp gcp_iam soc2 soc2_CC5.2 soc2_CC6.6 ISO_27001 ISO_27001_A.10.1.2 HIPAA HIPAA_164.312(e) HITRUST HITRUST_CSF_06.d HITRUST_CSF_10.g cis_controls_16 cis_gcp_1.4 mitre_T1550-use-alternate-authentication-material
GCP Delete IAM Role

Detect the deletion of an IAM role.

cloud gcp gcp_iam
GCP Operation by a Non-corporate Account

Detect executing an operation by a non-corporate account.

cloud gcp gcp_iam HIPAA HIPAA_164.308(a) HIPAA_164.312(a) HIPAA_164.312(d) HITRUST HITRUST_CSF_01.q cis_controls_16.2 cis_gcp_1.1
GCP Super Admin Executing Command

Detect a super admin executing a GCP command.

cloud gcp gcp_iam soc2 soc2_CC6.2 soc2_CC6.6 FedRAMP FedRAMP_AC-2(12) ISO_27001 ISO_27001_A.6.1.2 ISO_27001_A.9.2.3 HIPAA HIPAA_164.308(a) HIPAA_164.312(a) HIPAA_164.312(b) HITRUST_CSF HITRUST_CSF_01.c HITRUST_CSF_09.aa GDPR GDPR_25.1 GDPR_25.2 GDPR_25.3

LOGGING

GCP Update, Disable or Delete Sink

Detect the updating, disabling or deletion of a sink.

cloud gcp gcp_logging FedRAMP FedRAMP_AU-12(1) FedRAMP_AU-3(1) FedRAMP_AU-9(2) FedRAMP_CM-3(1) ISO_27001 ISO_27001_A.16.1.7 ISO_27001_A.18.1.3 HIPAA HIPAA_164.312(b) HITRUST HITRUST_CSF_09.aa HITRUST_CSF_10.k cis_controls_6.2 cis_controls_6.4 cis_gcp_2.2

MONITORING

GCP Monitoring Alert Deleted

Detect deletion of an alert.

cloud gcp gcp_monitoring FedRAMP FedRAMP_AU-12(1) FedRAMP_AU-3(1) FedRAMP_AU-9(2) FedRAMP_CM-3(1) ISO_27001 ISO_27001_A.16.1.7 ISO_27001_A.18.1.3 HIPAA HIPAA_164.312(b) HITRUST HITRUST_CSF_09.aa HITRUST_CSF_10.k mitre_TA0005-defense-evasion mitre_T1066-indicator-removal-from-tools mitre_T1562-impair-defenses mitre_T1562.008-disable-cloud-logs
GCP Monitoring Alert Updated

Detect updating of an alert.

cloud gcp gcp_monitoring FedRAMP FedRAMP_AU-12(1) FedRAMP_AU-3(1) FedRAMP_AU-9(2) FedRAMP_CM-3(1) ISO_27001 ISO_27001_A.16.1.7 ISO_27001_A.18.1.3 HIPAA HIPAA_164.312(b) HITRUST HITRUST_CSF_09.aa HITRUST_CSF_10.k mitre_TA0005-defense-evasion mitre_T1066-indicator-removal-from-tools

SQL

GCP Disable Automatic Backups for a Cloud SQL Instance

Detect that automatic backups have been disabled for a Cloud SQL instance.

cloud gcp gcp_sql cis_controls_10.1 cis_gcp_6.7
GCP Disable the Requirement for All Incoming Connections to Use SSL for a Cloud SQL Instance

Detect that the requirement for all incoming connections to use SSL for a Cloud SQL instance has been disabled.

cloud gcp gcp_sql FedRAMP FedRAMP_CM-3(1) FedRAMP_SC-7(4) HIPAA HIPAA_164.310(b) HITRUST_CSF HITRUST_CSF_01.j HITRUST_CSF_01.n HITRUST_CSF_01.y HITRUST_CSF_05.i HITRUST_CSF_09.s HITRUST_CSF_10.k cis_controls_13 cis_controls_14.4 cis_controls_16.5 cis_gcp_6.4
GCP Set a Public IP for a Cloud SQL Instance

Detect that a public IP address has been set for a Cloud SQL instance.

cloud gcp gcp_sql FedRAMP FedRAMP_SC-7(4) HITRUST_CSF HITRUST_CSF_01.n HITRUST_CSF_09.m cis_controls_13 cis_gcp_6.6

STORAGE BUCKETS

GCP Create Bucket

Detect creation of a bucket.

cloud gcp gcp_storage_buckets mitre_T1074-data-staged
GCP Delete Bucket

Detect deletion of a bucket.

cloud gcp gcp_storage_buckets
GCP List Buckets

Detect listing of all storage buckets.

cloud gcp gcp_storage_buckets mitre_TA0007-discovery mitre_T1083-file-and-directory-discovery
GCP List Bucket Objects

Detect listing of all objects in a bucket.

cloud gcp gcp_storage_buckets mitre_TA0007-discovery mitre_T1083-file-and-directory-discovery
GCP Put Bucket ACL

Detect setting the permissions on an existing bucket using access control lists.

cloud gcp gcp_storage_buckets FedRAMP FedRAMP_AC-6(1) FedRAMP_AC-6(2) FedRAMP_AC-6(3) ISO_27001 ISO_27001_A.9.1.2 HIPAA HIPAA_164.308(a) HIPAA_164.312(a) HITRUST_CSF HITRUST_CSF_01.c HITRUST_CSF_01.q HITRUST_CSF_06.j mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host mitre_T1530-data-from-cloud-storage-object
GCP Set Bucket IAM Policy

Detect setting the permissions on an existing bucket using IAM policies.

cloud gcp gcp_storage_buckets FedRAMP FedRAMP_AC-6(1) FedRAMP_AC-6(2) FedRAMP_AC-6(3) ISO_27001 ISO_27001_A.9.1.2 HIPAA HIPAA_164.308(a) HIPAA_164.312(a) HITRUST_CSF HITRUST_CSF_01.c HITRUST_CSF_01.q HITRUST_CSF_06.j mitre_T1530-data-from-cloud-storage-object
GCP Update Bucket

Detect the update of a bucket.

cloud gcp gcp_storage_buckets

VM

GCP Enable Connecting to Serial Ports for a VM Instance

Detect enabling of connection to serial ports for a VM instance.

cloud gcp gcp_vm FedRAMP FedRAMP_CM-3(1) HITRUST_CSF HITRUST_CSF_10.k cis_controls_9.2 cis_gcp_4.5
GCP Creation of a VM Instance with IP Forwarding Enabled

Detect creating a VM instance with IP forwarding enabled.

cloud gcp gcp_vm cis_controls_11.1 cis_controls_11.2 cis_gcp_4.6
GCP Suspected Disable of OS Login in a VM Instance

Detect modification of the enable-oslogin metadata in an instance.

cloud gcp gcp_vm cis_controls_16 cis_gcp_4.4
GCP Enable Project-wide SSH keys for a VM Instance

Detect enabling of project-wide SSH keys for a VM instance.

cloud gcp gcp_vm HIPAA HIPAA_164.310(b) HITRUST_CSF HITRUST_CSF_01.j HITRUST_CSF_01.n HITRUST_CSF_01.y HITRUST_CSF_05.i HITRUST_CSF_09.s cis_controls_16 cis_gcp_4.3
GCP Shield Disabled for a VM Instance

Detect disabling of the Shielded VM parameter(s) of a VM instance.

cloud gcp gcp_vm cis_controls_13 cis_gcp_4.8

VPC

GCP Delete VPC Network

Detect the deletion of a VPC network.

cloud gcp gcp_vpc
GCP Delete VPC Subnetwork

Detect the deletion of a VPC subnetwork.

cloud gcp gcp_vpc

VPC NETWORKS

GCP Create a Default VPC Network

Detect creation of a default network in a project.

cloud gcp gcp_vpc_networks FedRAMP FedRAMP_CM-3(1) FedRAMP_SC-7(4) HITRUST_CSF HITRUST_CSF_01.n HITRUST_CSF_10.k cis_controls_11.1 cis_gcp_3.1
GCP Disable Subnet Flow Logs

Detect disabling the flow logs of a subnet.

cloud gcp gcp_vpc_networks soc2 soc2_CC6.6 FedRAMP FedRAMP_AU-12(1) FedRAMP_AU-3(1) FedRAMP_AU-9(2) FedRAMP_CM-3(1) ISO_27001 ISO_27001_A.16.1.7 ISO_27001_A.18.1.3 HIPAA HIPAA_164.312(b) HITRUST_CSF HITRUST_CSF_09.aa HITRUST_CSF_10.k cis_controls_6.2 cis_controls_12.8 cis_gcp_3.8

OTHER

GCP Delete Resources from the PCI Blueprint Environment

Detect the deletion of resources from the blueprint environment.

cloud gcp
GCP Command Executed on Unused Region

Detect GCP command execution on unused regions.

cloud gcp FedRAMP FedRAMP_AC-2(12) HIPAA HIPAA_164.308(a) HIPAA_164.312(a) mitre_T1526-cloud-service-discovery mitre_T1535-unused-unsupported-cloud-regions

3 - Azure

This section describes the offering.
Check setup options, details, troubleshooting, and validation steps under Installations - Cloud - Azure

Available Features

  • Cloud Security Posture Management (CSPM): Based on CIS benchmarks tailored for your assets
  • Cloud Threat Detection: Identify threats in your Azure environment using Falco rules for Azure
  • Image Vulnerability Scanning: Automatic vulnerability scanning of images pushed to Azure Container Registry and images executed on Azure Container Instances

3.1 - Platformlogs Falco rules

Rule categories: DATABASE SERVICES (2 rules), FUNCTION APPS (5 rules), LOGGING AND MONITORING (1 rule), NETWORKING (2 rules), SQL SERVER (2 rules), STORAGE ACCOUNTS (11 rules).

Total 21 rules.

DATABASE SERVICES

Azure Auditing on SQL Server Has Been Disabled

The Azure platform allows a SQL server to be created as a service. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited. Auditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted. Auditing tracks database events and writes them to an audit log in the Azure storage account. It also helps to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.

cloud azure azure_database_services azure_sql_server cis_azure_4.1.1 cis_controls_6.3
Azure Server Vulnerability Assessment on SQL Server Has Been Removed

Vulnerability Assessment setting 'Periodic recurring scans' schedules periodic (weekly) vulnerability scanning for the SQL server and corresponding Databases. Periodic and regular vulnerability scanning provides risk visibility based on updated known vulnerability signatures and best practices.

cloud azure azure_database_services azure_sql_server cis_azure_4.2.2 cis_azure_4.2.3 cis_controls_3.1

FUNCTION APPS

Azure Function App Deleted

A function app has been deleted.

cloud azure azure_function_apps
Azure Function App Deployment Slot Deleted

A function app deployment slot has been deleted.

cloud azure azure_function_apps
Azure Function App Host Key Deleted

A function app host key has been deleted.

cloud azure azure_function_apps
Azure Function App Host Master Key Modified

A function app host master key has been renewed.

cloud azure azure_function_apps
Azure Function Key Deleted

A function key has been deleted.

cloud azure azure_function_apps

LOGGING AND MONITORING

Azure Diagnostic Setting Has Been Disabled

A diagnostic setting controls how a diagnostic log is exported. By default, logs are retained only for 90 days. Diagnostic settings should be defined so that logs can be exported and stored for a longer duration in order to analyze security activities within an Azure subscription.

cloud azure azure_logging_and_monitoring cis_azure_5.1.1 cis_controls_6.5

NETWORKING

Azure RDP Access Is Allowed from The Internet

The potential security problem with using RDP over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on an Azure Virtual Network or even attack networked devices outside of Azure.

cloud azure azure_networking cis_azure_6.1 cis_controls_9.2
Azure SSH Access Is Allowed from The Internet

The potential security problem with using SSH over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure.

cloud azure azure_networking cis_azure_6.2 cis_controls_9.2

SQL SERVER

Azure Auditing on SQL Server Has Been Disabled

The Azure platform allows a SQL server to be created as a service. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited. Auditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted. Auditing tracks database events and writes them to an audit log in the Azure storage account. It also helps to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.

cloud azure azure_database_services azure_sql_server cis_azure_4.1.1 cis_controls_6.3
Azure Server Vulnerability Assessment on SQL Server Has Been Removed

Vulnerability Assessment setting 'Periodic recurring scans' schedules periodic (weekly) vulnerability scanning for the SQL server and corresponding Databases. Periodic and regular vulnerability scanning provides risk visibility based on updated known vulnerability signatures and best practices.

cloud azure azure_database_services azure_sql_server cis_azure_4.2.2 cis_azure_4.2.3 cis_controls_3.1

STORAGE ACCOUNTS

Azure Access Level creation attempt for Blob Container Set to Public

Anonymous, public read access to a container and its blobs can be enabled in Azure Blob storage. It grants read-only access to these resources without sharing the account key, and without requiring a shared access signature. It is recommended not to provide anonymous access to blob containers until, and unless, it is strongly desired. A shared access signature token should be used for providing controlled and timed access to blob containers. If no anonymous access is needed on the storage account, it is recommended to set allowBlobPublicAccess to false.

cloud azure azure_storage_accounts cis_azure_3.5 cis_controls_16
Creation attempt Azure Secure Transfer Required Set to Disabled

The secure transfer option enhances the security of a storage account by only allowing requests to the storage account over a secure connection. For example, when calling REST APIs to access storage accounts, the connection must use HTTPS. Any requests using HTTP will be rejected when 'secure transfer required' is enabled. When using the Azure Files service, connections without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage does not support HTTPS for custom domain names, this option is not applied when using a custom domain name.

cloud azure azure_storage_accounts cis_azure_3.5 cis_controls_16
Creation attempt Azure Default Network Access Rule for Storage Account Set to Allow

Storage accounts should be configured to deny access to traffic from all networks (including internet traffic). Access can be granted to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges, to enable connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access a storage account. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.

cloud azure azure_storage_accounts cis_azure_3.6 cis_controls_16
Azure Access Level for Blob Container Set to Public

Anonymous, public read access to a container and its blobs can be enabled in Azure Blob storage. It grants read-only access to these resources without sharing the account key, and without requiring a shared access signature. It is recommended not to provide anonymous access to blob containers until, and unless, it is strongly desired. A shared access signature token should be used for providing controlled and timed access to blob containers. If no anonymous access is needed on the storage account, it is recommended to set allowBlobPublicAccess to false.

cloud azure azure_storage_accounts cis_azure_3.5 cis_controls_16
Azure Default Network Access Rule for Storage Account Set to Allow

Storage accounts should be configured to deny access to traffic from all networks (including internet traffic). Access can be granted to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges, to enable connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access a storage account. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.

cloud azure azure_storage_accounts cis_azure_3.6 cis_controls_16
Azure Secure Transfer Required Set to Disabled

The secure transfer option enhances the security of a storage account by only allowing requests to the storage account over a secure connection. For example, when calling REST APIs to access storage accounts, the connection must use HTTPS. Any requests using HTTP will be rejected when 'secure transfer required' is enabled. When using the Azure Files service, connections without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage does not support HTTPS for custom domain names, this option is not applied when using a custom domain name.

cloud azure azure_storage_accounts cis_azure_3.1 cis_controls_14.4
Azure Blob Created

A blob has been created in a storage container.

cloud azure azure_storage_accounts
Azure Blob Deleted

A blob has been deleted from a storage container.

cloud azure azure_storage_accounts
Azure Container Created

A container has been created.

cloud azure azure_storage_accounts
Azure Container Deleted

A container has been deleted.

cloud azure azure_storage_accounts
Azure Container ACL Modified

A container ACL has been modified.

cloud azure azure_storage_accounts