Merge pull request Azure#9487 from Azure/v-sudkharat/Repackaging-Multi-Cloud-Attack-Coverage-Essentials-–-Resource-Abuse

Updating solution name to - Multi Cloud Attack Coverage Essentials - Resource Abuse
v-atulyadav authored Nov 27, 2023
2 parents 9c633d3 + 47725c9 commit 9df689e
Showing 16 changed files with 323 additions and 314 deletions.
@@ -1,5 +1,5 @@
{
"Name": "Multi Cloud Attack Coverage Essentials-Resource Abuse",
"Name": "Multi Cloud Attack Coverage Essentials - Resource Abuse",
"Author": "Microsoft - [email protected]",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
"Description": "The rise of Multi Cloud Resource Abuse attacks poses a significant threat to the security and integrity of cloud infrastructures. These attacks target the vulnerabilities within AWS, GCP, and Azure cloud environments, aiming to exploit misconfigurations, weak access controls, or compromised credentials to gain unauthorized access, manipulate resources, and extract valuable data across diverse cloud platforms. The Multi Cloud Resource Abuse Attack Solution is designed to fortify the detection and prevention measures against such malicious activities. By integrating detection capabilities across AWS, GCP, and Azure cloud infrastructures, this solution offers a set of detection strategies across various cloud platforms, including AWS, GCP, and Azure, aiming to identify abnormal activities, unauthorized access attempts, resource misuse, and data exfiltration. The solution encompasses log monitoring, anomaly detection, and behaviour analysis to detect and respond to potential breaches or abuses. This solution extends its coverage to include a wide array of cloud-based services such as AWS IAM, Azure AD, GCP IAM, storage services, and more, ensuring a comprehensive approach to identifying, mitigating, and responding to potential threats.\n\n **Pre-requisites:**\n\n This is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Cv-sudkharat%40microsoft.com%7C8ec0502d0fb449debbc108dbe9849194%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638360527889561785%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=XyqFj%2FfDBffyAPs4haVuOLs0g3vFY6jt%2B8pe%2F9gk0%2B0%3D&reserved=0) and does not include any data connectors. 
To achieve the most robust protection against Multi Cloud Resource Abuse, it is recommended to deploy this solution in conjunction with complementary tools and solutions across the cloud platforms. Install one or more of the listed solutions to unlock the value provided by this solution. \n\n[Microsoft Defender XDR](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender)\n\n [Microsoft Entra ID](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-azureactivedirectoryazure-sentinel-solution-azureactivedirectory)\r\r\n[Amazon Web Services](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-amazonwebservicesazure-sentinel-solution-amazonwebservices)\n\n[Google Cloud Platform IAM](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-gcpiamazure-sentinel-solution-gcpiam)\n\n \n\n[Google Cloud Platform Audit Logs](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-gcpauditlogs-apiazure-sentinel-solution-gcpauditlogs-api) \n\nThis content covers all stages of the attack chain from an initial resource access attack vector, establishing persistence to an environment, locating and executing malicious activity from data stores, and then perpetrating and hiding their activity. This range of content complements the coverage Microsoft 365 Defender provides across Microsoft Defender products: https://learn.microsoft.com/microsoft-365/security/defender/automatic-attack-disruption\n\n**Keywords:** Multi-cloud, Cross-cloud, AWS, GCP, GuardDuty, AWS GuardDuty, GCP Security, Security Console, Cloud abuse, Resource Abuse",
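Review bot: the "Description" context below the renamed "Name" links to the domain-solutions documentation through a nam06.safelinks.protection.outlook.com wrapper that embeds a Microsoft mailbox (v-sudkharat@microsoft.com) and mail-tracking parameters; the rename itself is fine, but the packaged solution should carry the direct target that the wrapper encodes, https://learn.microsoft.com/azure/sentinel/sentinel-solutions-catalog#domain-solutions, so it neither exposes an internal address nor depends on an Outlook redirector. The same string also uses "\r\r\n" before the Amazon Web Services link and an empty "\n\n \n\n" before the Google Cloud Platform Audit Logs link where every other entry uses "\n\n"; normalising those while the package is being regenerated avoids a stray blank line in the rendered description.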
Expand All @@ -15,7 +15,7 @@
"Analytic Rules/UserImpersonateByRiskyUser.yaml"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Multi Cloud Attack Coverage Essentials-Resource Abuse",
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Multi Cloud Attack Coverage Essentials - Resource Abuse",
"Version": "3.0.0",
"TemplateSpec": true,
"Is1PConnector": false,
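Review bot: "BasePath" is rewritten to the renamed folder "Multi Cloud Attack Coverage Essentials - Resource Abuse" while "Version" stays at "3.0.0"; since this repackaging changes the solution's display name, confirm that the ReleaseNotes.md the createUiDefinition description links to under the new folder path records the rename, and that all 16 changed files use the new folder spelling, because a single stale "Essentials-Resource Abuse" path will break the generated package.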
Binary file not shown.
Expand Up @@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Multi%20Cloud%20Attack%20Coverage%20Essentials-Resource%20Abuse/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe rise of Multi Cloud Resource Abuse attacks poses a significant threat to the security and integrity of cloud infrastructures. These attacks target the vulnerabilities within AWS, GCP, and Azure cloud environments, aiming to exploit misconfigurations, weak access controls, or compromised credentials to gain unauthorized access, manipulate resources, and extract valuable data across diverse cloud platforms. The Multi Cloud Resource Abuse Attack Solution is designed to fortify the detection and prevention measures against such malicious activities. By integrating detection capabilities across AWS, GCP, and Azure cloud infrastructures, this solution offers a set of detection strategies across various cloud platforms, including AWS, GCP, and Azure, aiming to identify abnormal activities, unauthorized access attempts, resource misuse, and data exfiltration. The solution encompasses log monitoring, anomaly detection, and behaviour analysis to detect and respond to potential breaches or abuses. 
This solution extends its coverage to include a wide array of cloud-based services such as AWS IAM, Azure AD, GCP IAM, storage services, and more, ensuring a comprehensive approach to identifying, mitigating, and responding to potential threats.\n\n **Pre-requisites:**\n\n This is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Cv-sudkharat%40microsoft.com%7C8ec0502d0fb449debbc108dbe9849194%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638360527889561785%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=XyqFj%2FfDBffyAPs4haVuOLs0g3vFY6jt%2B8pe%2F9gk0%2B0%3D&reserved=0) and does not include any data connectors. To achieve the most robust protection against Multi Cloud Resource Abuse, it is recommended to deploy this solution in conjunction with complementary tools and solutions across the cloud platforms. Install one or more of the listed solutions to unlock the value provided by this solution. 
\n\n[Microsoft Defender XDR](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender)\n\n [Microsoft Entra ID](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-azureactivedirectoryazure-sentinel-solution-azureactivedirectory)\r\r\n[Amazon Web Services](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-amazonwebservicesazure-sentinel-solution-amazonwebservices)\n\n[Google Cloud Platform IAM](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-gcpiamazure-sentinel-solution-gcpiam)\n\n \n\n[Google Cloud Platform Audit Logs](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-gcpauditlogs-apiazure-sentinel-solution-gcpauditlogs-api) \n\nThis content covers all stages of the attack chain from an initial resource access attack vector, establishing persistence to an environment, locating and executing malicious activity from data stores, and then perpetrating and hiding their activity. This range of content complements the coverage Microsoft 365 Defender provides across Microsoft Defender products: https://learn.microsoft.com/microsoft-365/security/defender/automatic-attack-disruption\n\n**Keywords:** Multi-cloud, Cross-cloud, AWS, GCP, GuardDuty, AWS GuardDuty, GCP Security, Security Console, Cloud abuse, Resource Abuse\n\n**Analytic Rules:** 9\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Multi%20Cloud%20Attack%20Coverage%20Essentials%20-%20Resource%20Abuse/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe rise of Multi Cloud Resource Abuse attacks poses a significant threat to the security and integrity of cloud infrastructures. These attacks target the vulnerabilities within AWS, GCP, and Azure cloud environments, aiming to exploit misconfigurations, weak access controls, or compromised credentials to gain unauthorized access, manipulate resources, and extract valuable data across diverse cloud platforms. The Multi Cloud Resource Abuse Attack Solution is designed to fortify the detection and prevention measures against such malicious activities. By integrating detection capabilities across AWS, GCP, and Azure cloud infrastructures, this solution offers a set of detection strategies across various cloud platforms, including AWS, GCP, and Azure, aiming to identify abnormal activities, unauthorized access attempts, resource misuse, and data exfiltration. The solution encompasses log monitoring, anomaly detection, and behaviour analysis to detect and respond to potential breaches or abuses. 
This solution extends its coverage to include a wide array of cloud-based services such as AWS IAM, Azure AD, GCP IAM, storage services, and more, ensuring a comprehensive approach to identifying, mitigating, and responding to potential threats.\n\n **Pre-requisites:**\n\n This is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Cv-sudkharat%40microsoft.com%7C8ec0502d0fb449debbc108dbe9849194%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638360527889561785%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=XyqFj%2FfDBffyAPs4haVuOLs0g3vFY6jt%2B8pe%2F9gk0%2B0%3D&reserved=0) and does not include any data connectors. To achieve the most robust protection against Multi Cloud Resource Abuse, it is recommended to deploy this solution in conjunction with complementary tools and solutions across the cloud platforms. Install one or more of the listed solutions to unlock the value provided by this solution. 
\n\n[Microsoft Defender XDR](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender)\n\n [Microsoft Entra ID](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-azureactivedirectoryazure-sentinel-solution-azureactivedirectory)\r\r\n[Amazon Web Services](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-amazonwebservicesazure-sentinel-solution-amazonwebservices)\n\n[Google Cloud Platform IAM](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-gcpiamazure-sentinel-solution-gcpiam)\n\n \n\n[Google Cloud Platform Audit Logs](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-gcpauditlogs-apiazure-sentinel-solution-gcpauditlogs-api) \n\nThis content covers all stages of the attack chain from an initial resource access attack vector, establishing persistence to an environment, locating and executing malicious activity from data stores, and then perpetrating and hiding their activity. This range of content complements the coverage Microsoft 365 Defender provides across Microsoft Defender products: https://learn.microsoft.com/microsoft-365/security/defender/automatic-attack-disruption\n\n**Keywords:** Multi-cloud, Cross-cloud, AWS, GCP, GuardDuty, AWS GuardDuty, GCP Security, Security Console, Cloud abuse, Resource Abuse\n\n**Analytic Rules:** 9\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
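Review bot: the Release Notes link is correctly re-encoded as Multi%20Cloud%20Attack%20Coverage%20Essentials%20-%20Resource%20Abuse/ReleaseNotes.md, so this change and the folder rename must land in the same commit or the link returns 404. The long description is the same text as the Data file's "Description", including the safelinks-wrapped domain-solutions URL; the direct learn.microsoft.com link belongs here as well, and "Azure AD" in the coverage sentence is the old name for the product the prerequisites list as Microsoft Entra ID, so the two should be reconciled in this regeneration.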