diff --git a/rule-packs/index.js b/rule-packs/index.js index 4740a13..353d3d8 100644 --- a/rule-packs/index.js +++ b/rule-packs/index.js @@ -17,3 +17,4 @@ module.exports.ArmisEndpointSecurity = require("./armis-endpoint-security.json") module.exports.TrellixEndpointSecurity = require("./trellix-endpoint-security.json"); module.exports.CyberarkEPMMisconfigurations = require("./cyberark-epm-misconfigurations.json"); module.exports.CyberarkIdaptiveMisconfigurations = require("./cyberark-idaptive-misconfigurations.json"); +module.exports.KnownMaliciousSoftwareVersions = require("./known-malicious-software-versions.json"); diff --git a/rule-packs/known-malicious-software-versions.json b/rule-packs/known-malicious-software-versions.json new file mode 100644 index 0000000..fd42f0a --- /dev/null +++ b/rule-packs/known-malicious-software-versions.json @@ -0,0 +1,98 @@ + [ + { + "name": "aws-ssm-xz-5.6.0", + "description": "This query will return iterations of XZ version 5.6.1 via aws ssm.", + "queries": [ + { + "name": "query0", + "query": "FIND aws_instance_inventory WITH applicationInventory ~= 'xz-utils_5.6.0'", + "version": "v1" + } + ], + "alertLevel": "CRITICAL" + }, + { + "name": "critical-assets-xz-5.6.0", + "description": "This query will notify on potentially affected critical assets that have vulnerable XZ version 5.6.0 installed", + "queries": [ + { + "name": "query0", + "query": "FIND #CriticalAsset THAT HAS >> aws_instance_inventory WITH applicationInventory ~= 'xz-utils_5.6.0'", + "version": "v1" + } + ], + "alertLevel": "CRITICAL" + }, + { + "name": "network-devices-xz-5.6.0", + "description": "This query will return potentially affected network devices with vulnerable XZ version 5.6.0 installed", + "queries": [ + { + "name": "query0", + "query": "FIND Internet THAT RELATES TO aws_security_group AS sg THAT RELATES TO aws_instance AS i THAT HAS >> aws_instance_inventory WITH applicationInventory ~= 'xz-utils_5.6.0' RETURN i.displayName AS 'EC2', sg.displayName AS 'Security Group'", + "version": "v1" + } + ], + "alertLevel": "CRITICAL" + }, + { + "name": "aws-ssm-xz-5.6.1", + "description": "This query will return iterations of XZ version 5.6.1 via aws ssm.", + "queries": [ + { + "name": "query0", + "query": "FIND aws_instance_inventory WITH applicationInventory ~= 'xz-utils_5.6.1'", + "version": "v1" + } + ], + "alertLevel": "CRITICAL" + }, + { + "name": "critical-assets-xz-5.6.1", + "description": "This query will notify on potentially affected critical assets that have vulnerable XZ version 5.6.1 installed", + "queries": [ + { + "name": "query0", + "query": "FIND #CriticalAsset THAT HAS >> aws_instance_inventory WITH applicationInventory ~= 'xz-utils_5.6.1'", + "version": "v1" + } + ], + "alertLevel": "CRITICAL" + }, + { + "name": "network-devices-xz-5.6.1", + "description": "This query will return potentially affected network devices with vulnerable XZ version 5.6.1 installed", + "queries": [ + { + "name": "query0", + "query": "FIND Internet THAT RELATES TO aws_security_group AS sg THAT RELATES TO aws_instance AS i THAT HAS >> aws_instance_inventory WITH applicationInventory ~= 'xz-utils_5.6.1' RETURN i.displayName AS 'EC2', sg.displayName AS 'Security Group'", + "version": "v1" + } + ], + "alertLevel": "CRITICAL" + }, + { + "name": "devices-xz-5.6.0-5.6.1", + "description": "This query will return potentially affected devices with vulnerable XZ version installed", + "queries": [ + { + "name": "query0", + "query": "FIND (Host|Device) THAT RELATES TO aws_instance_inventory WITH applicationInventory ~= ('xz-utils_5.6.0' OR 'xz-utils_5.6.1')", + "version": "v1" + } + ], + "alertLevel": "HIGH" + }, + { + "name": "general-xz-queries", + "description": "This query will query all installed versions of XZ in your environment", + "queries": [ + { + "name": "query0", + "query": "FIND aws_instance_inventory WITH applicationInventory ~= 'xz-utils'", + "version": "v1" + } + ], + "alertLevel": "INFO" + } + ]