Create known-malicious-software-versions

rule-packs/index.js

@@ -17,3 +17,4 @@ module.exports.ArmisEndpointSecurity = require("./armis-endpoint-security.json")
 module.exports.TrellixEndpointSecurity = require("./trellix-endpoint-security.json");
 module.exports.CyberarkEPMMisconfigurations = require("./cyberark-epm-misconfigurations.json");
 module.exports.CyberarkIdaptiveMisconfigurations = require("./cyberark-idaptive-misconfigurations.json");
+module.exports.KnownMaliciousSoftwareVersions = require("./known-malicious-software-versions.json");

rule-packs/known-malicious-software-versions.json

@@ -0,0 +1,98 @@
+  [
+    {
+      "name": "aws-ssm-xz-5.6.0",
+      "description": "This query will return iterations of XZ version 5.6.1 via aws ssm.",
+      "queries": [
+        {
+          "name": "query0",
+          "query": "FIND aws_instance_inventory WITH applicationInventory ~= 'xz-utils_5.6.0'",
+          "version": "v1"
+        }
+      ],
+      "alertLevel": "CRITICAL"
+    },
+    {
+      "name": "critical-assets-xz-5.6.0",
+      "description": "This query will notify on potentially affected critical assets that have vulnerable XZ version 5.6.0 installed",
+      "queries": [
+        {
+          "name": "query0",
+          "query": "FIND #CriticalAsset THAT HAS >> aws_instance_inventory WITH applicationInventory ~= 'xz-utils_5.6.0'",
+          "version": "v1"
+        }
+      ],
+      "alertLevel": "CRITICAL"
+    },  
+    {
+      "name": "network-devices-xz-5.6.0",
+      "description": "This query will return potentially affected network devices with vulnerable XZ version 5.6.0 installed",
+      "queries": [
+        {
+          "name": "query0",
+          "query": "FIND Internet THAT RELATES TO aws_security_group AS sg THAT RELATES TO aws_instance AS i THAT HAS >> aws_instance_inventory WITH applicationInventory ~= 'xz-utils_5.6.0' RETURN i.displayName AS 'EC2', sg.displayName AS 'Security Group'",
+          "version": "v1"
+        }
+      ],
+      "alertLevel": "CRITICAL"
+    },
+    {
+      "name": "aws-ssm-xz-5.6.1",
+      "description": "This query will return iterations of XZ version 5.6.1 via aws ssm.",
+      "queries": [
+        {
+          "name": "query0",
+          "query": "FIND aws_instance_inventory WITH applicationInventory ~= 'xz-utils_5.6.1'",
+          "version": "v1"
+        }
+      ],
+      "alertLevel": "CRITICAL"
+    },
+    {
+      "name": "critical-assets-xz-5.6.1",
+      "description": "This query will notify on potentially affected critical assets that have vulnerable XZ version 5.6.1 installed",
+      "queries": [
+        {
+          "name": "query0",
+          "query": "FIND #CriticalAsset THAT HAS >> aws_instance_inventory WITH applicationInventory ~= 'xz-utils_5.6.1'",
+          "version": "v1"
+        }
+      ],
+      "alertLevel": "CRITICAL"
+    },
+    {
+      "name": "network-devices-xz-5.6.1",
+      "description": "This query will return potentially affected network devices with vulnerable XZ version 5.6.1 installed",
+      "queries": [
+        {
+          "name": "query0",
+          "query": "FIND Internet THAT RELATES TO aws_security_group AS sg THAT RELATES TO aws_instance AS i THAT HAS >> aws_instance_inventory WITH applicationInventory ~= 'xz-utils_5.6.1' RETURN i.displayName AS 'EC2', sg.displayName AS 'Security Group'",
+          "version": "v1"
+        }
+      ],
+      "alertLevel": "CRITICAL"
+    },
+    {
+      "name": "devices-xz-5.6.0-5.6.1",
+      "description": "This query will return potentially affected devices with vulnerable XZ version installed",
+      "queries": [
+        {
+          "name": "query0",
+          "query": "FIND (Host|Device) THAT RELATES TO aws_instance_inventory WITH applicationInventory ~= ('xz-utils_5.6.0' OR 'xz-utils_5.6.1')",
+          "version": "v1"
+        }
+      ],
+      "alertLevel": "HIGH"
+    },
+    {
+      "name": "general-xz-queries",
+      "description": "This query will query all installed versions of XZ in your environment",
+      "queries": [
+        {
+          "name": "query0",
+          "query": "FIND aws_instance_inventory WITH applicationInventory ~= 'xz-utils'",
+          "version": "v1"
+        }
+      ],
+      "alertLevel": "INFO"
+    }
+  ]