OOTB Rules

Datadog provides out-of-the-box (OOTB) detection rules to flag attacker techniques and potential misconfigurations so you can immediately take steps to remediate. Datadog continuously develops new default rules, which are automatically imported into your account, your Application Security Management library, and the Agent, depending on your configuration.

Beta detection rules

Datadog’s Security Research team continually adds new OOTB security detection rules. While the aim is to deliver high quality detections with the release of integrations or other new features, the performance of the detection at scale often needs to be observed before making the rule generally available. This gives Datadog’s Security Research the time to either refine or deprecate detection opportunities that do not meet our standards.

Click the following buttons to filter the detection rules. Security detection rules are available for Application Security Management, Cloud SIEM (log detection and signal correlation), CSM Misconfigurations (cloud and infrastructure), CSM Threats, and CSM Identity Risks.

すべてAPPLICATION SECURITYCLOUD SIEM (LOG DETECTION)CLOUD SIEM (SIGNAL CORRELATION)CSM IDENTITY RISKSCSM MISCONFIGURATIONS (CLOUD)CSM MISCONFIGURATIONS (INFRA)CSM SECURITY ISSUESCSM THREATS

>

The Kubernetes API server secure port should be enabled

1password

>

1Password activity observed from Tor client IP
1Password service account token activity observed
1Password vault export attempt by user
Anomalous amount of failed sign-in attempts by 1Password user
Attempt to exfiltrate a 1Password item by user
Attempt to modify a 1Password item by user
Impossible travel event observed from 1Password user
Unusual 1Password device authorization activity
Unusual 1Password item usage action observed from user

ACM

>

Certificate managed by ACM should be renewed within 30 days of expiration
Certificate managed by ACM should be renewed within 7 days
Certificate managed by ACM should not be expired
Certificates managed by ACM should be validated

Amazon Fsx

>

AWS FSx Excessive File Denied

Amazon Vpc

>

VPC flow logging should be enabled in all VPCs

Apache

>

Apache HTTP requests from security scanner

Application Security

>

API scan detected on service
Attack Tool
Bruteforce attack
Cassandra injection vulnerability triggered
Commercial vulnerability scanner
CQL injections attempts
Credential Stuffing attack
Excessive account deletion from an IP
Excessive payment failures from IP
Java code injections attempts
JWT authentication bypass attempt
Local File Inclusion (LFI) attack attempts
Log4shell RCE attempts - CVE-2021-44228
Log4shell vulnerability triggered (RCE) - CVE-2021-44228
Mongo injections attempts
OGNL injection attack attempts on routes parsing OGNL
Password reset token bruteforce
Rate limit SDK sensitive activity from IP
Rate limited WAF sensitive activity from IP
Reflected XSS attempts on routes returning HTML
Resource enumeration detected
Security scanner detected
Shell injection attempt detected
Spring4shell RCE attempts - CVE-2022-22963
SQL injection vulnerability triggered
SQL injections attempts
SSRF attempts on routes executing network queries
SSRF vulnerability triggered
Unauthenticated activity detected
Unauthorized activity detected
Unusual account creations from an IP
Unusual password reset rate activity
User activity detected from outside authorized countries
User activity detected from unauthorized countries
User activity from Tor
User enumeration through password reset

Auth0

>

Anomalous number of Auth0 Attack Protection events
Auth0 breached password detection disabled
Auth0 brute-force protection disabled
Auth0 Guardian MFA push notifications rejected by user
Auth0 Guardian MFA push notifications rejected by user followed by successful login
Auth0 suspicious IP throttling disabled
Auth0 tenant invitation sent to user
Auth0 user logged in with a breached password
Brute force attack on an Auth0 user
Credential stuffing attack on Auth0
Impossible Travel Auth0 login

AWS

>

AWS Verified Access anomalous failed authentication attempts by host
AWS Verified Access anomalous failed authentication attempts by IP
AWS Verified Access anomalous failed authentication attempts by user
Brute forced ConsoleLogin event correlates with an assumed role event
ConsoleLogin event correlates privileged policy applying to a role
Impossible travel event leads to permission enumeration

AWS Logging Log Metric

>

A metric filter and alarm should be established for route table changes
A metric filter and alarm should be established for security group changes
A metric filter and alarm should be established for VPC changes
A metric filter and alarm should exist for AWS Config configuration changes
A metric filter and alarm should exist for AWS organizations changes
A metric filter and alarm should exist for CloudTrail changes
A metric filter and alarm should exist for console authentication failures
A metric filter and alarm should exist for console logins without MFA
A metric filter and alarm should exist for disabling or deletion of customer created CMKs
A metric filter and alarm should exist for IAM policy changes
A metric filter and alarm should exist for NACL changes
A metric filter and alarm should exist for root login attempts
A metric filter and alarm should exist for S3 bucket policy changes
A metric filter and alarm should exist for unauthorized API calls
There should exist a log metric filter and alarm for network gateway changes

Azure

>

Azure Active Directory risky sign-in
Azure AD brute force login
Azure AD Identity Protection risky user
Azure AD Login Without MFA
Azure AD member assigned built-in Administrator role
Azure AD member assigned Global Administrator role
Azure AD possible MFA fatigue attack
Azure AD possible MFA fatigue attack followed by successful login
Azure AD Privileged Identity Management member assigned
Azure AD sign in from AADinternals default user agent
Azure AD sign in from AzureHound default user agent
Azure Datadog Log Forwarder Deleted
Azure diagnostic setting deleted or disabled
Azure disk export URI created
Azure Firewall Threat Intelligence Alert
Azure Frontdoor WAF Blocked a Request
Azure Frontdoor WAF Logged a Request
Azure Login Explicitly Denied MFA
Azure Network Security Group Open to the World
Azure Network Security Groups or Rules Created, Modified, or Deleted
Azure new owner added for service principal
Azure New Owner added to Azure Active Directory application
Azure New Service Principal created
Azure Policy Assignment Created
Azure Service Principal was assigned a role
Azure snapshot export URI created
Azure SQL Server Firewall Rules Created or Modified
Azure user invited an external user
Azure user ran command on container instance
Azure user viewed CosmosDB access keys
Azure user viewed CosmosDB connection string
Brute-forced user has assigned a role
Credential added to Azure AD application
Credential added to rarely used Azure AD application
Credential Stuffing Attack on Azure
Microsoft 365 - Modification of Trusted Domain
Potential Illicit Consent Grant attack via Azure registered application
Tor client IP address identified within Azure environment
User ran a command on Azure Compute

Azure.active Directory

>

Azure subscription custom administrator roles should be disabled

Azure.activity Log

>

'Create or Update Network Security Group' activity log alert should be configured
'Create or Update Public Ip Address' activity log alert should be configured
'Create or Update Security Solutions' activity log alert should be configured
'Create or Update SQL Server Firewall Rule' activity log alert should be configured
'Create Policy Assignment' activity log alert should be configured
'Delete Network Security Group' activity log alert should be configured
'Delete Policy Assignment' activity log alert should be configured
'Delete Public Ip Address Rule' activity log alert should be configured
'Delete Security Solution' activity log alert should be configured
'Delete SQL Server Firewall Rule' activity log alert should be configured
Account should have a activity log alert configured for 'Create or Update Network Security Group'
Account should have a activity log alert configured for 'Delete Load Balancer'
Account should have a activity log alert configured for 'Delete Storage Accounts'
Account should have a activity log alert configured for creating or updating storage accounts
Account should have a activity log alert configured for creating or updating virtual machines
Account should have a activity log alert configured for deallocating virtual machines
Account should have a configured activity log alert for 'Delete Key Vault'
Account should have a configured activity log alert for 'Delete MySQL Database'
Account should have a configured activity log alert for 'Delete PostgreSQL Database'
Account should have a configured activity log alert for 'Rename Azure SQL Database'
Account should have a configured activity log alert for 'Update Key Vault'
Account should have a configured activity log alert for 'Update Security Policy'
Account should have a configured activity log alert for deleting Network Security Group
Account should have a configured activity log alert for deleting policy assignments
Account should have a configured activity log alert for deleting the SQL Server firewall rule
Account should have a configured activity log alert for deleting VMs
Account should have a configured activity log alert for load balancer updates
Account should have a configured activity log alert for mysql database updates
Account should have a configured activity log alert for PostgreSQL database updates
Account should have a configured activity log alert for power off events
Account should have a configured activity log alert for security solutions creation or updates
Account should have a configured activity log alert for sql database updates
The account should have a configured activity log alert for firewall rule creation or update
The user should configure an activity log alert for SQL Database deletion
User should have a 'Create Policy Assignment' activity log alert configured
User should have a 'Delete Security Solution' activity log alert configured

Azure.app Service

>

The Azure App Service should be enabled with 'always on'

Azure.appservice

>

App Service should use the latest version of TLS encryption
Azure App Service should have authentication enabled
Azure App Service should have remote debugging disabled
Azure should use the latest HTTP version available
Azure should use the latest Java version available
Azure should use the latest Python version available
FTP deployments should be disabled
Incoming client certificates should be required to be 'On'
The app service should enable registration with Azure Active Directory
The web app should redirect all HTTP traffic to HTTPS

Azure.compute

>

'OS and Data' disks should be encrypted with Customer Managed Key (CMK)
'Unattached disks' should be encrypted with Customer Managed Key (CMK)
Publicly accessible Azure VM connected to known attack domain
Publicly accessible Azure VM has privileged role and password-based SSH authentication
Publicly Accessible Azure VM instance has a critical vulnerability
Publicly accessible Azure VM performed cryptomining operations
Publicly accessible Azure VM performing SSH scanning
Publicly accessible Azure VM uses password-based SSH authentication
Virtual machines in Azure should use SSH authentication keys for security
Virtual Machines should utilize Azure Managed Disks

Azure.dbformysql

>

SSL connection on MySQL Database Server should be enabled

Azure.dbforpostgresql

>

Access to Azure services for PostgreSQL Database Server should be disabled
Infrastructure double encryption for PostgreSQL Database Server should be enabled
Server parameter 'connection_throttling' should be enabled for PostgreSQL Database Server
Server parameter 'log_checkpoints' should be enabled for PostgreSQL Database Server
Server parameter 'log_connections' should be enabled for PostgreSQL Database Server
Server parameter 'log_disconnections' should be enabled for PostgreSQL Database Server
Server parameter 'log_retention_days' should be greater than 3 days for PostgreSQL Database Server
SSL connection on PostgreSQL Database Server should be enabled
The Azure PostgreSQL database server should use geo-redundant backups
The Azure PostgreSQL Database Server should use the current major version
The server should have the 'log_duration' parameter set to 'ON'

Azure.keyvault

>

All keys in non-RBAC Azure Key Vaults should have an expiration time set
All keys in RBAC Azure Key Vault should have an expiration time set
All secrets in Non-RBAC Azure Key Vault should have an expiration time set
All secrets in RBAC Azure Key Vault should have an expiration time set
Azure Key Vault should be recoverable

Azure.kubernetes

>

BETA AKS Cluster should have public access limited
BETA AKS cluster should use a network policy between nodes
BETA AKS Kubelet configuration file ownership should be assigned to root
BETA An AKS Cluster's kubelet configuration file ownership should be assigned to root
BETA An AKS Cluster's Kubelet configuration file should disable anonymous requests
BETA An AKS Cluster's kubelet configuration file should have permissions set to 644 or more restrictive
BETA An AKS Cluster's Kubelet should be allowed to manage iptables
BETA An AKS Cluster's Kubelet should have the eventRecordQPS entry set
BETA An AKS Cluster's Kubelet should not allow hostname overrides
BETA An AKS Cluster's Kubelet should only allow explicitly authorized requests
BETA An AKS Cluster's Kubelet should rotate client certificates automatically
BETA An AKS Cluster's Kubelet should rotate server certificates automatically
BETA An AKS Cluster's Kubelet's read-only port should be disabled
BETA An AKS's Kubelet should use TLS authentication
BETA The AKS kubeconfig file should have permissions set to 644 or more restrictive
BETA The Private Cluster feature for AKS should be enabled
BETA Timeouts for streaming connections in an AKS worker node should be enabled

Azure.monitor

>

Diagnostic Setting should capture appropriate categories

Azure.network

>

The network security group should allow specific port rules

Azure.networkwatcher

>

Network Security Group Flow Log retention period should be 'greater than 90 days'

Azure.security

>

Azure should be configured to send email notifications about security alerts with High severity
Azure should be configured with a security contact email
Azure should send security alert emails to subscription owners
PostgreSQL Database ingress traffic should be restricted to specified IP addresses
Security Group should restrict HTTP(S) access from the internet
Security Group should restrict RDP access from the internet
Security Group should restrict SSH access from the internet
Security Group should restrict UDP access from the internet
SQL Databases should only allow ingress traffic from specific IP addresses

Azure.sql

>

Audit data for Azure SQL Server should be retained for greater than 90 days
Auditing on SQL Server should be enabled
Azure Active Directory Admin should be configured for Azure SQL
Data encryption for SQL Database Server should be enabled
Microsoft Defender for SQL Server should be on for critical SQL Servers
Periodic recurring vulnerability assessment scans should be enabled on SQL servers
SQL Server Vulnerability Assessments should send scan reports to subscribed admins
SQL server's Transparent Data Encryption (TDE) protector should be encrypted with a customer-managed key
Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' should be set for SQL servers
Vulnerability Assessment should be enabled for SQL server

Azure.storage

>

'Blob public access' should be disabled for storage accounts with blob containers
'Trusted Microsoft Services' should be enabled for Storage Account access
Azure Storage should have soft delete enabled
Blob Containers anonymous access should be restricted
Blob Service storage logging should be enabled for 'Read', 'Write', and 'Delete' requests
Secure transfer required should be enabled
Storage account containing the blob container with activity logs should be encrypted with Customer Managed Key
Storage containers storing activity logs should only be accessible by authorized personnel
Storage for critical data should be encrypted with Customer Managed Key
Table Service storage logging should be enabled for 'Read', 'Write', and 'Delete' requests
The default network access rule for Storage Accounts should be set to deny

Azure.storage Account

>

Private Endpoints should be used to access Storage Accounts

Cloud Workload Security

>

AppArmor profile modified
Auditd configuration modified
Compiler executed in container
Compiler wrote suspicious file
Container accessed using kubectl in another container
Container breakout attempt using Docker socket
Container breakout using runc file descriptors
Container management utility in container
Cryptocurrency miner attempted to boost CPU performance
Database process spawned shell
Dirty Pipe exploitation attempted
DNS lookup for cryptocurrency mining pool
DNS lookup for IP lookup service
DNS lookup for paste service
Executable bit added to newly created file
Exfiltration attempt via network utility
File created and executed inside container
Hash of known malware detected
Interactive shell spawned in container
Java process spawned shell
Kubernetes DNS enumeration
Kubernetes service account token created in container
Local account password modified
Looney Tunables (CVE-2023-4911) exploited for privilege escalation
Memfd object created
Network scanning utility executed
Network utility accessed risky cloud metadata service
Network utility executed
Network utility executed in container
Network utility executed with suspicious URI
Offensive Kubernetes tool executed
Package installed in container
Process arguments match cryptocurrency miner
Process hidden using mount
Process injected into another process
PTRACE_TRACEME used to prevent process debugging
Pwnkit privilege escalation attempt
Python executed with suspicious arguments
RC scripts modified
Recently written or modified suid file has been executed
Redis sandbox escape (CVE-2022-0543)
Redis server wrote suspicious module file
Resource enumerated using kubectl in container
Resource provisioned using kubectl in container
Runc binary modified
Sensitive namespace modified using kubectl
Shell command history modified
Sudoers policy file modified
Suspected dynamic linker hijacking attempt
Unfamiliar command spawned from web server
Unfamiliar kernel module loaded
Unfamiliar kernel module loaded from memory
Unfamiliar process accessed AWS EKS service account token
Unfamiliar process accessed Kubernetes pod service account token
User created interactively

Cloudflare

>

Cloudflare CASB Finding
Cloudflare L7 DDOS detected
Impossible travel scenario observed in Cloudflare logs

Cloudfront

>

AWS CloudFront distribution should be integrated with WAF
AWS CloudFront distribution should have a security policy of TLS v1.1 or greater
AWS CloudFront distribution should have logging enabled
AWS CloudFront field-level encryption should be enabled
Cloudfront distribution should be encrypted
CloudFront viewer should be encrypted

Cloudtrail

>

A user received an anomalous number of AccessDenied errors
Amazon EC2 AMI exfiltration attempt by IAM user
Amazon S3 bucket policy modified
Amazon SES enumeration attempt by previously unseen user
Amazon SES modification attempt
Amazon SNS enumeration attempt by previously unseen user
Amazon SNS enumeration in multiple regions using a long-term access key
An AWS account attempted to leave the AWS Organization
An AWS S3 bucket lifecycle expiration policy was set to disabled
An AWS S3 bucket lifecycle policy expiration is set to < 90 days
An AWS S3 bucket mfaDelete is disabled
An EC2 instance attempted to enumerate S3 bucket
Anomalous amount of access denied events for AWS EC2 Instance
Anomalous amount of Autoscaling Group events
Anomalous API Gateway API key reads by user
Anomalous number of assumed roles from user
Anomalous number of S3 buckets accessed
Anomalous number of secrets retrieved from AWS Secrets Manager
Anomalous S3 bucket activity from user ARN
Attempt to create Xlarge EC2 instances in multiple AWS regions
AWS access key creation by previously unseen identity
AWS AMI Made Public
AWS CloudTrail configuration modified
AWS CloudTrail trail should have global service events enabled
AWS CloudWatch log group deleted
AWS CloudWatch rule disabled or deleted
AWS Config modified
AWS console login without MFA
AWS ConsoleLogin with MFA triggered Impossible Travel scenario
AWS ConsoleLogin without MFA triggered Impossible Travel scenario
AWS Detective Graph deleted
AWS Disable Cloudtrail with event selectors
AWS EBS default encryption disabled
AWS EBS Snapshot Made Public
AWS EBS Snapshot possible exfiltration
AWS EC2 new event for application
AWS EC2 new event for EKS Node Group
AWS EC2 subnet deleted
AWS ECS cluster deleted
AWS ECS CreateCluster API calls in multiple regions
AWS EventBridge rule disabled or deleted
AWS GuardDuty detector deleted
AWS GuardDuty publishing destination deleted
AWS GuardDuty threat intel set deleted
AWS IAM activity by S3 browser utility
AWS IAM activity from EC2 instance
AWS IAM AdministratorAccess policy was applied to a group
AWS IAM AdministratorAccess policy was applied to a role
AWS IAM AdministratorAccess policy was applied to a user
AWS IAM policy modified
AWS IAM Roles Anywhere trust anchor created
AWS IAM User created with AdministratorAccess policy attached
AWS Java_Ghost security group creation attempt
AWS Kinesis Firehose stream destination modified
AWS KMS key deleted or scheduled for deletion
AWS Lambda function modified by IAM user
AWS Lambda function resource-based policy modified by IAM user
AWS Network Access Control List created or modified
AWS Network Gateway created or modified
AWS principal added to multiple EKS clusters
AWS principal assigned administrative privileges in an EKS cluster
AWS principal granted access to a EKS cluster then removed
AWS RDS Cluster deleted
AWS root account activity
AWS Route 53 DNS query logging disabled
AWS Route 53 VPC disassociated from query logging configuration
AWS Route Table created or modified
AWS S3 Bucket ACL made public
AWS S3 Public Access Block removed
AWS security group created, modified or deleted
AWS Security Hub disabled
AWS VPC created or modified
AWS VPC Flow Log deleted
AWS WAF traffic blocked by specific rule
AWS WAF traffic blocked by specific rule on multiple IPs
AWS WAF web access control list deleted
AWS WAF web access control list modified
CloudTrail log file validation should be enabled
CloudTrail logs S3 bucket should not be public accessible
CloudTrail logs should be encrypted at rest using KMS CMKs
Cloudtrail SecretsManager secret retrieved from AWS CloudShell environment
CloudTrail trails should be integrated with CloudWatch Logs
Compromised AWS EC2 Instance
Compromised AWS IAM User Access Key
Encrypted administrator password retrieved for Windows EC2 instance
New Amazon EC2 Instance type
New AWS account seen assuming a role into AWS account
New Private Repository Container Image detected in AWS ECR
New Public Repository Container Image detected in AWS ECR
New user seen executing a command in an ECS task
Object-level logging should be enabled for S3 bucket read events
Possible AWS EC2 privilege escalation via the modification of user data
Possible privilege escalation via AWS login profile manipulation
Possible RDS Snapshot exfiltration
Potential administrative port open to the world via AWS security group
Potential brute force attack on AWS ConsoleLogin
Potential database port open to the world via AWS security group
S3 bucket access logging should be enabled on the CloudTrail S3 bucket
S3 bucket write events should have object-level logging enabled
Security group open to the world
Temporary AWS security credentials generated for user
The AWS managed policy AWSCompromisedKeyQuarantineV2 has been attached
There should be at least one multi-region CloudTrail trail per AWS account
Tor client IP address identified within AWS environment
TruffleHog user agent observed in AWS
Unfamiliar IAM user retrieved a decrypted AWS Systems Manager parameter
Unfamiliar IAM user retrieved secret from AWS Secrets Manager
Unfamiliar IAM user retrieved SSM parameter
Unusual AWS enumeration event from EC2 instance
User enumerated AWS Secrets Manager - Anomaly
User enumerated AWS Systems Manager parameters - Anomaly
User travel was impossible in AWS CloudTrail IAM log

Crowdstrike

>

Crowdstrike Alerts

EBS

>

EBS snapshot should be encrypted
EBS volume should be encrypted
EBS volume snapshot should not be publicly shared

EC2

>

Amazon Machine Image (AMI) should only be available to trusted accounts
EC2 instance should not have a highly-privileged IAM role attached to it
EC2 instances should enforce IMDSv2
Inbound CIFS access should be restricted
Inbound DNS access should be restricted
Inbound FTP access should be restricted
Inbound HTTP access should be restricted
Inbound HTTPS access should be restricted
Inbound ICMP access to the host should be restricted
Inbound MongoDB access should be restricted
Inbound MSSQL access should be restricted
Inbound OpenSearch access should be restricted
Inbound Oracle access should be restricted
Inbound RPC access should be restricted
Inbound SMTP access should be restricted
Inbound TCP NetBIOS access should be restricted
Inbound Telnet access should be restricted
Inbound UDP NetBIOS access should be restricted
MySQL inbound access should be restricted
Outbound access on all ports should be restricted
PostgreSQL inbound access should be restricted
Publicly accessible EC2 instance connected to known attack domain
Publicly Accessible EC2 instance has a critical vulnerability
Publicly accessible EC2 instance performed cryptomining operations
Publicly accessible EC2 instance performing SSH scanning
Publicly accessible EC2 instance should not have open administrative ports
Publicly accessible EC2 instance uses IMDSv1
Publicly accessible EC2 instances should not have highly-privileged IAM roles
Security groups should restrict ingress traffic to specified IPv4 addresses
Security groups should restrict ingress traffic to specified IPv6 addresses
The default security group should restrict all traffic in a VPC

ECR

>

BETA Amazon ECR should be scanning all images for vulnerabilities

EKS

>

BETA An EKS Cluster's kubelet configuration file ownership should be assigned to root
BETA An EKS Cluster's Kubelet configuration file should disable anonymous requests
BETA An EKS Cluster's kubelet configuration file should have permissions set to 644 or more restrictive
BETA An EKS Cluster's Kubelet should be allowed to manage iptables
BETA An EKS Cluster's Kubelet should have the eventRecordQPS entry set
BETA An EKS Cluster's Kubelet should not allow hostname overrides
BETA An EKS Cluster's Kubelet should only allow explicitly authorized requests
BETA An EKS Cluster's Kubelet should rotate client certificates automatically
BETA An EKS Cluster's Kubelet should rotate server certificates automatically
BETA An EKS Cluster's Kubelet's read-only port should be disabled
BETA An EKS's Kubelet should use TLS authentication
BETA EKS Cluster should have private endpoint enabled
BETA EKS Cluster should have public access limited
BETA EKS cluster should use a network policy between nodes
BETA Kubelet configuration file ownership should be assigned to root
BETA The kubeconfig file should have permissions set to 644 or more restrictive
BETA Timeouts for streaming connections in an EKS worker node should be enabled

Elasticache

>

ElastiCache clusters should be provisioned in a VPC
ElastiCache clusters should use a non-default port for communication
ElastiCache clusters should use the latest engine version available

Elasticsearch

>

Elasticsearch clusters should use the latest engine version
Elasticsearch domain should enable encryption
Elasticsearch domain should only be accessible from an AWS VPC
Elasticsearch domains should be encrypted with KMS Customer Master Keys
The Elasticsearch domain should block unsigned requests over the public internet

ELB

>

A logging setup should be created for AWS Elastic Load Balancers
AWS ELB HTTP requests from security scanner
Classic Load Balancer listener should use a secure configuration

Elbv2

>

Access logging should be enabled for Application Load Balancers
ELBv2 ALB communication should use HTTPS
ELBv2 load balancer should use the latest security policy

Fastly

>

Fastly HTTP Requests from Security Scanner

File Integrity Monitoring

>

Credentials file modified
Critical system binary modified
Cron job modified
Kernel module directory modified
Name Service Switch configuration modified
Redis modified cron job directory to execute commands
SELinux enforcement disabled
SSH authorized keys modified
SSL certificate tampering
System authentication files modified
Systemd service modified

GCP

>

Access denied for Google Cloud Service Account
Anomalous number of Google Cloud Compute GPU virtual machines created
Anomalous number of Google Cloud Storage Buckets Accessed
Anomalous number of Google Cloud Storage Objects Accessed
Anomalous number of Google Compute Engine instances created in multiple zones by user
Attempt to add SSH key to Google Compute Engine project metadata by a previously unseen user
Google App Engine service account used outside of Google Cloud
Google Cloud BigQuery - query results saved to cloud storage
Google Cloud BigQuery - query results saved to new table
Google Cloud BigQuery results saved to cloud storage by a previously unseen user
Google Cloud Compute Engine GPU virtual machine instance created
Google Cloud GCE instance startup script added or modified
Google Cloud IAM policy modified
Google Cloud IAM role created
Google Cloud IAM Role updated
Google Cloud Logging Bucket deleted
Google Cloud logging sink modified
Google Cloud Project external principal added as project owner
Google Cloud Pub/Sub Subscriber modified
Google Cloud Pub/Sub topic deleted
Google Cloud Service Account accessing anomalous number of Google Cloud APIs
Google Cloud Service Account created
Google Cloud Service Account Impersonation activity using access token generation
Google Cloud Service Account Impersonation using GCPloit Exploitation Framework
Google Cloud Service Account key created
Google Cloud SQL database modified
Google Cloud SQL instance data exported to cloud storage
Google Cloud SQL instance data exported to cloud storage by a previously unseen user
Google Cloud Storage Bucket contents downloaded without authentication
Google Cloud Storage Bucket enumerated
Google Cloud Storage Bucket modified
Google Cloud Storage Bucket permissions modified
Google Cloud unauthorized service account activity
Google Cloud unauthorized user activity
Google Compute Engine firewall egress rule opened to the world
Google Compute Engine firewall rule modified
Google Compute Engine image created
Google Compute Engine instance metadata SSH key added or modified
Google Compute Engine instances created in multiple zones by user
Google Compute Engine network created
Google Compute Engine network route created or modified
Google Compute Engine project metadata SSH key added or modified
Google Compute Engine service account used outside of Google Cloud
Potential Google Cloud cryptomining attack from Tor IP
Tor client IP address identified within Google Cloud environment

Github Telemetry

>

GitHub a branch protection requirement was overridden by a repository administrator
GitHub Advanced Security
GitHub anomalous number of repositories cloned by user
GitHub audit log streaming endpoint was deleted
GitHub branch protection disabled on branch
GitHub Dependabot
GitHub enterprise owner added
GitHub IP allow list
GitHub MFA requirement disabled
GitHub OAuth application access restrictions disabled
GitHub organization was removed from enterprise
GitHub organization was transferred between enterprise accounts
GitHub payment method removed
GitHub Personal Access Token created by suspicious IP
GitHub repository transfer
GitHub SAML/OIDC has been disabled
GitHub Secret Scanning disabled or bypassed
GitHub SSH certificate authority deleted
GitHub SSH certificate requirement disabled
GitHub SSH key added by suspicious IP
GitHub user blocked from accessing organization repositories

Google Bigquery Dataset

>

BigQuery data sets should specify a default customer-managed encryption key
BigQuery Dataset should not be publicly accessible

Google Bigquery Table

>

BigQuery tables should be encrypted with customer-managed encryption keys (CMEK)

Google Cloud Asset Inventory

>

Cloud Asset Inventory should be enabled

Google Cloud SQL Instance

>

SQL database instances should only use private IP addresses

Google Compute Disk

>

VM disks for critical VMs should be encrypted with customer-supplied encryption keys

Google Compute Firewall

>

RDP access should be restricted from the internet
SSH access should be restricted from the internet

Google Compute Instance

>

Compute instances should be launched with Shielded VM enabled
Compute instances should have confidential computing enabled
Compute instances should only have internal IP addresses
Instances should be configured to use a non-default service account with restricted API access
Instances should have IP forwarding disabled
Instances should use a non-default service account
Instances should use instance-specific SSH keys instead of project-wide keys
Projects should have OS Login enabled for SSH authentication
Publicly accessible GCP compute instance connected to known attack domain
Publicly accessible GCP compute instance performed cryptomining operations
Publicly accessible GCP compute instance performing SSH scanning
Publicly accessible Google Compute instance has a critical severity vulnerability
Publicly accessible Google Compute instance uses a privileged service account
Serial port connection for VM instances should be disabled

Google Compute Network

>

Projects should not have legacy networks configured for older projects
Projects should only use non-default VPC networks

Google Compute Ssl Policy

>

HTTPS proxy load balancers should only permit strong cipher suites
SSL proxy load balancers should only permit strong cipher suites

Google Compute Subnetwork

>

VPC Flow Logs should be enabled for all VPC subnets

Google Dataproc Cluster

>

Dataproc cluster should be encrypted using customer-managed encryption key

Google DNS Managed Zone

>

Cloud DNS DNSSEC should use a secure algorithm other than RSASHA1
Cloud DNS DNSSEC should use a zone-signing key with a secure algorithm other than RSASHA1
Cloud DNS should have DNSSEC enabled

Google DNS Policy

>

Cloud DNS logging should be enabled for VPC networks

Google Iam Policy

>

Cloud Audit Logging should be configured to track admin activity and data access
Cloud Storage bucket access should be restricted to authorized users
KMS roles assigned to users should utilize 'Separation of Duties'

Google Kms Crypto Key

>

KMS encryption keys should be rotated every 90 days or less

Google Logging Log Bucket

>

Retention policies should be configured using bucket lock on log buckets

Google Logging Log Metric

>

A log metric filter and alert should exist for audit configuration changes
A log metric filter and alert should exist for cloud storage bucket IAM changes
A log metric filter and alert should exist for custom role changes
A log metric filter and alert should exist for project ownership assignments/changes
A log metric filter and alert should exist for SQL instance configuration changes
A log metric filter and alert should exist for VPC firewall rule changes
A log metric filter and alert should exist for VPC network changes
A log metric filter and alert should exist for VPC network route changes

Google Logging Log Sink

>

Log entries should have log sinks configured for exporting

Google Service Account

>

Cloud KMS cryptokeys should restrict anonymous and/or public access
Service accounts should keep the 'Service Account Admin' and 'Service Account User' roles separate
Service accounts should only be bound to non-administrative roles
Service accounts should only use GCP-managed keys
Service accounts should rotate user-managed or external keys every 90 days or less
Users should be assigned the 'Service Account User' or 'Service Account Token Creator' roles at the Service Account level

Google SQL Database Instance

>

MySQL instance should have the 'skip_show_database' flag set to 'on'
MySQL instances should have the 'local_infile' database flag set to 'off'
PostgreSQL instance should have the 'log_disconnections' database flag enabled
PostgreSQL instances should have the 'log_connections' database flag set to 'on'
PostgreSQL instances should have the 'log_error_verbosity' flag set to 'DEFAULT' or stricter
PostgreSQL instances should have the 'log_hostname' database flag set to 'on'
PostgreSQL instances should have the 'log_min_messages' database flag set to at least 'WARNING'
PostgreSQL instances should have the 'log_statement' database flag set appropriately
PostgreSQL instances should have the `log_min_duration_statement` flag set to '-1' (disabled)
PostgreSQL instances should have the `log_min_error_statement` flag set to 'ERROR' or stricter
SQL database instances should enforce SSL for all incoming connections
SQL database instances should have automated backups enabled
SQL Database instances should only allow ingress traffic from specific IP addresses
SQL Server instances should have the 'contained database authentication' database flag set to 'off'
SQL Server instances should have the 'cross db ownership chaining' database flag set to 'off'
SQL Server instances should have the 'external scripts enabled' database flag set to 'off'
SQL Server instances should have the 'remote access' database flag set to 'off'
SQL Server instances should have the 'user connections' database flag set to a non-limiting value
SQL Server instances should have the `3625 (trace flag)` database flag set to 'off'
SQL Server instances should have the `user options` database flag disabled

Google Storage Bucket

>

Cloud storage buckets should have uniform bucket-level access enabled

Google.security.command.center

>

Google Security Command Center

Google.workspace.alert.center

>

Google Workspace Alert Center

Gsuite

>

Domain added to Google Workspace allowlisted domains
Google Workspace accessed by Google
Google Workspace admin role created
Google Workspace administrator has disabled 2-step verification for organizational unit
Google Workspace administrator initiated a data transfer request
Google Workspace Tor client detected
Google Workspace user assigned administrative role
Google Workspace user assigned super administrative role
Google Workspace user disabled 2-step verification
Google Workspace user edited account recovery information
Google Workspace user forwarding email out of non Google Workspace domain
Google Workspace user has unenrolled from Advanced Protection
Large amount of downloads on Google Drive
User attempted login with leaked password

Guardduty

>

AWS GuardDuty finding

Host Benchmarks

>

A remote time server for Chrony is configured
Add grpquota Option to /home
Add nodev Option to /dev/shm
Add nodev Option to /home
Add nodev Option to /tmp
Add nodev Option to /var
Add nodev Option to /var/log
Add nodev Option to /var/log/audit
Add nodev Option to /var/tmp
Add nodev Option to Removable Media Partitions
Add noexec Option to /dev/shm
Add noexec Option to /tmp
Add noexec Option to /var
Add noexec Option to /var/log
Add noexec Option to /var/log/audit
Add noexec Option to /var/tmp
Add noexec Option to Removable Media Partitions
Add nosuid Option to /dev/shm
Add nosuid Option to /home
Add nosuid Option to /tmp
Add nosuid Option to /var
Add nosuid Option to /var/log
Add nosuid Option to /var/log/audit
Add nosuid Option to /var/tmp
Add nosuid Option to Removable Media Partitions
Add usrquota Option to /home
All AppArmor Profiles are in enforce or complain mode
All GIDs referenced in /etc/passwd must be defined in /etc/group
All Interactive User Home Directories Must Be Group-Owned By The Primary Group
All Interactive User Home Directories Must Be Owned By The Primary User
All Interactive User Home Directories Must Have mode 0750 Or Less Permissive
All Interactive Users Home Directories Must Exist
Audit Configuration Files Must Be Owned By Group root
Audit Configuration Files Must Be Owned By Root
Build and Test AIDE Database
Configure Accepting Router Advertisements on All IPv6 Interfaces
Configure AIDE to Verify the Audit Tools
Configure auditd admin_space_left Action on Low Disk Space
Configure auditd mail_acct Action on Low Disk Space
Configure auditd Max Log File Size
Configure auditd max_log_file_action Upon Reaching Maximum Log Size
Configure auditd Number of Logs Retained
Configure auditd space_left Action on Low Disk Space
Configure auditd to use audispd's syslog plugin
Configure BIND to use System Crypto Policy
Configure Firewalld to Restrict Loopback Traffic
Configure Firewalld to Trust Loopback Traffic
Configure Kerberos to use System Crypto Policy
Configure Kernel Parameter for Accepting Secure Redirects By Default
Configure Libreswan to use System Crypto Policy
Configure ntpd To Run As ntp User
Configure OpenSSL library to use System Crypto Policy
Configure Periodic Execution of AIDE
Configure SELinux Policy
Configure server restrictions for ntpd
Configure SSH to use System Crypto Policy
Configure System Cryptography Policy
Deactivate Wireless Network Interfaces
Direct root Logins Not Allowed
Disable Accepting ICMP Redirects for All IPv4 Interfaces
Disable Accepting ICMP Redirects for All IPv6 Interfaces
Disable Accepting Router Advertisements on all IPv6 Interfaces by Default
Disable Apache Qpid (qpidd)
Disable Apport Service
Disable At Service (atd)
Disable Automatic Bug Reporting Tool (abrtd)
Disable Avahi Server Software
Disable core dump backtraces
Disable Core Dumps for All Users
Disable Core Dumps for SUID programs
Disable GNOME3 Automount Opening
Disable GNOME3 Automount running
Disable GNOME3 Automounting
Disable graphical user interface
Disable Host-Based Authentication
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default
Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces
Disable Kernel Parameter for IPv6 Forwarding
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
Disable Kernel Support for USB via Bootloader Configuration
Disable Modprobe Loading of USB Storage Driver
Disable Mounting of cramfs
Disable Mounting of freevxfs
Disable Mounting of hfs
Disable Mounting of hfsplus
Disable Mounting of jffs2
Disable Mounting of squashfs
Disable Mounting of udf
Disable Network File System (nfs)
Disable Network Router Discovery Daemon (rdisc)
Disable ntpdate Service (ntpdate)
Disable Odd Job Daemon (oddjobd)
Disable Postfix Network Listening
Disable rpcbind Service
Disable SSH Access via Empty Passwords
Disable SSH Root Login
Disable SSH Support for .rhosts Files
Disable storing core dump
Disable systemd-journal-remote Socket
Disable the Automounter
Disable the CUPS Service
Disable the GNOME3 Login User List
Disable XDMCP in GDM
Do Not Allow SSH Environment Options
Enable auditd Service
Enable Auditing for Processes Which Start Prior to the Audit Daemon
Enable authselect
Enable cron Daemon
Enable cron Service
Enable GNOME3 Login Warning Banner
Enable GNOME3 Screensaver Lock After Idle Period
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default
Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces
Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default
Enable NX or XD Support in the BIOS
Enable PAM
Enable Randomized Layout of Virtual Address Space
Enable rsyslog Service
Enable SSH Warning Banner
Enable systemd_timesyncd Service
Enable systemd-journald Service
Enable the NTP Daemon
Enable the NTP Daemon (al2023)
Enable the NTP Service
Enforce usage of pam_wheel for su authentication
Enforce Usage of pam_wheel with Group Parameter for su Authentication
Ensure /dev/shm is configured
Ensure /tmp Located On Separate Partition
Ensure /var/log Located On Separate Partition
Ensure /var/log/audit Located On Separate Partition
Ensure a Table Exists for Nftables
Ensure All Accounts on the System Have Unique Names
Ensure All Accounts on the System Have Unique User IDs
Ensure All Files Are Owned by a Group
Ensure All Files Are Owned by a User
Ensure All Groups on the System Have Unique Group ID
Ensure All Groups on the System Have Unique Group Names
Ensure All SGID Executables Are Authorized
Ensure All SUID Executables Are Authorized
Ensure all users last password change date is in the past
Ensure AppArmor is enabled in the bootloader configuration
Ensure AppArmor is installed
Ensure auditd Collects File Deletion Events by User
Ensure auditd Collects Information on Exporting to Media (successful)
Ensure auditd Collects Information on Kernel Module Loading and Unloading
Ensure auditd Collects Information on the Use of Privileged Commands
Ensure auditd Collects System Administrator Actions
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)
Ensure Authentication Required for Single User Mode
Ensure Base Chains Exist for Nftables
Ensure gpgcheck Enabled for All yum Package Repositories
Ensure gpgcheck Enabled In Main yum Configuration
Ensure ip6tables Firewall Rules Exist for All Open Ports
Ensure iptables Firewall Rules Exist for All Open Ports
Ensure journald is configured to compress large log files
Ensure journald is configured to send logs to rsyslog
Ensure journald is configured to write log files to persistent disk
Ensure LDAP client is not installed
Ensure Log Files Are Owned By Appropriate Group
Ensure Log Files Are Owned By Appropriate User
Ensure Logs Sent To Remote Host
Ensure Mail Transfer Agent is not Listening on any non-loopback Address
Ensure network interfaces are assigned to appropriate zone
Ensure nftables Default Deny Firewall Policy
Ensure nftables Rules are Permanent
Ensure No Daemons are Unconfined by SELinux
Ensure No World-Writable Files Exist
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
Ensure PAM Displays Last Logon/Access Notification
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
Ensure PAM Enforces Password Requirements - Minimum Different Categories
Ensure PAM Enforces Password Requirements - Minimum Digit Characters
Ensure PAM Enforces Password Requirements - Minimum Length
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
Ensure PAM Enforces Password Requirements - Minimum Special Characters
Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
Ensure rsyslog Default File Permissions Configured
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
Ensure rsyslog is Installed
Ensure SELinux is Not Disabled
Ensure SELinux Not Disabled in /etc/default/grub
Ensure SELinux State is Enforcing
Ensure shadow Group is Empty
Ensure Software Patches Installed
Ensure SSH LoginGraceTime is configured
Ensure SSH MaxStartups is configured
Ensure Sudo Logfile Exists - sudo logfile
Ensure System Log Files Have Correct Permissions
Ensure that /etc/at.deny does not exist
Ensure that /etc/cron.deny does not exist
Ensure that chronyd is running under chrony user account
Ensure that Root's Path Does Not Include Relative Paths or Null Directories
Ensure that Root's Path Does Not Include World or Group-Writable Directories
Ensure that System Accounts Are Locked
Ensure that System Accounts Do Not Run a Shell Upon Login
Ensure the Default Bash Umask is Set Correctly
Ensure the Default C Shell Umask is Set Correctly
Ensure the Default Umask is Set Correctly For Interactive Users
Ensure the Default Umask is Set Correctly in /etc/profile
Ensure the Default Umask is Set Correctly in login.defs
Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty
Ensure There Are No Accounts With Blank or Null Passwords
Ensure ufw Default Deny Firewall Policy
Ensure ufw Firewall Rules Exist for All Open Ports
Ensure Users Cannot Change GNOME3 Screensaver Settings
Ensure Users Cannot Change GNOME3 Session Idle Settings
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
Ensure users' .netrc Files are not group or world accessible
Install AIDE
Install firewalld Package
Install iptables Package
Install iptables-persistent Package
Install libselinux Package
Install nftables Package
Install PAE Kernel on Supported 32-bit x86 Systems
Install pam_pwquality Package
Install sudo Package
Install systemd-journal-remote Package
Install the systemd_timesyncd Service
Install ufw Package
Limit Password Reuse
Limit Password Reuse (ubuntu2204)
Limit Password Reuse: password-auth
Limit Password Reuse: system-auth
Limit Users' SSH Access
Lock Accounts After Failed Password Attempts
Make sure that the dconf databases are up-to-date with regards to respective keyfiles
Make the auditd Configuration Immutable
Modify the System Login Banner
Modify the System Login Banner for Remote Connections
Modify the System Message of the Day Banner
Package "prelink" Must not be Installed
Prevent Login to Accounts With Empty Password
Record Attempts to Alter Logon and Logout Events
Record Attempts to Alter Process and Session Initiation Information
Record Attempts to Alter the localtime File
Record attempts to alter time through adjtimex
Record Attempts to Alter Time Through clock_settime
Record attempts to alter time through settimeofday
Record Attempts to Alter Time Through stime
Record Events that Modify the System's Discretionary Access Controls - chmod
Record Events that Modify the System's Discretionary Access Controls - chown
Record Events that Modify the System's Discretionary Access Controls - fchmod
Record Events that Modify the System's Discretionary Access Controls - fchmodat
Record Events that Modify the System's Discretionary Access Controls - fchown
Record Events that Modify the System's Discretionary Access Controls - fchownat
Record Events that Modify the System's Discretionary Access Controls - fremovexattr
Record Events that Modify the System's Discretionary Access Controls - fsetxattr
Record Events that Modify the System's Discretionary Access Controls - lchown
Record Events that Modify the System's Discretionary Access Controls - lremovexattr
Record Events that Modify the System's Discretionary Access Controls - lsetxattr
Record Events that Modify the System's Discretionary Access Controls - removexattr
Record Events that Modify the System's Discretionary Access Controls - setxattr
Record Events that Modify the System's Mandatory Access Controls
Record Events that Modify the System's Network Environment
Record Events that Modify User/Group Information
Remove ftp Package
Remove iptables-persistent Package
Remove iptables-services Package
Remove NIS Client
Remove Rsh Trust Files
Remove telnet Clients
Remove tftp Daemon
Remove the GDM Package Group
Remove the X Windows Package Group
Remove ufw Package
Require Authentication for Emergency Systemd Target
Require Authentication for Single User Mode
Require Re-Authentication When Using the sudo Command
Restrict Serial Port Root Logins
Restrict Virtual Console Root Logins
Set Account Expiration Following Inactivity
Set configuration for IPv6 loopback traffic
Set configuration for loopback traffic
Set Default firewalld Zone for Incoming Packets
Set Default ip6tables Policy for Incoming Packets
Set Default iptables Policy for Incoming Packets
Set Deny For Failed Password Attempts
Set existing passwords a period of inactivity before they been locked
Set Existing Passwords Maximum Age
Set Existing Passwords Minimum Age
Set Existing Passwords Warning Age
Set GNOME3 Screensaver Inactivity Timeout
Set GNOME3 Screensaver Lock Delay After Activation Period
Set Interactive Session Timeout
Set Interval For Counting Failed Password Attempts
Set Lockout Time for Failed Password Attempts
Set LogLevel to INFO
Set nftables Configuration for Loopback Traffic
Set PAM''s Password Hashing Algorithm
Set PAM''s Password Hashing Algorithm - password-auth
Set Password Hashing Algorithm in /etc/login.defs
Set Password Maximum Age
Set Password Minimum Age
Set Password Minimum Length in login.defs
Set Password Warning Age
Set SSH authentication attempt limit
Set SSH Client Alive Count Max
Set SSH Client Alive Interval
Set SSH Daemon LogLevel to VERBOSE
Set SSH MaxSessions limit
Set the GNOME3 Login Warning Banner Text
Set UFW Loopback Traffic
Specify a Remote NTP Server
Specify a Remote NTP Server (al2023)
System Audit Logs Must Be Group Owned By Root
System Audit Logs Must Be Owned By Root
System Audit Logs Must Be Owned By Root (al2023)
System Audit Logs Must Have Mode 0640 or Less Permissive
System Audit Logs Must Have Mode 0750 or Less Permissive
The Chrony package is installed
The Chronyd service is enabled
Uninstall avahi Server Package
Uninstall avahi-autoipd Server Package
Uninstall bind Package
Uninstall CUPS Package
Uninstall cyrus-imapd Package
Uninstall DHCP Server Package
Uninstall dnsmasq Package
Uninstall dovecot Package
Uninstall httpd Package
Uninstall mcstrans Package
Uninstall net-snmp Package
Uninstall nfs-kernel-server Package
Uninstall nfs-utils Package
Uninstall nftables package
Uninstall nginx Package
Uninstall openldap-servers Package
Uninstall rpcbind Package
Uninstall rsh Package
Uninstall rsync Package
Uninstall Samba Package
Uninstall setroubleshoot Package
Uninstall squid Package
Uninstall talk Package
Uninstall telnet-server Package
Uninstall tftp-server Package
Uninstall the nis package
Uninstall vsftpd Package
Uninstall xinetd Package
Uninstall ypserv Package
Use Only FIPS 140-2 Validated Ciphers
Use Only FIPS 140-2 Validated MACs
Use Only Strong Ciphers
Use Only Strong Key Exchange algorithms
Use Only Strong MACs
User Initialization Files Must Be Group-Owned By The Primary Group
User Initialization Files Must Be Owned By the Primary User
User Initialization Files Must Not Run World-Writable Programs
Verify /boot/efi/EFI/redhat/user.cfg Group Ownership
Verify /boot/efi/EFI/redhat/user.cfg Permissions
Verify /boot/efi/EFI/redhat/user.cfg User Ownership
Verify /boot/grub/grub.cfg Permissions
Verify /boot/grub/grub.cfg User Ownership
Verify /boot/grub2/grub.cfg Group Ownership
Verify /boot/grub2/user.cfg Group Ownership
Verify /boot/grub2/user.cfg Permissions
Verify /boot/grub2/user.cfg User Ownership
Verify All Account Password Hashes are Shadowed
Verify All Account Password Hashes are Shadowed with SHA512
Verify and Correct File Permissions with RPM
Verify File Hashes with RPM
Verify firewalld Enabled
Verify Group Ownership of Message of the Day Banner
Verify Group Ownership of System Login Banner
Verify Group Ownership of System Login Banner for Remote Connections
Verify Group Ownership on SSH Server Private *_key Key Files
Verify Group Ownership on SSH Server Public *.pub Key Files
Verify Group Who Owns /etc/at.allow file
Verify Group Who Owns /etc/cron.allow file
Verify Group Who Owns Backup group File
Verify Group Who Owns Backup gshadow File
Verify Group Who Owns Backup passwd File
Verify Group Who Owns Backup shadow File
Verify Group Who Owns cron.d
Verify Group Who Owns cron.daily
Verify Group Who Owns cron.hourly
Verify Group Who Owns cron.monthly
Verify Group Who Owns cron.weekly
Verify Group Who Owns Crontab
Verify Group Who Owns group File
Verify Group Who Owns gshadow File
Verify Group Who Owns passwd File
Verify Group Who Owns shadow File
Verify Group Who Owns SSH Server config file
Verify nftables Service is Disabled
Verify nftables Service is Enabled
Verify No .forward Files Exist
Verify No netrc Files Exist
Verify Only Root Has UID 0
Verify Owner on cron.d
Verify Owner on cron.daily
Verify Owner on cron.hourly
Verify Owner on cron.monthly
Verify Owner on cron.weekly
Verify Owner on crontab
Verify Owner on SSH Server config file
Verify ownership of Message of the Day Banner
Verify ownership of System Login Banner
Verify ownership of System Login Banner for Remote Connections
Verify Ownership on SSH Server Private *_key Key Files
Verify Ownership on SSH Server Public *.pub Key Files
Verify permissions of log files
Verify Permissions on /etc/at.allow file
Verify Permissions on /etc/audit/auditd.conf
Verify Permissions on /etc/audit/rules.d/*.rules
Verify Permissions on /etc/cron.allow file
Verify Permissions on Backup group File
Verify Permissions on Backup gshadow File
Verify Permissions on Backup passwd File
Verify Permissions on Backup shadow File
Verify Permissions on cron.d
Verify Permissions on cron.daily
Verify Permissions on cron.hourly
Verify Permissions on cron.monthly
Verify Permissions on cron.weekly
Verify Permissions on crontab
Verify Permissions on group File
Verify Permissions on gshadow File
Verify permissions on Message of the Day Banner
Verify Permissions on passwd File
Verify Permissions on shadow File
Verify Permissions on SSH Server config file
Verify Permissions on SSH Server Private *_key Key Files
Verify Permissions on SSH Server Public *.pub Key Files
Verify permissions on System Login Banner
Verify permissions on System Login Banner for Remote Connections
Verify Root Has A Primary GID 0
Verify that All World-Writable Directories Have Sticky Bits Set
Verify that audit tools are owned by group root
Verify that audit tools are owned by root
Verify that audit tools Have Mode 0755 or less
Verify that Shared Library Files Have Restrictive Permissions
Verify that Shared Library Files Have Root Ownership
Verify that System Executables Have Restrictive Permissions
Verify that System Executables Have Root Ownership
Verify the UEFI Boot Loader grub.cfg Group Ownership
Verify the UEFI Boot Loader grub.cfg Permissions
Verify the UEFI Boot Loader grub.cfg User Ownership
Verify ufw Enabled
Verify User Who Owns /etc/at.allow file
Verify User Who Owns /etc/cron.allow file
Verify User Who Owns Backup group File
Verify User Who Owns Backup gshadow File
Verify User Who Owns Backup passwd File
Verify User Who Owns Backup shadow File
Verify User Who Owns group File
Verify User Who Owns gshadow File
Verify User Who Owns passwd File
Verify User Who Owns shadow File

IAM

>

Access keys should be created after initial setup for IAM users
Access keys should be rotated every 90 days or less
An IAM privileged user should not have admin permissions in AWS
An IAM role should be created to manage incidents with AWS Support
AWS Cognito identity pool has guest access configured for a role with administrative privileges
AWS EC2 instance can assume a role with administrative privileges
AWS EC2 instance can create a login profile for an IAM user with administrative privileges
AWS EC2 instance can create access keys for an IAM user with administrative privileges
AWS EC2 instance can update a login profile for an IAM user with administrative privileges
AWS EC2 instance can update the trust policy for a role with administrative privileges
AWS EC2 instance has administrative privileges
AWS IAM group can assume a role with administrative privileges
AWS IAM group can create a login profile for an IAM user with administrative privileges
AWS IAM group can create access keys for an IAM user with administrative privileges
AWS IAM group can update a login profile for an IAM user with administrative privileges
AWS IAM group can update the trust policy for a role with administrative privileges
AWS IAM group has access to a large number of resources
AWS IAM group has administrative privileges
AWS IAM policy with administrative privileges is not attached to any principal
AWS IAM role can assume a role with administrative privileges
AWS IAM role can create a login profile for an IAM user with administrative privileges
AWS IAM role can create access keys for an IAM user with administrative privileges
AWS IAM role can update a login profile for an IAM user with administrative privileges
AWS IAM role can update the trust policy for a role with administrative privileges
AWS IAM role has a large permissions gap
AWS IAM role has a trust relationship with a wildcard principal
AWS IAM role has access to a large number of resources
AWS IAM role has administrative privileges
AWS IAM role has administrative privileges and is inactive
AWS IAM role should not allow untrusted GitHub Actions to assume it
AWS IAM role should not have permissive trust with the Cognito Identity service
AWS IAM role should not have permissive trust with the Cognito Identity service and "FullAccess" permissions
AWS IAM role with administrative privileges has a trust relationship with a wildcard principal
AWS IAM role with administrative privileges has an external cross-account trust relationship
AWS IAM role with external cross-account trust relationship does not use an external ID
AWS IAM user can assume a role with administrative privileges
AWS IAM user can create a login profile for an IAM user with administrative privileges
AWS IAM user can create access keys for an IAM user with administrative privileges
AWS IAM user can update a login profile for an IAM user with administrative privileges
AWS IAM user can update the trust policy for a role with administrative privileges
AWS IAM user has a large permissions gap
AWS IAM user has access to a large number of resources
AWS IAM user has administrative privileges
AWS IAM user has administrative privileges and is inactive
AWS Lambda function has administrative privileges
Credentials should be deactivated or removed if unused for 45 days
Expired SSL/TLS certificate stored in AWS IAM should be removed
IAM Access Analyzer should be enabled for all regions
IAM password policy should prevent the reuse of passwords
IAM password policy should require a length of at least 14 characters
IAM password policy should require at least one lowercase letter
IAM password policy should require at least one number in passwords
IAM password policy should require at least one symbol
IAM password policy should require uppercase characters
IAM policies should be attached and managed at the group level
IAM policy should provide only necessary and specific privileges
IAM role trust policy should not contain a wildcard principal
IAM server certificate should be renewed 30 days before expiration
Inactive IAM access keys older than 1 year should be removed
MFA should be enabled for the "root" user account
Multi-factor authentication should be enabled for all IAM users with console access
Root account access keys should be removed
Root account credentials should be inactive for the previous 30 days
The "root" user account should have hardware MFA enabled
There should only be one active access key per IAM user

IIS

>

IIS HTTP requests from security scanner

Jamfprotect

>

BETA Jamf Protect alerts
BETA Jamf Protect threat events

Jumpcloud

>

Credential stuffing attack on Jumpcloud
Jumpcloud admin granted system privileges
Jumpcloud admin login without MFA
Jumpcloud admin triggered impossible travel scenario
Jumpcloud administrator role assigned
Jumpcloud policy created
Jumpcloud policy modified

KMS

>

KMS key policy should not allow everyone to use it
Symmetric CMKs should have encryption key rotation enabled

Kubernetes

>

BETA A Kubernetes audit policy should exist
A Kubernetes user attempted to perform a high number of actions that were denied
A Kubernetes user was assigned cluster administrator permissions
A new Kubernetes admission controller was created
Anonymous request authorized
BETA API server audit log files should be retained for at least 10 log file rotations
BETA API server audit logs should be enabled
BETA API server audit logs should be retained for at least 30 days
BETA API server should verify the kubelet's certificate before establishing connection
BETA Certificate-based kubelet authentication should be required
BETA Each controller should use individual service account credentials
BETA Etcd key-value store should be encrypted at rest
BETA Etcd pod specification file should have permissions of 600 or more restrictive
BETA Etcd server should require API servers to present a client certificate and key when connecting
BETA Etcd should be configured with TLS encryption
BETA Etcd should have client authentication enabled
BETA Etcd should have peer authentication configured
BETA Etcd should only allow the use of valid client certificates
BETA Etcd should use TLS encryption for peer connections
BETA Kubelet nodes should only be authorized to read objects they are associated with
BETA Kubernetes API server profiling should be disabled
BETA Kubernetes PKI certificate files should have permissions of 600 or more restrictive
Kubernetes Pod Created in Kube Namespace
Kubernetes Pod Created with hostNetwork
Kubernetes principal attempted to enumerate their permissions
Kubernetes Service Account Created in Kube Namespace
Kubernetes Service Created with NodePort
New Kubernetes Namespace Created
New Kubernetes privileged pod created
BETA Pods should use `root-ca-file` to pass serving certificates to the API server
BETA RBAC should be enabled for the Kubernetes API server
BETA Scheduler profiling should be disabled
BETA Service accounts management should be automated
BETA The `admin.conf` file should be owned by root
BETA The `admin.conf` file should have permissions of 600 or more restrictive
BETA The `controller-manager.conf` file should be owned by root
BETA The `controller-manager.conf` file should have permissions of 600 or more restrictive
BETA The API server audit log files should be rotated once the file reaches 100 MB or more
BETA The API server pod specification file ownership should be assigned to root
BETA The API server pod specification file should have permissions of 600 or more restrictive
BETA The API Server should require HTTPS connections
BETA The Controller Manager API service should be bound to localhost
BETA The controller manager pod specification file should be owned by root
BETA The controller manager pod specification file should have permissions of 600 or more restrictive
BETA The Controller Manager profiling should be disabled
BETA The controller manager should have a service account private key file set
BETA The etcd data directory should be owned by the etcd user and group
BETA The etcd data directory should have permissions of 700 or more restrictive
BETA The etcd pod specification file should be owned by root
BETA The etcd server should require API servers to present an SSL CA file when connecting
BETA The kubelet server certificate rotation on the controller-manager should be enabled
BETA The kubelet service file should be owned by root
BETA The kubelet service file should have permissions of 600 or more restrictive
BETA The kubelet.conf file should be owned by root
BETA The kubelet.conf file should have permissions of 600 or more restrictive
BETA The Kubernetes admission controller 'AlwaysAdmit' should be disabled
BETA The Kubernetes admission controller 'NamespaceLifecycle' should be enabled
BETA The Kubernetes admission controller 'NodeRestriction' should be enabled
BETA The Kubernetes API server request timeout should not exceed 60 seconds
BETA The Kubernetes API server should only allow explicitly authorized requests
BETA The Kubernetes API server should use a service account public key file for service accounts
BETA The Kubernetes API server should use secure authentication methods and avoid using token-based authentication
BETA The Kubernetes API server should use TLS certificate client authentication
BETA The Kubernetes API server should validate that the service account token exists in etcd
BETA The Kubernetes PKI directories should be owned by root
BETA The scheduler API service should not be bound to non-loopback insecure addresses
BETA The scheduler configuration file ownership should be assigned to root
BETA The scheduler configuration file should only be alterable by owners
BETA The scheduler pod specification file ownership should be assigned to root
BETA The scheduler pod specification file should have permissions of 600 or more restrictive
BETA TLS connections between etcd peers should not use self-signed certificates that are automatically generated
User Attached to a Pod
User Exec into a Pod

Lambda

>

Lambda function should have access to VPC resources in configuration
Lambda function should not be accessible over the public internet
Lambda function should use the latest runtime environment version
Lambda functions should not be configured with a privileged execution role

Meraki

>

Cisco Meraki organization appliance security IDS events

Microsoft 365

>

A Microsoft Teams member was made owner of multiple teams
A new Microsoft 365 application was installed
A new Microsoft Teams app or bot was observed
A potentially malicious file was sent in a Microsoft Teams message
Abnormal successful Microsoft 365 Exchange login event
An external Microsoft Teams member was added then removed
Exchange Online mail forwarding rule enabled
Microsoft 365 Anomalous Amount of Deleted Emails
Microsoft 365 Anomalous Amount of Downloaded files
Microsoft 365 Default or Anonymous user permissions added to mailbox folder
Microsoft 365 eDiscovery content search started
Microsoft 365 eDiscovery search export downloaded
Microsoft 365 Exchange inbox rule set up to automatically forward email
Microsoft 365 Exchange inbox rule set up to hide email
Microsoft 365 Exchange transport rule set up to automatically forward email
Microsoft 365 Full Access delegate permissions added
Microsoft 365 Inbound Connector added or modified
Microsoft 365 mailbox audit logging bypass
Microsoft 365 OneDrive anonymous link created
Microsoft 365 Security and Compliance
Microsoft 365 SendAs permissions added
Microsoft 365 SharePoint object shared with guest
Microsoft 365 Unified Audit Logging Disabled
Multiple Microsoft Teams deleted
Unusual Authentication by Microsoft 365 Azure AD Service Principal

Microsoft Defender For Cloud

>

Microsoft Defender for Cloud

Multi Log Sources

>

Base64 was detected in an http.user_agent or http.referrer
Credential stuffing attack
Log4j Scanner detected in user agent or referrer
Log4Shell Scanning Detected
Potential cryptomining detected through IP callback
Scout Suite user agent observed
Spring RCE post-exploitation activity attempted

Network

>

EC2 instance used for malicious botnet operations

Nginx

>

NGINX HTTP requests from security scanner

Nginx Ingress Controller

>

NGINX ingress controller HTTP requests from security scanner

NPM Based Threat Detection

>

Connection to cryptomining pool
Connection to red team domain
Docker daemon publicly accessible
Egress over IRC port
Egress SSH scanning
Kubernetes API publicly accessible
Redis service publicly accessible
Remote Desktop service publicly accessible
Service exposed using ngrok
SSH service publicly accessible

Okta

>

Malicious authentication attempt detected by Okta ThreatInsight
Multiple Okta push notifications denied
Okta administrator role assigned to user
Okta API Token Created or Enabled
Okta blocked numerous requests from a malicious IP
Okta Identity Provider creation or modification
Okta Impersonation
Okta MFA Bypass Attempted
Okta MFA reset for user
Okta one-time refresh token reused
Okta phishing detection with FastPass origin check
Okta policy rule deleted
Okta User Access Denied to Sign On
Okta User Attempted to Access Unauthorized App
Okta user reported suspicious activity
Okta user's MFA factors reset followed by access to the administrative console

Onelogin

>

OneLogin administrator assumed a user
OneLogin user granted administrative privileges
OneLogin user locked out
OneLogin user viewed secure note

Pan.firewall

>

Palo Alto Networks Firewall - command and control traffic observed
Palo Alto Networks Firewall - crypto mining activity observed

RDS

>

RDS database instance should be encrypted
RDS database instance should be inaccessible over the public internet
RDS database instance should have the 'Auto Minor Version Upgrade' flag enabled
RDS database instance snapshots should not be publicly shared
RDS database instances should use a non-default port

Redshift

>

Logging for Redshift clusters should be enabled
Redshift cluster should not be publicly accessible
Redshift clusters should be allowed to upgrade versions automatically
Redshift clusters should be encrypted
Redshift clusters should use a custom master username
Redshift clusters should use a non-default port for communication
Redshift clusters should use the EC2-VPC platform for better security

Runtime Security Agent

>

Workload executed a binary with cryptomining configuration data
Workload resolved a cryptomining domain

S3

>

Default encryption should be enabled on S3 buckets
S3 bucket ACLs should be restricted from public view
S3 bucket ACLs should block public write actions
S3 bucket contents should only be accessible by authorized principals
S3 bucket objects should not allow public listing via ACL
S3 Bucket Policy should deny HTTP requests
S3 bucket policy should prevent public write access
S3 buckets should have the 'Block Public Access' feature enabled
S3 buckets should have the 'MFA Delete' feature enabled
S3 buckets should have versioning enabled

Salesforce

>

Anomalous amount of Salesforce query results
Anomalous amount of Salesforce records deleted
Credential stuffing attack on Salesforce
Salesforce Brute force attack on user
Salesforce login from disabled account

Signal Sciences

>

Signal Sciences flagged an IP

Slack

>

BETA Microsoft Intune Enterprise MDM disabled for Slack
BETA Slack anomaly event
BETA Slack audit - Enterprise Organization
BETA Slack DLP rule modified
BETA Slack IdP configuration changed
BETA Slack manual export downloaded
BETA Slack SSO setting changed
BETA Slack two factor authentication requirement changed
BETA Slack user role elevated to administrative privileges
BETA Tor client IP address identified in Slack

SNS

>

SNS Topic should have access restrictions set for subscription
SNS Topic should have restrictions set for publishing
SNS Topic should have server-side encryption enabled
SNS topic should not be accessible over the public internet

SQS

>

SQS queue should have server-side encryption
SQS Queue should not be accessible over the public internet

Tailscale

>

BETA Tailscale API access token created
BETA Tailscale device approval configuration disabled
BETA Tailscale security email modified
BETA Tailscale user approval configuration disabled
BETA Tailscale user role updated

Twistlock

>

Container image vulnerability detected
Container violated compliance standards

Vault

>

Vault root token

VPC

>

Ingress traffic to remote administration ports should be restricted
Network ACLs should enforce inbound traffic restrictions
Network ACLs should enforce outbound traffic restrictions
VPC endpoint should restrict public access

Windows

>

Windows Audit Log Cleared
Windows Directory Service Restore Mode password changed
Windows Domain Admin Group Changed
Windows Firewall Disabled
Windows Net command executed to enumerate administrators
Windows User Added to Domain Admin Group

Windows Cloud Workload Security

>

BETA Bitsadmin used to download or execute a file
BETA Certutil used to transmit or decode a file
BETA NTDS file referenced in command line
BETA Process memory dumped using procdump
BETA Process memory dumped using the minidump functions of comsvcs.dll
BETA Scheduled task created
BETA Suspicous ntdsutil usage
BETA WMI used to remotely execute content

Zendesk

>

Zendesk account assumption is enabled
Zendesk API token is created
Zendesk Automatic Redaction is disabled
Zendesk IP restriction settings is disabled
Zendesk user's suspension status is changed