From 202111a306981d3512f62f6cc80bf9842409c296 Mon Sep 17 00:00:00 2001 From: John Pipkin Date: Mon, 23 Dec 2024 15:55:40 -0600 Subject: [PATCH 1/3] Update standard match list --- .../standard-match-lists.md | 112 +++++------------- 1 file changed, 31 insertions(+), 81 deletions(-) diff --git a/docs/cse/match-lists-suppressed-lists/standard-match-lists.md b/docs/cse/match-lists-suppressed-lists/standard-match-lists.md index 290ca59746..0fc3486e96 100644 --- a/docs/cse/match-lists-suppressed-lists/standard-match-lists.md +++ b/docs/cse/match-lists-suppressed-lists/standard-match-lists.md @@ -92,7 +92,6 @@ Assign the _userGroup tag to users accounts known to be involved with specific **Description:** Accounts that are known to be involved with specific administrative or privileged activity. The following Cloud SIEM rules refer to this match list: - * Windows - Excessive User Interactive Logons Across Multiple Hosts ### admin_ips @@ -102,7 +101,6 @@ The following Cloud SIEM rules refer to this match list: **Description:** Hosts that are known to be involved with specific administrative or privileged activity on the network. Can be used for tracking hosts that are operated by admins and other privileged users, or are often the source of restricted, privileged or suspicious authorized actions, and so on. This sort of tracking is useful for baselining activity and as a result, surfacing more suspicious activity. The following Cloud SIEM rules refer to this match list: - * PowerShell Remote Administration * PsExec Admin Tool Detection * SMB write to admin hidden share 
@@ -114,7 +112,6 @@ The following Cloud SIEM rules refer to this match list: **Description:** Users that are known to be involved with specific administrative or privileged activity. The following Cloud SIEM rules refer to this match list: - * Lateral Movement Using the Windows Hidden Admin Share * Outlier in Data Outbound Per Day by Admin or Sensitive Device * Outlier in Data Outbound Per Hour by Admin or Sensitive Device @@ -126,7 +123,6 @@ The following Cloud SIEM rules refer to this match list: **Description:** IPs that are known to be involved with specific administrative or privileged activity on the network. The following Cloud SIEM rules refer to this match list: - * Alibaba ActionTrail KMS Activity ### Alibaba_admin_users @@ -136,7 +132,6 @@ The following Cloud SIEM rules refer to this match list: **Description:** Users that are known to be involved with specific administrative or privileged activity on the network. The following Cloud SIEM rules refer to this match list: - * Alibaba ActionTrail KMS Activity ### auth_servers @@ -146,7 +141,6 @@ The following Cloud SIEM rules refer to this match list: **Description:** Network authentication servers, including Active Directory, LDAP, Kerberos, RADIUS/TACACS, and NIS servers. May be used in analytics designed to detect [DCSync](https://attack.mitre.org/techniques/T1003/006/) attacks. The following Cloud SIEM rules refer to this match list: - * DNS Lookup of High Entropy Domain ### authorized_third_party_domains 
@@ -166,7 +160,6 @@ The following Cloud SIEM rules refer to this match list: **Description:** Hosts that are known to be involved with specific administrative or privileged activity in AWS. Can be used for tracking hosts that are operated by admins and other privileged users, or are often the source of restricted, privileged or suspicious authorized actions, and so on. This sort of tracking is useful for baselining activity and as a result, surfacing more suspicious activity. The following Cloud SIEM rules refer to this match list: - * AWS Cloud Storage Deletion * AWS CloudTrail - Aggressive Reconnaissance * AWS CloudTrail - Database Snapshot Created @@ -209,7 +202,6 @@ The following Cloud SIEM rules refer to this match list: **Description:** Users that are known to be involved with specific administrative or privileged activity in AWS. Can be used for tracking users that are admins and other privileged users, or are often the source of restricted, privileged or suspicious authorized actions, and so on. This sort of tracking is useful for baselining activity and as a result, surfacing more suspicious activity. The following Cloud SIEM rules refer to this match list: - * AWS Cloud Storage Deletion * AWS CloudTrail - Aggressive Reconnaissance * AWS CloudTrail - Database Snapshot Created @@ -252,14 +244,10 @@ The following Cloud SIEM rules refer to this match list: **Description:** Remote ASNs supporting business processes. The following Cloud SIEM rules refer to this match list: - * Domain Resolution in Non-Standard TLD * Executable Downloaded - Content-Type Mismatch * HTTP Request to Domain in Non-Standard TLD * Threat Intel Match - IP Address -* Threat Intel - Matched Domain Name -* Threat Intel - Device IP Matched Threat Intel Domain Name -* Threat Intel - Device IP Matched Threat Intel URL ### business_domains 
@@ -270,12 +258,10 @@ The following Cloud SIEM rules refer to this match list: *Domain* matches against the `domain` field, not the FQDN (i.e. hostname or query), so *example.com* is a valid entry is but *www.example.com* is not. The following Cloud SIEM rules refer to this match list: - * Bitsadmin to Uncommon TLD * Connection to High Entropy Domain * DNS DGA Lookup Behavior - NXDOMAIN Responses * DNS Lookup of High Entropy Domain -* DNS query for dynamic DNS provider * Domain Resolution in Non-Standard TLD * Executable Downloaded - Content-Type Mismatch * HTTP External Request to PowerShell Extension @@ -287,8 +273,6 @@ The following Cloud SIEM rules refer to this match list: * SSH Interesting Hostname Login * Script/CLI UserAgent string * Threat Intel Match - IP Address -* Threat Intel - Matched Domain Name -* Threat Intel - Device IP Matched Threat Intel Domain Name * Threat Intel - Device IP Matched Threat Intel URL ### business_hostnames @@ -298,7 +282,6 @@ The following Cloud SIEM rules refer to this match list: **Description:** DNS hostnames that are known to be business-related FQDNs. The following Cloud SIEM rules refer to this match list: - * Bitsadmin to Uncommon TLD * Connection to High Entropy Domain * DNS DGA Lookup Behavior - NXDOMAIN Responses @@ -315,11 +298,11 @@ The following Cloud SIEM rules refer to this match list: * SSH Interesting Hostname Login * Script/CLI UserAgent string * Threat Intel Match - IP Address -* VBS file downloaded from Internet -* Web Request to Punycode Domain * Threat Intel - Matched Domain Name * Threat Intel - Device IP Matched Threat Intel Domain Name * Threat Intel - Device IP Matched Threat Intel URL +* VBS file downloaded from Internet +* Web Request to Punycode Domain ### business_ips 
@@ -328,7 +311,6 @@ The following Cloud SIEM rules refer to this match list: **Description:** Remote IP addresses supporting business processes. Can be used for things like SSH servers for SFTP file exchanges (similarly, FTP servers). The following Cloud SIEM rules refer to this match list: - * Bitsadmin to Uncommon TLD * Connection to High Entropy Domain * Domain Resolution in Non-Standard TLD @@ -343,10 +325,8 @@ The following Cloud SIEM rules refer to this match list: * SSH Interesting Hostname Login * Script/CLI UserAgent string * Threat Intel Match - IP Address -* Web Request to IP Address -* Threat Intel - Matched Domain Name -* Threat Intel - Device IP Matched Threat Intel Domain Name * Threat Intel - Device IP Matched Threat Intel URL +* Web Request to IP Address ### dns_servers @@ -355,7 +335,6 @@ The following Cloud SIEM rules refer to this match list: **Description:** DNS caching resolvers/authoritative content servers in customer environments. The following Cloud SIEM rules refer to this match list: - * Direct Outbound DNS Traffic * Possible DNS over TLS (DoT) Activity * Too many empty/refused DNS queries @@ -367,14 +346,14 @@ The following Cloud SIEM rules refer to this match list: **Description:** Domain controller IPs. The following Cloud SIEM rules refer to this match list: - * Brute Force Attempt * Domain Brute Force Attempt * Domain Password Attack * First Seen Anonymous Logon Change Activity to Domain Controller * Outlier in Data Outbound Per Day by Admin or Sensitive Device * Outlier in Data Outbound Per Hour by Admin or Sensitive Device -* Password Attack +* Password Attack from Host +* Password Attach from IP * Spike in Login Failures from a User * Successful Brute Force @@ -385,7 +364,6 @@ The following Cloud SIEM rules refer to this match list: **Description:** Domain controller hostnames. The following Cloud SIEM rules refer to this match list: - * Interactive Logon to Domain Controller * Suspicious DC Logon 
@@ -396,7 +374,6 @@ The following Cloud SIEM rules refer to this match list: **Description:** Known account names that utilize downgraded encryption types with multiple SPNs. This is an exception match list that should be populated with a list of Kerberos principal names (for example, jdoe@EXAMPLE.COM) matched in endpoint username that are known to trigger content around legacy downgraded encryption types. This is directly related to the detection of [*Kerberoasting*](https://attack.mitre.org/techniques/T1208/) attacks. The following Cloud SIEM rules refer to this match list: - * First Seen Kerberoasting Attempt from User - Global * First Seen Kerberoasting Attempt from User - Host * Too Many Kerberos Encryption Downgrade SPNs (Kerberoasting) @@ -420,9 +397,7 @@ none **Description:** Authorized domains. The following Cloud SIEM rules refer to this match list: - * Connection to High Entropy Domain -* DNS query for dynamic DNS provider * HTTP request for single character file name * Possible DNS Data Exfiltration @@ -433,9 +408,7 @@ The following Cloud SIEM rules refer to this match list: **Description:** Authorized hostnames. The following Cloud SIEM rules refer to this match list: - * Connection to High Entropy Domain -* DNS query for dynamic DNS provider * HTTP request for single character file name * Possible DNS Data Exfiltration @@ -456,7 +429,6 @@ none **Description:** Users or hosts that are known to be involved with specific administrative or privileged activity in GCP. Can be used for tracking users or hosts that are admins and other privileged users, or are often the source of restricted, privileged or suspicious authorized actions, and so on. This sort of tracking is useful for baselining activity and as a result, surfacing more suspicious activity. The following Cloud SIEM rules refer to this match list: - * GCP Audit Cloud SQL Database Modified * GCP Audit GCE Firewall Rule Modified * GCP Audit GCE Network Route Created or Modified 
@@ -480,7 +452,6 @@ The following Cloud SIEM rules refer to this match list: **Description:** Hosts that are known to be involved with specific administrative or privileged activity in GCP. Can be used for tracking hosts that are operated by admins and other privileged users, or are often the source of restricted, privileged or suspicious authorized actions, and so on. This sort of tracking is useful for baselining activity and as a result, surfacing more suspicious activity. The following Cloud SIEM rules refer to this match list: - * GCP Image Creation * GCP Image Deletion * GCP Image Discovery @@ -497,7 +468,6 @@ The following Cloud SIEM rules refer to this match list: **Description:** Users that are known to be involved with specific administrative or privileged activity in GCP. Can be used for tracking users that are admins and other privileged users, or are often the source of restricted, privileged or suspicious authorized actions, and so on. This sort of tracking is useful for baselining activity and as a result, surfacing more suspicious activity. The following Cloud SIEM rules refer to this match list: - * GCP Image Creation * GCP Image Deletion * GCP Image Discovery @@ -514,7 +484,6 @@ The following Cloud SIEM rules refer to this match list: **Description:** Hosts that are known to be involved with specific administrative or privileged activity in Google Workspace. Can be used for tracking hosts that are operated by admins and other privileged users, or are often the source of restricted, privileged or suspicious authorized actions, and so on. This sort of tracking is useful for baselining activity and as a result, surfacing more suspicious activity. The following Cloud SIEM rule refers to this match list: - * G Suite - Admin Activity ### Google_Workspace_admin_users 
@@ -524,7 +493,6 @@ The following Cloud SIEM rule refers to this match list: **Description:** Users that are known to be involved with specific administrative or privileged activity in Google Workspace. Can be used for tracking users that are admins and other privileged users, or are often the source of restricted, privileged or suspicious authorized actions, and so on. This sort of tracking is useful for baselining activity and as a result, surfacing more suspicious activity. The following Cloud SIEM rule refers to this match list: - * G Suite - Admin Activity ### guest_networks @@ -534,7 +502,6 @@ The following Cloud SIEM rule refers to this match list: **Description:** Known guest WLAN and other guests/BYOD network addresses. The following Cloud SIEM rules refer to this match list: - * Base32 in DNS Query * Bitsadmin to Uncommon TLD * Connection to High Entropy Domain @@ -550,12 +517,12 @@ The following Cloud SIEM rules refer to this match list: * Possible DNS Data Exfiltration * Possible DNS over TLS (DoT) Activity * RDP Error Messages +* Script/CLI UserAgent string * SMB write to hidden admin share * SQL Injection Attacker * SQL Injection Victim * SQL-Select-From * SSH Interesting Hostname Login -* Script/CLI UserAgent string * Web Request to IP Address * Web Request to Punycode Domain @@ -566,7 +533,6 @@ The following Cloud SIEM rules refer to this match list: **Description:** List of IPs for Honeypots. The following Cloud SIEM rules refer to this match list: - * Traffic to Honeypot IP ### http_servers 
@@ -576,9 +542,17 @@ The following Cloud SIEM rules refer to this match list: **Description:** Web servers in your environment. The following Cloud SIEM rules refer to this match list: - * Spike in URL Length from IP Address +### known_docker_images + +**Target column:** Source IP Address (`SrcIp`) + +**Description:** Hosts that are known to be involved with specific administrative or privileged activity in Docker. + +The following Cloud SIEM rules refer to this match list: +* Unrecognized Container Image + ### lan_scanner_exception_ips **Target column:** IP Address (`Ip`) @@ -586,13 +560,10 @@ The following Cloud SIEM rules refer to this match list: **Description:** IP addresses excepted from analytics identifying LAN protocol scanning activity. Used in specific cases to exclude hosts from flagging particular types of rule content, primarily around scanning of commonly targeted LAN service ports, etc. Not an across-the-board allowlist. This match list is not intended for vulnerability scanners, which should be listed instead in vuln scanners. Examples of hosts that are suited for this match list: - * Telephony server that pushes content to deployed softphones over SMB/CIFS - * Data security audit software that connects to SMB shares The following Cloud SIEM rules refer to this match list: - * Amazon VPC - Network Scan * Amazon VPC - Port Scan * Excessive Outbound Firewall Blocks @@ -615,7 +586,6 @@ The following Cloud SIEM rules refer to this match list: **Description:** Source NAT addresses. Can be used as an exception match list to block content relying on the evaluation of data per-host from applying to hosts that are translated or aggregations of other hosts. Note that this can also be applied using [proxy_servers](#proxy_servers) as an example of a specific case. The following Cloud SIEM rules refer to this match list: - * DNS DGA Lookup Behavior - NXDOMAIN Responses ### nms_ips 
@@ -629,7 +599,6 @@ Hosts known to be Network Management System (NMS) nodes. Can be used as an exception match list for systems that connect to other hosts in environment for purposes of management, monitoring, and so on. The following Cloud SIEM rules refer to this match list: - * Amazon VPC - Network Scan * Amazon VPC - Port Scan * GCP Port Scan @@ -647,8 +616,17 @@ The following Cloud SIEM rules refer to this match list: **Description:** Users that are known to be involved with specific administrative or privileged activity. The following Cloud SIEM rules refer to this match list: - * Okta Admin App Accessed +* Okta - First Seen user Accessing Admin Application + +### OneLogin_Untrusted_Location + +**Target column:** Username (`Username`) + +**Description:** Users that are known to be involved with specific administrative or privileged activity. + +The following Cloud SIEM rules refer to this match list: +* OneLogin - API Credentials - Key Used from Untrusted Location ### palo_alto_sinkhole_ips @@ -669,7 +647,6 @@ None **Description:** Forward proxy servers, including HTTP and SOCKS proxies. The following Cloud SIEM rules refer to this match list: - * Amazon VPC - Network Scan * Amazon VPC - Port Scan * DNS DGA Lookup Behavior - NXDOMAIN Responses @@ -689,7 +666,6 @@ The following Cloud SIEM rules refer to this match list: **Description:** Copy of the [proxy_servers](#proxy_servers) match list for directional matches. The following Cloud SIEM rules refer to this match list: - * Bitsadmin to Uncommon TLD * Excessive Outbound Firewall Blocks * Executable Downloaded - Content-Type Mismatch @@ -732,7 +708,6 @@ none **Description:** Public Ip Addresses. The following Cloud SIEM rules refer to this match list: - * Doublepulsar scan - likely not infected * Likely doublepulsar Infected 
@@ -743,7 +718,6 @@ The following Cloud SIEM rules refer to this match list: **Description:** Hosts that are known to be involved with specific administrative or privileged activity in Salesforce. Can be used for tracking hosts that are operated by admins and other privileged users, or are often the source of restricted, privileged or suspicious authorized actions, and so on. This sort of tracking is useful for baselining activity and as a result, surfacing more suspicious activity. The following Cloud SIEM rules refer to this match list: - * Salesforce Custom Permission Creation * Salesforce Excessive Documents Downloaded * Salesforce LoginAs Event @@ -765,7 +739,6 @@ The following Cloud SIEM rules refer to this match list: **Description:** Users that are known to be involved with specific administrative or privileged activity in Salesforce. Can be used for tracking users that are admins and other privileged users, or are often the source of restricted, privileged or suspicious authorized actions, and so on. This sort of tracking is useful for baselining activity and as a result, surfacing more suspicious activity. The following Cloud SIEM rules refer to this match list: - * Salesforce Custom Permission Creation * Salesforce Excessive Documents Downloaded * Salesforce LoginAs Event @@ -787,7 +760,6 @@ The following Cloud SIEM rules refer to this match list: **Description:** Malware sandboxes or security devices interacting with malicious infrastructure. The following Cloud SIEM rules refer to this match list: - * Threat Intel Match - IP Address * Threat Intel - Matched Domain Name * Threat Intel - Device IP Matched Threat Intel Domain Name @@ -840,7 +812,6 @@ none **Description:** SSL exception IPs. The following Cloud SIEM rules refer to this match list: - * SSL Certificate Expired * SSL Certificate Expires Soon * SSL Certificate Not Valid Yet 
@@ -863,14 +834,8 @@ none **Description:** A record flagged an IP address from a threat intelligence match list. The following Cloud SIEM rules refer to this match list: - -* Threat Intel - Successful Authentication from Threat IP * Threat Intel Match - IP Address -* Threat Intel - Inbound Traffic Context -* Threat Intel - Matched File Hash -* Threat Intel - Matched Domain Name -* Threat Intel - Device IP Matched Threat Intel Domain Name -* Threat Intel - Device IP Matched Threat Intel URL +* Threat Intel - Successful Authentication from Threat IP ### unauthorized_external_media @@ -879,7 +844,6 @@ The following Cloud SIEM rules refer to this match list: **Description:** A list of devices that should not have external media installed on them. The following Cloud SIEM rules refer to this match list: - * Unauthorized External Device Installation ### verified_applications @@ -889,7 +853,6 @@ The following Cloud SIEM rules refer to this match list: **Description:** Reviewed and validated legitimate or non-threat applications. The following Cloud SIEM rules refer to this match list: - * Lateral Movement Using the Windows Hidden Admin Share ### verified_domains @@ -899,12 +862,10 @@ The following Cloud SIEM rules refer to this match list: **Description:** Reviewed and validated legitimate or non-threat domains. The following Cloud SIEM rules refer to this match list: - * Base32 in DNS Query * Bitsadmin to Uncommon TLD * Connection to High Entropy Domain * DNS Lookup of High Entropy Domain -* DNS query for dynamic DNS provider * Domain Resolution in Non-Standard TLD * Executable Downloaded - Content-Type Mismatch * HTTP External Request to PowerShell Extension 
@@ -916,8 +877,6 @@ The following Cloud SIEM rules refer to this match list: * SSH Interesting Hostname Login * Script/CLI UserAgent string * Threat Intel Match - IP Address -* Threat Intel - Matched Domain Name -* Threat Intel - Device IP Matched Threat Intel Domain Name * Threat Intel - Device IP Matched Threat Intel URL ### verified_hostnames @@ -927,11 +886,9 @@ The following Cloud SIEM rules refer to this match list: **Description:** Reviewed and validated legitimate or non-threat hostnames. The following Cloud SIEM rules refer to this match list: - * Bitsadmin to Uncommon TLD * Connection to High Entropy Domain * DNS Lookup of High Entropy Domain -* DNS query for dynamic DNS provider * Domain Resolution in Non-Standard TLD * Executable Downloaded - Content-Type Mismatch * HTTP External Request to PowerShell Extension @@ -942,10 +899,10 @@ The following Cloud SIEM rules refer to this match list: * Request to Anomalous Web Server Software * SSH Interesting Hostname Login * Script/CLI UserAgent string -* Threat Intel Match - IP Address -* Threat Intel - Matched Domain Name * Threat Intel - Device IP Matched Threat Intel Domain Name * Threat Intel - Device IP Matched Threat Intel URL +* Threat Intel Match - IP Address +* Threat Intel - Matched Domain Name * Web Request to Punycode Domain ### verified_ips @@ -955,13 +912,11 @@ The following Cloud SIEM rules refer to this match list: **Description:** Reviewed and validated legitimate or non-threat ips. The following Cloud SIEM rules refer to this match list: - * Domain Resolution in Non-Standard TLD * HTTP Request to Domain in Non-Standard TLD -* Threat Intel Match - IP Address -* Threat Intel - Matched Domain Name * Threat Intel - Device IP Matched Threat Intel Domain Name * Threat Intel - Device IP Matched Threat Intel URL +* Threat Intel Match - IP Address * Web Request to IP Address ### verified_uri_ips 
@@ -971,7 +926,6 @@ The following Cloud SIEM rules refer to this match list: **Description:** Reviewed and validated legitimate or non-threat IP addresses. The following Cloud SIEM rules refer to this match list: - * Executable Downloaded - Content-Type Mismatch ### verified_uri_paths @@ -985,7 +939,6 @@ This is a shared match list that should be imported into target environments. Match list items have a TTL specified that will result in the items having an expiration date set in the future. The following Cloud SIEM rules refer to this match list: - * Executable Downloaded - Content-Type Mismatch * HTTP Request to Domain in Non-Standard TLD @@ -1016,7 +969,6 @@ none **Description:** Vulnerability scanner and network mapping hosts. The following Cloud SIEM rules refer to this match list: - * Amazon VPC - Network Scan * Amazon VPC - Port Scan * Base32 in DNS Query @@ -1026,7 +978,6 @@ The following Cloud SIEM rules refer to this match list: * Critical Severity Intrusion Signature * DNS DGA Lookup Behavior - NXDOMAIN Responses * DNS Lookup of High Entropy Domain -* DNS query for dynamic DNS provider * Directory Traversal - Successful * Directory Traversal - Unsuccessful * Domain Brute Force Attempt @@ -1053,7 +1004,8 @@ The following Cloud SIEM rules refer to this match list: * Low Severity Intrusion Signature * Medium Severity Intrusion Signature * Noncompliant Protocol Tunnel Over Common Service Port -* Password Attack +* Password Attack from Host +* Password Attack from IP * Port Scan - Internal * Possible DNS Data Exfiltration * RDP Error Messages @@ -1081,7 +1033,6 @@ The following Cloud SIEM rules refer to this match list: **Description:** List of webserver hostnames or IPs. The following Cloud SIEM rules refer to this match list: - * Web Servers Executing Suspicious Processes ### zoom_admins 
@@ -1091,7 +1042,6 @@ The following Cloud SIEM rules refer to this match list: **Description:** Known admin users of Zoom. The following Cloud SIEM rules refer to this match list: - * Zoom - Account Created * Zoom - Account Deleted * Zoom - Group Admin Added From af5401403d9f46faed076e3ac6d79f2395cd4e02 Mon Sep 17 00:00:00 2001 From: John Pipkin Date: Mon, 23 Dec 2024 16:21:55 -0600 Subject: [PATCH 2/3] Updates --- docs/cse/match-lists-suppressed-lists/standard-match-lists.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/cse/match-lists-suppressed-lists/standard-match-lists.md b/docs/cse/match-lists-suppressed-lists/standard-match-lists.md index 0fc3486e96..e1b5691396 100644 --- a/docs/cse/match-lists-suppressed-lists/standard-match-lists.md +++ b/docs/cse/match-lists-suppressed-lists/standard-match-lists.md @@ -546,9 +546,9 @@ The following Cloud SIEM rules refer to this match list: ### known_docker_images -**Target column:** Source IP Address (`SrcIp`) +**Target column:** Username (`Username`) -**Description:** Hosts that are known to be involved with specific administrative or privileged activity in Docker. +**Description:** Unrecognized Docker container images that may indicate an attempt to bypass security controls on existing images or escalate privileges. The following Cloud SIEM rules refer to this match list: * Unrecognized Container Image From 4ab955a5dd91b4fa99ab565441b8ea3cc05f26c6 Mon Sep 17 00:00:00 2001 From: John Pipkin Date: Fri, 27 Dec 2024 09:04:07 -0600 Subject: [PATCH 3/3] Updates from review --- .../match-lists-suppressed-lists/standard-match-lists.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/cse/match-lists-suppressed-lists/standard-match-lists.md b/docs/cse/match-lists-suppressed-lists/standard-match-lists.md index e1b5691396..2cc77f62c6 100644 --- a/docs/cse/match-lists-suppressed-lists/standard-match-lists.md +++ b/docs/cse/match-lists-suppressed-lists/standard-match-lists.md 
@@ -548,7 +548,7 @@ The following Cloud SIEM rules refer to this match list: **Target column:** Username (`Username`) -**Description:** Unrecognized Docker container images that may indicate an attempt to bypass security controls on existing images or escalate privileges. +**Description:** Known approved Docker images that act as a whitelist. If an image is identified that is not on this list, further investigation is warranted. If approved images are identified they should be added to this list. The following Cloud SIEM rules refer to this match list: * Unrecognized Container Image @@ -621,9 +621,9 @@ The following Cloud SIEM rules refer to this match list: ### OneLogin_Untrusted_Location -**Target column:** Username (`Username`) +**Target column:** IP Address (`Ip`) -**Description:** Users that are known to be involved with specific administrative or privileged activity. +**Description:** Locations that are known to be untrusted. The following Cloud SIEM rules refer to this match list: * OneLogin - API Credentials - Key Used from Untrusted Location
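Review bot: Typo in the domain_controllers hunk of patch 1/3 (`@@ -367,14 +346,14 @@`): the added line `* Password Attach from IP` should read `* Password Attack from IP`, matching its companion `* Password Attack from Host` and the identical pair added to the vuln_scanners list later in the same patch (`@@ -1053,7 +1004,8 @@`). These entries are meant to be looked up as rule titles in Cloud SIEM, so a misspelled name points readers at a rule that does not exist.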
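Review bot: The known_docker_images section is still internally inconsistent after patch 3/3 (`@@ -548,7 +548,7 @@`): the description now says the list holds approved Docker image names, but the target column set in patch 2/3 remains `Username (`Username`)`, and patch 1/3 had it as `Source IP Address (`SrcIp`)`. Confirm which field the `Unrecognized Container Image` rule actually compares against and state that column, as the other sections do. Also prefer `allowlist` over `whitelist` in the new description; the file already uses `allowlist` in the lan_scanner_exception_ips section (`Not an across-the-board allowlist`), and a comma after `If approved images are identified` would help the last sentence.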
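Review bot: Patch 3/3 (`@@ -621,9 +621,9 @@`) correctly replaces the OneLogin_Untrusted_Location description that patch 1/3 (`@@ -647,8 +616,17 @@`) had copied verbatim from the Okta admin-users section, but the replacement `Locations that are known to be untrusted.` is still vaguer than its neighbours. With the target column now `IP Address (`Ip`)`, say that an entry is an IP address, the way honeypot_ips (`List of IPs for Honeypots`) and ssl_exception_ips (`SSL exception IPs`) do, so readers know what to populate.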
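Review bot: In the Okta hunk of patch 1/3 (`@@ -647,8 +616,17 @@`), the added rule name `Okta - First Seen user Accessing Admin Application` has a lowercase `user` while every other rule title in the file is title-cased (`First Seen Kerberoasting Attempt from User - Global`, `Spike in Login Failures from a User`). Verify the exact title of the rule in Cloud SIEM and match it character for character, since these names are what readers search for.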
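Review bot: Patch 1/3 drops the blank line between `The following Cloud SIEM rules refer to this match list:` and the bullet list in every section, and the two new sections follow the same layout. CommonMark allows a bullet list to interrupt a paragraph, so this still renders as a list, but it is a deliberate change to the file's layout that the commit message `Update standard match list` does not mention, and it should be stated. The lan_scanner_exception_ips hunk (`@@ -586,13 +560,10 @@`) also removes the blank lines between the two items under `Examples of hosts that are suited for this match list:`, which turns that loose list into a tight one; check that the rendered spacing there is what was intended.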
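Review bot: The reordering of the Threat Intel entries in patch 1/3 is not applied consistently. In the business_hostnames hunk (`@@ -315,11 +298,11 @@`) the four entries end up as `Threat Intel Match - IP Address`, `Threat Intel - Matched Domain Name`, `Threat Intel - Device IP Matched Threat Intel Domain Name`, `Threat Intel - Device IP Matched Threat Intel URL`, whereas the verified_hostnames hunk (`@@ -942,10 +899,10 @@`) moves `Threat Intel Match - IP Address` and `Threat Intel - Matched Domain Name` below the two `Device IP` entries, and verified_ips (`@@ -955,13 +912,11 @@`) uses a third arrangement. Case handling differs too: the guest_networks hunk (`@@ -550,12 +517,12 @@`) moves `Script/CLI UserAgent string` above `SMB write to hidden admin share` (case-insensitive order), while business_hostnames and the verified_* sections keep it after `SSH Interesting Hostname Login` (ASCII order). Pick one sort rule and apply it in every list touched by the patch.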