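---
# Panther detection rule: fires when a MongoDB Atlas audit-log configuration
# is changed (eventTypeName AUDIT_LOG_CONFIGURATION_UPDATED). Rule logic lives
# in the companion Python file named under Filename; this document holds the
# rule metadata and its unit-test fixtures.
AnalysisType: rule
Description: "MongoDB logging toggled"
DisplayName: "MongoDB logging toggled"
Enabled: true
Filename: mongodb_logging_toggled.py
# NOTE(review): changes to audit logging are a defense-evasion precursor
# (see the T1562.008 reference below); consider whether Low fits the
# organisation's severity policy — left unchanged here.
Severity: Low
# Impair Defenses: Disable or Modify Cloud Logs.
Reference: https://attack.mitre.org/techniques/T1562/008/
Tests:
  # Negative case: an unrelated event type must not trigger the rule.
  - ExpectedResult: false
    Log:
      created: "2023-06-07 16:57:55"
      currentValue: {}
      eventTypeName: CAT_JUMPED
      id: 6480b7139bd8a012345ABCDE
      isGlobalAdmin: false
      links:
        - href: https://cloud.mongodb.com/api/atlas/v1.0/orgs/12345xyzlmnce4f17d6e8e130/events/6480b7139bd8a012345ABCDE
          rel: self
      orgId: 12345xyzlmnce4f17d6e8e130
      p_event_time: "2023-06-07 16:57:55"
      # NOTE(review): both fixtures carry p_log_type MongoDB.OrganizationEvent
      # while LogTypes at the bottom subscribes to MongoDB.ProjectEvent —
      # confirm which log type actually delivers AUDIT_LOG_CONFIGURATION_UPDATED
      # and align the two.
      p_log_type: MongoDB.OrganizationEvent
      p_parse_time: "2023-06-07 17:04:42.59"
      p_row_id: ea276b16216684d9e198c0d0188a3d
      p_schema_version: 0
      p_source_id: 7c3cb124-9c30-492c-99e6-46518c232d73
      p_source_label: MongoDB
      remoteAddress: 1.2.3.4
      targetUsername: insider@company.com
      userId: 647f654f93bebc69123abc1
      username: user@company.com
    Name: Random event
  # Positive case: an audit-log configuration update must trigger the rule.
  - ExpectedResult: true
    Log:
      created: "2023-06-07 16:57:55"
      # currentValue is empty in this fixture, so the test exercises only the
      # event type match; it does not show whether logging was enabled or
      # disabled (the rule title says "toggled", i.e. both directions).
      currentValue: {}
      eventTypeName: AUDIT_LOG_CONFIGURATION_UPDATED
      id: 6480b7139bd8a012345ABCDE
      isGlobalAdmin: false
      links:
        - href: https://cloud.mongodb.com/api/atlas/v1.0/orgs/12345xyzlmnce4f17d6e8e130/events/6480b7139bd8a012345ABCDE
          rel: self
      orgId: 12345xyzlmnce4f17d6e8e130
      p_event_time: "2023-06-07 16:57:55"
      p_log_type: MongoDB.OrganizationEvent
      p_parse_time: "2023-06-07 17:04:42.59"
      p_row_id: ea276b16216684d9e198c0d0188a3d
      p_schema_version: 0
      p_source_id: 7c3cb124-9c30-492c-99e6-46518c232d73
      p_source_label: MongoDB
      remoteAddress: 1.2.3.4
      targetUsername: insider@company.com
      userId: 647f654f93bebc69123abc1
      username: user@company.com
    Name: Logging toggled
# Alerts for the same dedup key are grouped for one hour.
DedupPeriodMinutes: 60
LogTypes:
  - MongoDB.ProjectEvent
RuleID: "MongoDB.Logging.Toggled"
# A single matching event is enough to alert.
Threshold: 1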