Cloud Data Exfiltration IOMs
This query outputs all identified indicators of misconfigurations (IOMs) related to data exfiltration.
Cloud monitoring | FDR | intermediate | by CrowdStrike (cql-hub.com) | 1 min read
Query
| #repo=base_sensor "event-type" = "cspm_policy_*" vertex_type=ioa
// Translate the numerical severity to the severity name
| case {
    policy_severity = 0 | Severity := "Critical"
  ; policy_severity = 1 | Severity := "High"
  ; policy_severity = 2 | Severity := "Medium"
  ; policy_severity = 3 | Severity := "Informational"
  ; * | Severity := format("Unknown (%s)", field=policy_severity)
  }
// Keep only events whose service field is Identity
| service = Identity
// Format cloud_provider as a display name
| case {
    cloud_provider = "aws" | Provider := "AWS"
  ; cloud_provider = "azure" | Provider := "Azure"
  ; cloud_provider = "gcp" | Provider := "GCP"
  ; * | Provider := upper(cloud_provider)
  }
// Join the attack_types array into a single newline-separated string
| "Attack types" := concatArray("attack_types", separator="\n")
// Combine the MITRE ATT&CK tactic and technique into one display field
| "Tactic and technique" := format("%s via %s", field=[mitre_attack_tactic, mitre_attack_technique])
// One row per policy: the number of distinct detection timestamps and the most recent one
| groupBy(
    [policy_id, Severity, Provider, cloud_service_friendly, policy_statement, policy_description, "Tactic and technique", "Attack types"]
  , limit=max
  , function=[
      count(@timestamp, distinct=true, as=Detections)
    , { max(@timestamp, as="Last detection") | "Last detection" := formatTime("%F %T %Z", field="Last detection") }
    ]
  )
// Keep only policies tagged with data exfiltration. Caveat: this is an exact match on the
// joined "Attack types" string, so a policy carrying several attack types is not matched.
| "Attack types" = "Data Exfiltration"

Explanation
Imported from cql-hub.com.
Variables to adjust
Review and adjust the values to fit your environment.