Evident Updates - August 8, 2018

Created On 09/26/18 13:44 PM - Last Modified 07/19/22 23:07 PM


Resolution


The following updates are scheduled to take effect on the Evident service on 8/8/2018:

 

Enhancements

  • New Signature: AWS:KMS-004 - KMS External CMK Expires in 30 Days 
    Description: Automatic key rotation is available on all customer managed CMKs with KMS-generated key material. It is not available for CMKs that have imported key material (the value of the Origin field is External). This signature alerts you if your imported/external CMK is expiring in 30 days or less. 

  • New Signature: AWS:IAM-022 - IAM SSH Key Older Than 90 Days Detected 
    Description: This signature scans all of your IAM SSH public keys to verify that they are rotated on a regular basis in order to protect your AWS CodeCommit repositories. A FAIL alert is generated if a key is older than 90 days. 

  • New Signature: AWS:ELB-015 - ALB Access Log Not Enabled  
    Description: This signature scans all of your AWS Application Load Balancers to ensure that access logging is enabled and returns a FAIL alert if it is not. 

  • New Signature: AWS:ELB-013 - ELB Access Log Not Enabled 
    Description: This signature scans all of your AWS Classic Elastic Load Balancers to ensure that access logging is enabled and returns a FAIL alert if it is not. 

  • New Signature: AWS:EC-001 - ElastiCache Cluster Not in VPC   
    Description: This signature scans your ElastiCache clusters to ensure they are provisioned within a VPC and returns a FAIL alert if they are not. 

  • New Signature: AWS:CLT-007 - Cloudtrail S3 Logging Not Enabled 
    Description: This signature scans your S3 CloudTrail bucket to verify that you have S3 CloudTrail logging enabled and returns a FAIL alert if it is not. 

  • New Signature: AWS:CFM-003 - CFN Stack Termination Protection Not Enabled 
    Description: This signature scans to ensure that you have termination protection enabled on your stacks and returns a FAIL alert if one is found without it.
     

  • New Signature: AWS:ACM-001 - ACM SSL Certificates Expires in 30 Days 
    Description: This signature scans for expiring ACM SSL certificates and returns a FAIL alert if any will expire within 30 days. 

  • New Signature: AWS:LAMBDA-004 - Lambda Limits 
    Description: This signature scans each region you have Lambda functions in, and if the combined code size of your Lambda functions is approaching capacity (more than 90% of your limit), a FAIL alert is generated. 

  • New Signature: AZU:KV-001 - Key Vault Audit Logging Not Enabled 
    Description: It is recommended to enable Azure Key Vault logging to get visibility into how and when the key vaults are accessed, modified, and by whom. This signature verifies that Azure Key Vault logging is enabled and returns a FAIL alert if it is not. 

  • New Signature: AZU:SC-001 - SQL Encryption Policy is Not Enabled 
    Description: It is recommended that encryption at rest is enabled for your Azure SQL Database, associated backups, and transaction log files. If SQL Encryption policy is not enabled, then this signature generates a FAIL alert. 

  • New Signature: AZU:NET-010 - TLS v1.2 on Application Gateways 
    Description: This signature scans all custom SSL connections to ensure that the MinProtocolVersion is set to TLSv1_2 (or that the predefined AppGwSslPolicy20170401S SSL policy is used). If the signature finds a custom SSL connection that does not meet these conditions, it returns a FAIL alert. 

  • New Signature:  AZU:NET-009 - Load Balancer Diagnostic Logs Not Enabled 
    Description: This signature scans to ensure that all of your resources have diagnostic logs with Alert Events and Health Status enabled and returns a FAIL alert if any are found without it. 

  • New Signature: AZU:KV-003 - Key Vault Secret is Scheduled to Expire 
    Description: Key Vault secrets should be rotated periodically, and as such each Key Vault secret should be scheduled for expiration. This signature searches for Key Vault secret instances and generates a FAIL alert for each secret that is not scheduled to expire.
     

  • New Signature: AZU:KV-002 - Key Vault Key is Not Scheduled to Expire 
    Description: Key Vault keys should be rotated periodically, and as such each Key Vault key should be scheduled for expiration. This signature searches for Key Vault key instances and generates a FAIL alert for each key that is not scheduled to expire.
     

  • New Signature: AZU:SC-003 - JIT Network Access Policy is Not Enabled 
    Description: This signature checks your Security Policy to ensure that JIT Network Access (requires Standard tier of Security Center) is enabled and returns a FAIL alert if it is not. 

  • New Signature: AZU:SC-002 - Emails About Alerts is Not Enabled 
    Description: This signature checks to see if you have enabled security alerts emailing to security contact and returns a FAIL alert if it is not. 
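
As an added illustration of how two of the AWS checks above evaluate their inputs (this is example code, not Evident's own signature implementation), the following Python reproduces the logic of AWS:IAM-022 (SSH key older than 90 days) and AWS:KMS-004 (external CMK expiring within 30 days) over constructed records shaped like the boto3 `iam.list_ssh_public_keys` and `kms.describe_key` responses. All user names, key ids and dates are made up for the example.

```python
from datetime import datetime, timedelta, timezone

# Evaluation time: fixed (constructed) so the results are deterministic.
NOW = datetime(2018, 8, 8, tzinfo=timezone.utc)

# Constructed records shaped like iam.list_ssh_public_keys()["SSHPublicKeys"].
SSH_KEYS = [
    {"UserName": "alice", "SSHPublicKeyId": "APKAEXAMPLE1", "UploadDate": NOW - timedelta(days=120)},
    {"UserName": "bob",   "SSHPublicKeyId": "APKAEXAMPLE2", "UploadDate": NOW - timedelta(days=10)},
    {"UserName": "carol", "SSHPublicKeyId": "APKAEXAMPLE3", "UploadDate": NOW - timedelta(days=400)},
]

# Constructed records shaped like kms.describe_key()["KeyMetadata"].
# ValidTo is only present when ExpirationModel is KEY_MATERIAL_EXPIRES.
CMKS = [
    {"KeyId": "key-aws-1", "Origin": "AWS_KMS", "ExpirationModel": "KEY_MATERIAL_DOES_NOT_EXPIRE"},
    {"KeyId": "key-ext-1", "Origin": "EXTERNAL", "ExpirationModel": "KEY_MATERIAL_EXPIRES",
     "ValidTo": NOW + timedelta(days=12)},
    {"KeyId": "key-ext-2", "Origin": "EXTERNAL", "ExpirationModel": "KEY_MATERIAL_EXPIRES",
     "ValidTo": NOW + timedelta(days=200)},
    {"KeyId": "key-ext-3", "Origin": "EXTERNAL", "ExpirationModel": "KEY_MATERIAL_DOES_NOT_EXPIRE"},
]


def check_ssh_key_age(keys, now=NOW, max_age_days=90):
    """AWS:IAM-022 logic: FAIL for every IAM SSH public key older than max_age_days."""
    results = []
    for k in keys:
        age = (now - k["UploadDate"]).days
        status = "FAIL" if age > max_age_days else "PASS"
        results.append((k["UserName"], k["SSHPublicKeyId"], age, status))
    return results


def check_external_cmk_expiry(cmks, now=NOW, window_days=30):
    """AWS:KMS-004 logic: FAIL for every imported (Origin == EXTERNAL) CMK whose
    key material expires within window_days. Returns (KeyId, days_left, status)."""
    results = []
    for m in cmks:
        if m["Origin"] != "EXTERNAL":
            continue  # KMS-generated material can auto-rotate; not in scope for this check
        if m.get("ExpirationModel") != "KEY_MATERIAL_EXPIRES":
            results.append((m["KeyId"], None, "PASS"))  # imported material with no expiry set
            continue
        days_left = (m["ValidTo"] - now).days
        results.append((m["KeyId"], days_left, "FAIL" if days_left <= window_days else "PASS"))
    return results


if __name__ == "__main__":
    for row in check_ssh_key_age(SSH_KEYS) + check_external_cmk_expiry(CMKS):
        print(row)
```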

  • The Copy & Customize template has been populated to allow for customizing these default signatures: 
    • AWS:CF-001   AWS CloudFront CDN Not in Use 
    • AWS:EC2-034 EC2 Single Instance Does Not Appear to be Redundant 
    • AWS:R53-001 Route53 DNS 
    • AWS:RDS-001 RDS Retention Policy < 7 Days 
    • AWS:RDS-003 RDS Database Not Encrypted 
    • AWS:RDS-004 RDS Database Not Encrypted with Customer KMS Key 
    • AWS:RDS-009 RDS Event Subscription Not Enabled 
    • AWS:REDSHIFT-001 Redshift Cluster Is Publicly Accessible 
    • AWS:REDSHIFT-002 Unencrypted Redshift Cluster 
    • AWS:REDSHIFT-003 Redshift Cluster Not Encrypted with Customer KMS Key 
    • AWS:SSS-008  S3 Bucket has Global ACL Permissions enabled 
    • AWS:SSS-014  S3 Server Side Encryption Not Enabled 
    • AWS:SSS-015  S3 Secure Data Transport Policy Violation Discovered 
      Note:  Reference links to customizing signatures: 
  • Updated CIS AWS Foundations Benchmarks to match v1.2: 
    • Renumber section 1.21 to 1.19 - Ensure IAM instance roles are used for AWS resource access from instances 
    • Renumber section 1.22 to 1.20 - Ensure a support role has been created 
    • Renumber section 1.23 to 1.21 - Do not set-up access keys during initial user setup for all IAM users that have a console password 
    • Renumber section 1.24 to 1.22 - Ensure IAM policies that allow full "*:*" administrative privileges are not created 
    • Renumber section 4.3 to 2.9 - Ensure VPC flow logging is enabled in all VPCs 
  • Updated the Azure SDK to the latest release version. 
     
  • Custom Signature editor now provides more information regarding NoMethodExceptions. 
     
  • Improved sort fields for reports allow sorting by Team Name and Account Name, and sorting by alerts has been changed to sort by Signature Identifier. 
     
  • New Feature: User Access Level 

    You can now explicitly grant appropriate access (Organization, Sub Organization, or Team) to every user in your organization. Enabling granular access for users in the Evident service allows you to limit exposure to data and prevent escalation of privileges for a user due to implicit references to higher access levels. For example, a user to whom you have granted team access cannot gain elevated access to the sub organization if you delete the team to which that user belongs. 
     
  • New Feature: Editable Suppressions 
    To consolidate the number of suppressions you define on the Evident service, you can now edit an alert suppression. If, for example, you add a new account, or you want to suppress alerts for a new signature, you can modify an existing suppression to include your changes instead of creating a new one. 
     
  • The Evident Contact Us page has been updated to include the Evident Knowledge Base, Palo Alto Networks Support, and Login Assistance for new users. 
     
  • Beta dashboard is now default view. 

 

Addressed Issues 
 

  • Signatures AWS:VPC-002 and AWS:VPC-009 were revised to add a new FAIL condition better suited to meeting the design needs of the signature. 
     
  • Signature: AWS:VPC-003 was revised to better inform the customer of when VPC subnet/NACL is internet accessible. 
     
  • Signature: AWS:ELB-006 was edited to address the lack of a PASS / FAIL message. 
     
  • Fixed an issue where Jira notifications failed because the alert was too long. 
     
  • Added proper paging to KMS client list aliases. 
     
  • The following signatures were edited to address an unexpected error and also to resolve the all-match and partial-match issue: 

