From 05135ec828aba76af656ea0d10c3e0b316b5900a Mon Sep 17 00:00:00 2001
From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com>
Date: Thu, 29 Dec 2022 05:46:36 +1100
Subject: [PATCH] Further improved several AWS rules (#3827)

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
---
 rules/cloud/aws/aws_delete_identity.yml | 5 +++--
 .../cloud/aws/{aws_enum_logging.yml => aws_enum_backup.yml} | 3 ++-
 rules/cloud/aws/aws_enum_network.yml | 5 +++--
 rules/cloud/aws/aws_enum_storage.yml | 3 ++-
 rules/cloud/aws/aws_ses_messaging_enabled.yml | 5 +++--
 5 files changed, 13 insertions(+), 8 deletions(-)
 rename rules/cloud/aws/{aws_enum_logging.yml => aws_enum_backup.yml} (93%)

diff --git a/rules/cloud/aws/aws_delete_identity.yml b/rules/cloud/aws/aws_delete_identity.yml
index 9ba8f1a88..fc4f7caf4 100644
--- a/rules/cloud/aws/aws_delete_identity.yml
+++ b/rules/cloud/aws/aws_delete_identity.yml
@@ -1,11 +1,12 @@
 title: SES Identity Has Been Deleted
 id: 20f754db-d025-4a8f-9d74-e0037e999a9a
 status: experimental
-description: Detects an instance of an SES identity being deleted via the "delete-identity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities
+description: Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities
 references:
 - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
 author: Janantha Marasinghe
 date: 2022/12/13
+modified: 2022/12/28
 tags:
 - attack.defense_evasion
 - attack.t1070
@@ -15,7 +16,7 @@ logsource:
 detection:
 selection:
 eventSource: 'ses.amazonaws.com'
-eventName: 'delete-identity'
+eventName: 'DeleteIdentity'
 condition: selection
 falsepositives:
 - Unknown
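Review bot: The rewritten description line still says the adversary is "removing the account", but the `DeleteIdentity` event concerns an SES identity, which is a verified sender email address or domain rather than an account, so the sentence misstates what the rule observes. Suggest `description: Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the verified identity (email address or domain) that was used for suspicious or malicious activities`. The event-name correction itself is right; the CLI-style `delete-identity` string would never have matched a CloudTrail eventName.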
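Review bot: The selection now matches only the `DeleteIdentity` eventName, so an identity removed through the SES v2 API, which CloudTrail records as `DeleteEmailIdentity` under the same `ses.amazonaws.com` eventSource, would presumably not fire this rule. Unless the project deliberately scopes this rule to the v1 API, the field should take a list: `eventName:` followed by `- 'DeleteIdentity'` and `- 'DeleteEmailIdentity'`. If a separate rule already covers the v2 name, a comment pointing to it would save the next maintainer the same question. Any remaining fields of the rule (for example `level`) are outside this hunk.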
diff --git a/rules/cloud/aws/aws_enum_logging.yml b/rules/cloud/aws/aws_enum_backup.yml
similarity index 93%
rename from rules/cloud/aws/aws_enum_logging.yml
rename to rules/cloud/aws/aws_enum_backup.yml
index 50fa152c6..bef7e3b03 100644
--- a/rules/cloud/aws/aws_enum_logging.yml
+++ b/rules/cloud/aws/aws_enum_backup.yml
@@ -1,4 +1,4 @@
-title: Potential Backup Enumeration on An AWS Instance
+title: Potential Backup Enumeration on AWS
 id: 76255e09-755e-4675-8b6b-dbce9842cd2a
 status: experimental
 description: Detects potential enumeration activity targeting an AWS instance backups
@@ -6,6 +6,7 @@ references:
 - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
 author: Janantha Marasinghe
 date: 2022/12/13
+modified: 2022/12/28
 tags:
 - attack.discovery
 - attack.t1580
diff --git a/rules/cloud/aws/aws_enum_network.yml b/rules/cloud/aws/aws_enum_network.yml
index 41297071c..90b42bdf4 100644
--- a/rules/cloud/aws/aws_enum_network.yml
+++ b/rules/cloud/aws/aws_enum_network.yml
@@ -1,11 +1,12 @@
-title: Potential Network Enumeration on An AWS Instance
+title: Potential Network Enumeration on AWS
 id: c3d53999-4b14-4ddd-9d9b-e618c366b54d
 status: experimental
-description: Detects network enumeration performed on an AWS instance.
+description: Detects network enumeration performed on AWS.
 references:
 - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
 author: Janantha Marasinghe
 date: 2022/12/13
+modified: 2022/12/28
 tags:
 - attack.discovery
 - attack.t1016
diff --git a/rules/cloud/aws/aws_enum_storage.yml b/rules/cloud/aws/aws_enum_storage.yml
index 6a9ad5b41..c47b8e5f7 100644
--- a/rules/cloud/aws/aws_enum_storage.yml
+++ b/rules/cloud/aws/aws_enum_storage.yml
@@ -1,4 +1,4 @@
-title: Potential Storage Enumeration on An AWS Instance
+title: Potential Storage Enumeration on AWS
 id: 4723218f-2048-41f6-bcb0-417f2d784f61
 status: experimental
 description: Detects potential enumeration activity targeting AWS storage
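Review bot: In the first hunk of aws_enum_backup.yml the title drops "An AWS Instance", but the description context line on the new side still reads "targeting an AWS instance backups", which keeps the instance-specific wording the title removes and is ungrammatical. Suggest `description: Detects potential enumeration activity targeting AWS backups`. The network rule in this same commit had its description generalized alongside its title and the storage rule's description already said "AWS storage", so this one looks like an oversight rather than a deliberate scope difference.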
@@ -6,6 +6,7 @@ references:
 - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
 author: Janantha Marasinghe
 date: 2022/12/13
+modified: 2022/12/28
 tags:
 - attack.discovery
 - attack.t1619
diff --git a/rules/cloud/aws/aws_ses_messaging_enabled.yml b/rules/cloud/aws/aws_ses_messaging_enabled.yml
index 55a5038d6..7438698d5 100644
--- a/rules/cloud/aws/aws_ses_messaging_enabled.yml
+++ b/rules/cloud/aws/aws_ses_messaging_enabled.yml
@@ -1,11 +1,12 @@
-title: Potential Phshing Activity Via AWS Cloud Email Service Abuse
+title: Potential AWS Cloud Email Service Abuse
 id: 60b84424-a724-4502-bd0d-cc676e1bc90e
 status: experimental
-description: Detects potential phshing activity when the email sending feature is enabled for an account and the email address verification request is dispatched in quick succession
+description: Detects when the email sending feature is enabled for an AWS account and the email address verification request is dispatched in quick succession
 references:
 - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
 author: Janantha Marasinghe
 date: 2022/12/12
+modified: 2022/12/28
 tags:
 - attack.t1583.006
 - attack.resource_development
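Review bot: The new description for aws_ses_messaging_enabled.yml still promises that the two events are observed "in quick succession", which is a time-correlated pair, but nothing visible in this hunk establishes a correlation and the detection block lies outside it. If the detection is a plain selection on event names, the description overstates what the rule checks and an analyst triaging a hit will expect a second event that the rule never required. Either express the window in the rule (a count-based aggregation with a `timeframe`) or reword the description to name the events that are actually matched and drop the timing claim. The rest of the rule, including `detection` and `level`, is outside the hunk, so I cannot tell which of the two applies.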