From 32b7ef47df2aa44a985d5118c43bf22f675fa394 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Fri, 23 Dec 2022 12:32:05 +0100
Subject: [PATCH] Add count condition
---
 rules/cloud/aws/aws_enum_logging.yml | 2 +-
 rules/cloud/aws/aws_enum_network.yml | 2 +-
 rules/cloud/aws/aws_enum_storage.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/cloud/aws/aws_enum_logging.yml b/rules/cloud/aws/aws_enum_logging.yml
index 63c680008..50fa152c6 100644
--- a/rules/cloud/aws/aws_enum_logging.yml
+++ b/rules/cloud/aws/aws_enum_logging.yml
@@ -26,7 +26,7 @@ detection:
 - 'DescribeSnapshotTierStatus'
 - 'DescribeImages'
 timeframe: 10m
- condition: selection
+ condition: selection | count() > 5
 falsepositives:
 - Unknown
 level: medium
diff --git a/rules/cloud/aws/aws_enum_network.yml b/rules/cloud/aws/aws_enum_network.yml
index 7b5a6ca6c..41297071c 100644
--- a/rules/cloud/aws/aws_enum_network.yml
+++ b/rules/cloud/aws/aws_enum_network.yml
@@ -23,7 +23,7 @@ detection:
 - 'DescribeDhcpOptions'
 - 'GetTransitGatewayRouteTableAssociations'
 timeframe: 10m
- condition: selection
+ condition: selection | count() > 5
 falsepositives:
 - Unknown
 level: low
diff --git a/rules/cloud/aws/aws_enum_storage.yml b/rules/cloud/aws/aws_enum_storage.yml
index c06f63780..6a9ad5b41 100644
--- a/rules/cloud/aws/aws_enum_storage.yml
+++ b/rules/cloud/aws/aws_enum_storage.yml
@@ -24,7 +24,7 @@ detection:
 - 'GetBucketPolicy'
 - 'GetBucketTagging'
 timeframe: 10m
- condition: selection
+ condition: selection | count() > 5
 falsepositives:
 - Unknown
 level: medium
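Review bot: The new `count() > 5` in the `condition` of aws_enum_logging.yml has no `by` clause, so the threshold is evaluated over every matching CloudTrail event in the 10m window regardless of which principal made the call; the identical hunks in aws_enum_network.yml and aws_enum_storage.yml have the same gap. In a busy account, routine Describe*/Get* calls from several unrelated identities would add up past 5, and the resulting alert would not point at any single caller. Grouping by caller keeps the rule about one identity enumerating, for example `condition: selection | count() by userIdentity.arn > 5`, and `falsepositives` could name inventory and compliance scanners instead of `Unknown`. The `detection` block starts above each hunk, so the grouping field should be checked against the fields the rule's `selection` and logsource actually provide.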