diff --git a/rules/cloud/aws/aws_elasticache_security_group_created.yml b/rules/cloud/aws/aws_elasticache_security_group_created.yml
index 26c08a751..5aec929c2 100644
--- a/rules/cloud/aws/aws_elasticache_security_group_created.yml
+++ b/rules/cloud/aws/aws_elasticache_security_group_created.yml
@@ -4,6 +4,7 @@ description: Detects when an ElastiCache security group has been created.
 author: Austin Songer
 status: experimental
 date: 2021/07/24
+modified: 2021/08/19
 references:
     - https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml
 logsource:
@@ -11,7 +12,7 @@ logsource:
 detection:
     selection:
         eventSource: elasticache.amazonaws.com
-        eventName: "Create Cache Security Group"
+        eventName: "CreateCacheSecurityGroup"
     condition: selection
 level: low
 tags:
diff --git a/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml b/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml
index 26e325271..162b79980 100644
--- a/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml
+++ b/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml
@@ -4,6 +4,7 @@ description: Identifies when an ElastiCache security group has been modified or
 author: Austin Songer
 status: experimental
 date: 2021/07/24
+modified: 2021/08/19
 references:
     - https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml
 logsource:
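Review bot: The corrected `CreateCacheSecurityGroup` value only covers ElastiCache cache security groups, which as far as I recall from the ElastiCache documentation apply to clusters launched outside a VPC (EC2-Classic); clusters inside a VPC use EC2 security groups, whose creation is logged as `ec2.amazonaws.com` / `CreateSecurityGroup` and is not matched by this rule. If that narrower scope is intended, I would state it in the description so analysts do not expect VPC deployments to trigger it, e.g. `description: Detects creation of an ElastiCache cache security group (used only by non-VPC clusters); VPC clusters use EC2 security groups and are not covered here.` Since the old spaced value could never equal a CloudTrail eventName, this rule has effectively never fired in any deployment, so the `level: low` tuning and the falsepositives section have not been validated against real events and deserve a quick check.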
@@ -12,9 +13,9 @@ detection:
     selection:
         eventSource: elasticache.amazonaws.com
         eventName:
-            - "Delete Cache Security Group"
-            - "Authorize Cache Security Group Ingress"
-            - "Revoke Cache Security Group Ingress"
+            - "DeleteCacheSecurityGroup"
+            - "AuthorizeCacheSecurityGroupIngress"
+            - "RevokeCacheSecurityGroupIngress"
             - "AuthorizeCacheSecurityGroupEgress"
             - "RevokeCacheSecurityGroupEgress"
     condition: selection
diff --git a/rules/cloud/aws/aws_s3_data_management_tampering.yml b/rules/cloud/aws/aws_s3_data_management_tampering.yml
index 4787fd143..7e5229d1e 100644
--- a/rules/cloud/aws/aws_s3_data_management_tampering.yml
+++ b/rules/cloud/aws/aws_s3_data_management_tampering.yml
@@ -1,9 +1,10 @@
-title: AWS S3 Data Management Tamperin
+title: AWS S3 Data Management Tampering
 id: 78b3756a-7804-4ef7-8555-7b9024a02e2d
 description: Detects when a user tampers with S3 data management in Amazon Web Services.
 author: Austin Songer
 status: experimental
 date: 2021/07/24
+modified: 2021/08/19
 references:
     - https://github.com/elastic/detection-rules/pull/1145/files
     - https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html
@@ -16,7 +17,7 @@ logsource:
     service: cloudtrail
 detection:
     selection:
-        eventSource: iam.amazonaws.com
+        eventSource: s3.amazonaws.com
         eventName:
             - PutBucketLogging
             - PutBucketWebsite
diff --git a/rules/cloud/aws/aws_snapshot_backup_exfiltration.yml b/rules/cloud/aws/aws_snapshot_backup_exfiltration.yml
index 37814a8f5..e8794cee2 100644
--- a/rules/cloud/aws/aws_snapshot_backup_exfiltration.yml
+++ b/rules/cloud/aws/aws_snapshot_backup_exfiltration.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the modification of an EC2 snapshot's permissions to enable access from another account
 author: Darin Smith
 date: 2021/05/17
-modified: 2021/08/09
+modified: 2021/08/19
 references:
     - https://www.justice.gov/file/1080281/download
     - https://attack.mitre.org/techniques/T1537/
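Review bot: The two untouched entries at the end of the eventName list, `AuthorizeCacheSecurityGroupEgress` and `RevokeCacheSecurityGroupEgress`, do not correspond to any ElastiCache API action I can find in the public API reference — the cache-security-group API only has the Ingress pair, and the Egress names read like EC2 action names carried over from the Elastic reference rule — so they are dead values that will never match a CloudTrail event and suggest the list was not verified. I would either remove them or, if they are kept for parity with the upstream rule, put a comment above them such as `# Egress variants are not ElastiCache API actions as of 2021-08; kept for parity with the Elastic rule` so the next maintainer does not treat them as validated. Please confirm against the current ElastiCache API reference before deleting them.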
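Review bot: With eventSource corrected to `s3.amazonaws.com` this rule will produce matches for the first time, and the eventName list (which continues past the hunk) is made of bucket-configuration calls that infrastructure-as-code tooling and the console issue on every legitimate provisioning run, so `PutBucketLogging`/`PutBucketWebsite` alone will fire constantly in an active account. Unless the rule's falsepositives section, which lies outside this hunk, already covers it, I would add an entry like `- Routine bucket configuration by IaC pipelines (Terraform, CloudFormation) or administrators; baseline on userIdentity.arn and sourceIPAddress before alerting` and treat the rule as a hunting or context signal rather than a paging alert. A 'Tampering' title also implies intent the selection cannot establish, so consider wording the description as 'changes to S3 bucket management configuration' to match what is actually detected.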
@@ -12,7 +12,7 @@ logsource:
     service: cloudtrail
 detection:
     selection_source:
-        eventSource: cloudtrail.amazonaws.com
+        eventSource: ec2.amazonaws.com
         eventName: ModifySnapshotAttribute
     condition: selection_source
 falsepositives:
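Review bot: The description promises detection of permissions being changed "to enable access from another account", but `selection_source` now matches every `ModifySnapshotAttribute` call on `ec2.amazonaws.com`, which includes calls that remove a `createVolumePermission` entry (clean-up after a share) and calls that change the `productCodes` attribute, so the corrected rule is broader than its description. If your CloudTrail backend exposes the nested request parameters, narrow the selection to the add case by matching on the `requestParameters.createVolumePermission.add` object — the exact field path and whether a presence test is expressible depend on the backend's flattening, so confirm against a sample event — and add a separate, higher-severity selection on `requestParameters.createVolumePermission.add.items.group: all`, which is the public-sharing variant that an exfiltration rule most needs to surface. If narrowing is not possible, at least adjust the description to say that any snapshot attribute modification is matched and note the removal/productCodes cases in falsepositives, whose entries are outside this hunk.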