From cf3cbf808996bfd2b4d4cae3b37d101c208fa490 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <monsteroffire2@gmail.com>
Date: Tue, 9 Dec 2025 10:17:50 +0100
Subject: [PATCH] Merge PR #5799 from @nasbench - Update logic to use
 `errorCode` instead for better mapping and accuracy

update: Potential Malicious Usage of CloudTrail System Manager - Update logic to use errorCode instead for better mapping and accuracy
---
 .../cloudtrail/aws_cloudtrail_ssm_malicious_usage.yml  | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/rules/cloud/aws/cloudtrail/aws_cloudtrail_ssm_malicious_usage.yml b/rules/cloud/aws/cloudtrail/aws_cloudtrail_ssm_malicious_usage.yml
index 6a409f66a..984e88142 100644
--- a/rules/cloud/aws/cloudtrail/aws_cloudtrail_ssm_malicious_usage.yml
+++ b/rules/cloud/aws/cloudtrail/aws_cloudtrail_ssm_malicious_usage.yml
@@ -7,6 +7,7 @@ references:
     - https://github.com/elastic/detection-rules/blob/v8.6.0/rules/integrations/aws/initial_access_via_system_manager.toml
 author: jamesc-grafana
 date: 2024-07-11
+modified: 2025-12-08
 tags:
     - attack.privilege-escalation
     - attack.initial-access
@@ -16,11 +17,14 @@ logsource:
     product: aws
     service: cloudtrail
 detection:
-    selection:
+    selection_event:
         eventName: 'SendCommand'
         eventSource: 'ssm.amazonaws.com'
-        responseElements.command.status: 'Success'
-    condition: selection
+    selection_status_success:
+        errorCode: 'Success'
+    selection_status_null:
+        errorCode: null
+    condition: selection_event and 1 of selection_status_*
 falsepositives:
     - There are legitimate uses of SSM to send commands to EC2 instances
     - Legitimate users may have to use SSM to perform actions against machines in the Cloud to update or maintain them