From 2a48335813b03ae789afa23fc74ea421013f1175 Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Thu, 7 Apr 2022 14:47:09 -0400
Subject: [PATCH] [Rule Tuning] AWS Security Group Configuration Change Detection (#1915)

* Update persistence_ec2_security_group_configuration_change_detection

Rule does not trigger as expected due to 'iam' provider. I changed the specified provider to 'ec2'.

* update to improve rule coverage

I edited this rule to include the deletion of an RDS Instance. This fills a current gap in coverage as we are able to detect the creation and stopping of RDS instances and clusters, but only detect deletion of RDS clusters.

* Revert "update to improve rule coverage"

This reverts commit b3b094274fe13c56908aa6781c8236de6e3b5380.

(cherry picked from commit 5073ef8be7388555e9715936a52e6329626bc4e3)
---
 ...nce_ec2_security_group_configuration_change_detection.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
index e98e7f46f..85cdb5cca 100644
--- a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
+++ b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/05/05"
 maturity = "production"
-updated_date = "2021/09/20"
+updated_date = "2022/04/07"
 integration = "aws"
 [rule]
@@ -36,7 +36,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or
+event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or
 CreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or
 RevokeSecurityGroupIngress) and event.outcome:success
 '''
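Review bot: The action list that starts on the new `+event.dataset` line still omits `AuthorizeSecurityGroupIngress`, even though its counterparts `AuthorizeSecurityGroupEgress`, `RevokeSecurityGroupEgress` and `RevokeSecurityGroupIngress` are all present, so adding an inbound rule to a security group, the change most likely to expose an instance, would not match this rule now that the provider fix makes the other actions match. Unless another rule is intended to cover inbound authorizations, the list should read `event.action:(AuthorizeSecurityGroupEgress or AuthorizeSecurityGroupIngress or` with the rest unchanged. Separately, `ModifyInstanceAttribute` appears to be broader than security-group changes, so a comment above `query` such as `# ModifyInstanceAttribute also fires for non-security-group attribute changes; check requestParameters when triaging` would help analysts, though that is a tuning judgement rather than a defect. The `[rule]` table and the rest of the rule continue outside the hunk.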