[Rule Tuning] Fixing Incorrect ES|QL Operator Use - AWS Service Quotas Multi-Region GetServiceQuota Request (#4118)

* Replace the single `=` with the `==` equality operator in the ES|QL `where` clause

* Additional data source tag for consistency

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Terrance DeJesus
2024-10-02 15:50:22 -04:00
committed by GitHub
parent 51859e57f3
commit 45a347580c
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2024/08/26"
maturity = "production"
updated_date = "2024/08/26"
updated_date = "2024/10/02"
[rule]
author = ["Elastic"]
@@ -25,6 +25,7 @@ severity = "low"
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS Service Quotas",
"Use Case: Threat Detection",
"Tactic: Discovery",
@@ -36,7 +37,7 @@ query = '''
from logs-aws.cloudtrail-*
// filter for GetServiceQuota API calls
| where event.dataset == "aws.cloudtrail" and event.provider = "servicequotas.amazonaws.com" and event.action == "GetServiceQuota"
| where event.dataset == "aws.cloudtrail" and event.provider == "servicequotas.amazonaws.com" and event.action == "GetServiceQuota"
// truncate the timestamp to a 30-second window
| eval target_time_window = DATE_TRUNC(30 seconds, @timestamp)