security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] AWS Security Group Configuration Change Detection (#1915)

Browse Source 
* Update persistence_ec2_security_group_configuration_change_detection

Rule does not trigger as expected due to 'iam' provider. I changed the specified provider to 'ec2'.

* update to improve rule coverage

I edited this rule to include the deletion of an RDS Instance. This fills a current gap in coverage as we are able to detect the creation and stopping of RDS instances and clusters, but only detect deletion of RDS clusters.

* Revert "update to improve rule coverage"

This reverts commit b3b094274fe13c56908aa6781c8236de6e3b5380.
This commit is contained in:
Isai
2022-04-07 14:47:09 -04:00
committed by GitHub
parent ad99c6b489
commit 5073ef8be7
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
+2 -2
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/05/05"
maturity = "production"
updated_date = "2021/09/20"
updated_date = "2022/04/07"
integration = "aws"
[rule]
@@ -36,7 +36,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or
event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or
CreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or
RevokeSecurityGroupIngress) and event.outcome:success
'''