[Rule Tuning] Potential AWS S3 Bucket Ransomware Note Uploaded (#5739)

Tuning based on telemetry from recent rule version 9. There are many false positives for what look like typical S3 storage object names like `BillingInformation` and `InstanceInformation` created by AWS service accounts. I'm excluding AWS service account types from the rule for now, which eliminated ~97% of the false positives over the last 30 days, leaving only 66, which is acceptable for this rule and should be addressed via local exclusions.

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Isai
2026-02-20 10:41:42 -05:00
committed by GitHub
parent d358641c45
commit 62aa4dcedc
@@ -2,7 +2,7 @@
creation_date = "2024/04/17"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/30"
updated_date = "2026/02/19"
[rule]
author = ["Elastic"]
@@ -123,6 +123,7 @@ file where
/* common ransom note file name keywords */
aws.cloudtrail.resources.arn regex~ "arn:aws:s3:::[^/]+/.*?(how|decrypt|restor|help|instruct|read|get|recov|save|encrypt|info|ransom).*"
and not aws.cloudtrail.resources.arn regex~ ".*(AWSLogs|CloudTrail|access-logs).*"
and not aws.cloudtrail.user_identity.type == "AWSService"
'''
[rule.investigation_fields]
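Review bot: the new `and not aws.cloudtrail.user_identity.type == "AWSService"` line suppresses every object write performed by an AWS service principal, not only the `BillingInformation`/`InstanceInformation` names called out in the commit message, so it also hides ransom-note-like keys written through service-driven paths such as replication or event destinations; consider narrowing the exclusion to the specific `aws.cloudtrail.resources.arn` name patterns that produced the noise, or at least adding a `false_positives` entry to the rule documenting that AWSService-initiated writes are now out of scope. Also note that EQL `==` is a case-sensitive string comparison, which is fine here because CloudTrail emits `AWSService` with exactly that casing, but a `:` match would be the safer choice if the rest of the query mixes case-insensitive operators.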