From 62aa4dcedc0ef5cc1d38416a57cc62e41c41dfb6 Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Fri, 20 Feb 2026 10:41:42 -0500
Subject: [PATCH] [Rule Tuning] Potential AWS S3 Bucket Ransomware Note Uploaded (#5739)

Tuning based on telemetry from recent rule version 9. There are many false positives for what look like typical S3 storage object names like `BillingInformation`, `InstanceInformation` created by AWS Service accounts. I'm excluding AWS service account types from the rule for now which eliminated ~97% of the false positives over last 30 days. leaving only 66 which is acceptable for this rule and should be addressed via local exclusions.

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
---
 .../impact_s3_bucket_object_uploaded_with_ransom_keyword.toml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_keyword.toml b/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_keyword.toml
index 7b9446c87..36ccc844d 100644
--- a/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_keyword.toml
+++ b/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_keyword.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/17"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/30"
+updated_date = "2026/02/19"
 
 [rule]
 author = ["Elastic"]
@@ -123,6 +123,7 @@ file where
 /* common ransom note file name keywords */
 aws.cloudtrail.resources.arn regex~ "arn:aws:s3:::[^/]+/.*?(how|decrypt|restor|help|instruct|read|get|recov|save|encrypt|info|ransom).*"
 and not aws.cloudtrail.resources.arn regex~ ".*(AWSLogs|CloudTrail|access-logs).*"
+ and not aws.cloudtrail.user_identity.type == "AWSService"
 '''
 
 [rule.investigation_fields]
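Review bot: The new `and not aws.cloudtrail.user_identity.type == "AWSService"` exclusion carries no in-query comment, while the neighbouring keyword match does (`/* common ransom note file name keywords */`), so the next person tuning this rule cannot tell why every service-principal upload is dropped; add `/* AWS service principals write benign objects such as billing/inventory reports */` above it, and mention the exclusion in the rule's false-positive guidance, which this commit leaves untouched. Excluding the whole identity type trades those false positives for a coverage gap: a `PutObject` with a ransom-like key that AWS performs on a principal's behalf (replication, a service role) is no longer considered, which is probably acceptable for this rule but should be stated where the exclusion is documented. It is also worth confirming that `user_identity.type` is populated on every CloudTrail event that reaches this query; if it were ever absent, whether `not … ==` still lets the event through depends on EQL's null handling. The `file where` query this condition belongs to starts before the hunk.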