diff --git a/rules/aws/collection_cloudtrail_logging_created.toml b/rules/aws/collection_cloudtrail_logging_created.toml
index 2da21d22e..b8cf49920 100644
--- a/rules/aws/collection_cloudtrail_logging_created.toml
+++ b/rules/aws/collection_cloudtrail_logging_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:CreateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success
 '''
 
 
diff --git a/rules/aws/credential_access_iam_user_addition_to_group.toml b/rules/aws/credential_access_iam_user_addition_to_group.toml
index 180bdd6ce..936ccdf81 100644
--- a/rules/aws/credential_access_iam_user_addition_to_group.toml
+++ b/rules/aws/credential_access_iam_user_addition_to_group.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/04"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:AddUserToGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success
 '''
 
 
diff --git a/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
index 804968321..36358aa2d 100644
--- a/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
+++ b/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:DeleteTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success
 '''
 
 
diff --git a/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
index c47283cdd..9bad72e96 100644
--- a/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
+++ b/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -36,7 +36,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:StopLogging and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success
 '''
 
 
diff --git a/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
index cd761d270..1ce4f46dd 100644
--- a/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
+++ b/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/15"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:DeleteAlarms and event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success
 '''
 
 
diff --git a/rules/aws/defense_evasion_config_service_rule_deletion.toml b/rules/aws/defense_evasion_config_service_rule_deletion.toml
index 37661fd88..0a4307f0e 100644
--- a/rules/aws/defense_evasion_config_service_rule_deletion.toml
+++ b/rules/aws/defense_evasion_config_service_rule_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/26"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -36,7 +36,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset: aws.cloudtrail and event.action: DeleteConfigRule and event.provider: config.amazonaws.com
+event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:DeleteConfigRule
 '''
 
 
diff --git a/rules/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/aws/defense_evasion_configuration_recorder_stopped.toml
index 3cd46cd4c..20e0bcb48 100644
--- a/rules/aws/defense_evasion_configuration_recorder_stopped.toml
+++ b/rules/aws/defense_evasion_configuration_recorder_stopped.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/16"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:StopConfigurationRecorder and event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success
 '''
 
 
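Review bot: The reordered DeleteConfigRule query on the `+` line of the defense_evasion_config_service_rule_deletion.toml hunk is the only rule in this change that does not gate on `event.outcome:success`, so a denied or otherwise failed `DeleteConfigRule` call alerts exactly like a completed deletion. If the intent is to behave like the sibling rules, the line should read `event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:DeleteConfigRule and event.outcome:success`. If alerting on failed attempts is deliberate — an actor probing for the permission can be a useful signal — that choice should be recorded in the rule's `note` or `false_positives` text (outside the hunk) so a later tidy-up does not "fix" it. The `[rule]` table this query belongs to starts well before the hunk.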
diff --git a/rules/aws/defense_evasion_ec2_flow_log_deletion.toml b/rules/aws/defense_evasion_ec2_flow_log_deletion.toml
index b30044f83..4bc975de1 100644
--- a/rules/aws/defense_evasion_ec2_flow_log_deletion.toml
+++ b/rules/aws/defense_evasion_ec2_flow_log_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/15"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:DeleteFlowLogs and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success
 '''
 
 
diff --git a/rules/aws/defense_evasion_ec2_network_acl_deletion.toml b/rules/aws/defense_evasion_ec2_network_acl_deletion.toml
index 4edf8c09f..eba6b2f7b 100644
--- a/rules/aws/defense_evasion_ec2_network_acl_deletion.toml
+++ b/rules/aws/defense_evasion_ec2_network_acl_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -37,7 +37,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success
 '''
 
 
diff --git a/rules/aws/defense_evasion_guardduty_detector_deletion.toml b/rules/aws/defense_evasion_guardduty_detector_deletion.toml
index 7ec7b11b4..e6c8379fa 100644
--- a/rules/aws/defense_evasion_guardduty_detector_deletion.toml
+++ b/rules/aws/defense_evasion_guardduty_detector_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/28"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:DeleteDetector and event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success
 '''
 
 
diff --git a/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
index e73d8b6a7..93e0ce3cc 100644
--- a/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
+++ b/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/27"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,10 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or DeleteBucketEncryption or DeleteBucketLifecycle) and event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and
+ event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or
+ DeleteBucketEncryption or DeleteBucketLifecycle)
+ and event.outcome:success
 '''
 
 
diff --git a/rules/aws/defense_evasion_waf_acl_deletion.toml b/rules/aws/defense_evasion_waf_acl_deletion.toml
index 6e64e4d8e..6386652bc 100644
--- a/rules/aws/defense_evasion_waf_acl_deletion.toml
+++ b/rules/aws/defense_evasion_waf_acl_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:DeleteWebACL and event.dataset:aws.cloudtrail and event.outcome:success
+event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success
 '''
 
 
diff --git a/rules/aws/impact_cloudtrail_logging_updated.toml b/rules/aws/impact_cloudtrail_logging_updated.toml
index c4d15ec7f..b3ea1f7e2 100644
--- a/rules/aws/impact_cloudtrail_logging_updated.toml
+++ b/rules/aws/impact_cloudtrail_logging_updated.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:UpdateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success
 '''
 
 
diff --git a/rules/aws/impact_cloudwatch_log_group_deletion.toml b/rules/aws/impact_cloudwatch_log_group_deletion.toml
index 488d7b386..1a24d04fa 100644
--- a/rules/aws/impact_cloudwatch_log_group_deletion.toml
+++ b/rules/aws/impact_cloudwatch_log_group_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:DeleteLogGroup and event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success
 '''
 
 
diff --git a/rules/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/aws/impact_cloudwatch_log_stream_deletion.toml
index 42af3b058..01289f8bb 100644
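Review bot: The DeleteWebACL query on the `+` line of the defense_evasion_waf_acl_deletion.toml hunk is the only AWS rule in this change without an `event.provider` clause, so it matches on the action name alone. That is presumably deliberate, since `DeleteWebACL` can come from more than one WAF event source (classic, regional and v2), but a reader comparing this file with its siblings cannot distinguish intent from omission. Either restrict it explicitly with an `event.provider:(… or …)` list of the WAF sources actually observed in your CloudTrail data, or state the reason in the rule's `note` field (outside the hunk). The `[rule]` table this query belongs to starts before the hunk.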
--- a/rules/aws/impact_cloudwatch_log_stream_deletion.toml
+++ b/rules/aws/impact_cloudwatch_log_stream_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:DeleteLogStream and event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success
 '''
 
 
diff --git a/rules/aws/impact_ec2_disable_ebs_encryption.toml b/rules/aws/impact_ec2_disable_ebs_encryption.toml
index adf424904..0a0353efa 100644
--- a/rules/aws/impact_ec2_disable_ebs_encryption.toml
+++ b/rules/aws/impact_ec2_disable_ebs_encryption.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/05"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -36,7 +36,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:DisableEbsEncryptionByDefault and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success
 '''
 
 
diff --git a/rules/aws/impact_iam_deactivate_mfa_device.toml b/rules/aws/impact_iam_deactivate_mfa_device.toml
index 8b1d451fc..9dde69c41 100644
--- a/rules/aws/impact_iam_deactivate_mfa_device.toml
+++ b/rules/aws/impact_iam_deactivate_mfa_device.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -36,7 +36,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:DeactivateMFADevice and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeactivateMFADevice and event.outcome:success
 '''
 
 
diff --git a/rules/aws/impact_iam_group_deletion.toml b/rules/aws/impact_iam_group_deletion.toml
index 0d64969c6..0bbc36aab 100644
--- a/rules/aws/impact_iam_group_deletion.toml
+++ b/rules/aws/impact_iam_group_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:DeleteGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success
 '''
 
 
diff --git a/rules/aws/impact_rds_cluster_deletion.toml b/rules/aws/impact_rds_cluster_deletion.toml
index 91d201627..a16253165 100644
--- a/rules/aws/impact_rds_cluster_deletion.toml
+++ b/rules/aws/impact_rds_cluster_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -37,7 +37,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:(DeleteDBCluster or DeleteGlobalCluster) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster) and event.outcome:success
 '''
 
 
diff --git a/rules/aws/impact_rds_instance_cluster_stoppage.toml b/rules/aws/impact_rds_instance_cluster_stoppage.toml
index d3e2a5a84..49a83416a 100644
--- a/rules/aws/impact_rds_instance_cluster_stoppage.toml
+++ b/rules/aws/impact_rds_instance_cluster_stoppage.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:(StopDBCluster or StopDBInstance) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success
 '''
 
 
diff --git a/rules/aws/initial_access_console_login_root.toml b/rules/aws/initial_access_console_login_root.toml
index 9369c6b2a..5d4340b7e 100644
--- a/rules/aws/initial_access_console_login_root.toml
+++ b/rules/aws/initial_access_console_login_root.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/11"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:ConsoleLogin and event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and aws.cloudtrail.user_identity.type:Root and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success
 '''
 
 
diff --git a/rules/aws/initial_access_password_recovery.toml b/rules/aws/initial_access_password_recovery.toml
index 34f7e81dc..1fc90b7fa 100644
--- a/rules/aws/initial_access_password_recovery.toml
+++ b/rules/aws/initial_access_password_recovery.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/02"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:PasswordRecoveryRequested and event.provider:signin.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success
 '''
 
 
diff --git a/rules/aws/persistence_ec2_network_acl_creation.toml b/rules/aws/persistence_ec2_network_acl_creation.toml
index 2c60125d6..fbbe83fdc 100644
--- a/rules/aws/persistence_ec2_network_acl_creation.toml
+++ b/rules/aws/persistence_ec2_network_acl_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/04"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -37,7 +37,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success
 '''
 
 
diff --git a/rules/aws/persistence_iam_group_creation.toml b/rules/aws/persistence_iam_group_creation.toml
index fca401806..f19d7488d 100644
--- a/rules/aws/persistence_iam_group_creation.toml
+++ b/rules/aws/persistence_iam_group_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/05"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:CreateGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success
 '''
 
 
diff --git a/rules/aws/persistence_rds_cluster_creation.toml b/rules/aws/persistence_rds_cluster_creation.toml
index dff2bddb0..00f126fb1 100644
--- a/rules/aws/persistence_rds_cluster_creation.toml
+++ b/rules/aws/persistence_rds_cluster_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -37,7 +37,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.action:(CreateDBCluster or CreateGlobalCluster) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success
 '''
 
 
diff --git a/rules/aws/privilege_escalation_root_login_without_mfa.toml b/rules/aws/privilege_escalation_root_login_without_mfa.toml
index a366cd7ef..3fd3b6696 100644
--- a/rules/aws/privilege_escalation_root_login_without_mfa.toml
+++ b/rules/aws/privilege_escalation_root_login_without_mfa.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,10 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and
+ aws.cloudtrail.user_identity.type:Root and
+ aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and
+ event.outcome:success
 '''
 
 
diff --git a/rules/azure/persistence_azure_automation_webhook_created.toml b/rules/azure/persistence_azure_automation_webhook_created.toml
index 4b95f3e55..25ee2fbed 100644
--- a/rules/azure/persistence_azure_automation_webhook_created.toml
+++ b/rules/azure/persistence_azure_automation_webhook_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/03/04"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,6 @@ rule_id = "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62"
 severity = "low"
 tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
 timestamp_override = "event.ingested"
-to = "now-25m"
 type = "query"
 
 query = '''
diff --git a/rules/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml b/rules/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
index 35decf433..2c95a19a8 100644
--- a/rules/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
+++ b/rules/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
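Review bot: Removing `to = "now-25m"` in the persistence_azure_automation_webhook_created.toml hunk moves the end of the rule's query window from 25 minutes ago to now, which changes when this rule can fire, and nothing in the change records why. With `timestamp_override = "event.ingested"` kept on the line above, the offset is presumably redundant — the rule is evaluated on ingest time rather than the event's own timestamp, so late-arriving events are no longer the reason to lag the window — but that reasoning should be stated rather than left to the reader. Confirm that the rule's `from` and `interval` values (outside the hunk) still overlap enough that events ingested between two runs are not skipped, and consider a one-line rationale in the commit message such as `drop to= offset: timestamp_override on event.ingested already absorbs ingest lag`. The `query = '''` line that closes the hunk opens a string whose body lies outside the hunk.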
@@ -29,6 +29,6 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:(googlecloud.audit or gcp.audit) and event.action:storage.buckets.update and event.outcome:success
+event.dataset:(googlecloud.audit or gcp.audit) and event.action:"storage.buckets.update" and event.outcome:success
 '''
 
diff --git a/rules/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml b/rules/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
index 25d059aba..5bb804a4a 100644
--- a/rules/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
+++ b/rules/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:(googlecloud.audit or gcp.audit) and event.action:storage.setIamPermissions and event.outcome:success
+event.dataset:(googlecloud.audit or gcp.audit) and event.action:"storage.setIamPermissions" and event.outcome:success
 '''
 
 
diff --git a/rules/gcp/impact_gcp_storage_bucket_deleted.toml b/rules/gcp/impact_gcp_storage_bucket_deleted.toml
index 58773704a..873050391 100644
--- a/rules/gcp/impact_gcp_storage_bucket_deleted.toml
+++ b/rules/gcp/impact_gcp_storage_bucket_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:(googlecloud.audit or gcp.audit) and event.action:storage.buckets.delete
+event.dataset:(googlecloud.audit or gcp.audit) and event.action:"storage.buckets.delete"
 '''
 
 
diff --git a/rules/gcp/impact_gcp_virtual_private_cloud_route_created.toml b/rules/gcp/impact_gcp_virtual_private_cloud_route_created.toml
index f1a32ea39..10073cab2 100644
--- a/rules/gcp/impact_gcp_virtual_private_cloud_route_created.toml
+++ b/rules/gcp/impact_gcp_virtual_private_cloud_route_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/22"
 
 [rule]
 author = ["Elastic"]
@@ -31,6 +31,6 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:(googlecloud.audit or gcp.audit) and event.action:(v*.compute.routes.insert or beta.compute.routes.insert)
+event.dataset:(googlecloud.audit or gcp.audit) and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert")
 '''
 
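Review bot: The `+` line of the last hunk quotes `"beta.compute.routes.insert"` but leaves `v*.compute.routes.insert` bare, and nothing explains the asymmetry, so a later cleanup pass is likely to quote both for consistency. The bare form is presumably what keeps `*` acting as a wildcard — a quoted KQL value is, as far as I know, matched literally — so quoting it would silently stop the rule matching the versioned route-insert variants it is meant to cover. Since the KQL inside `query = '''` cannot carry a comment, add one sentence to the rule's `note` field (outside the hunk) saying that the wildcard term is intentionally unquoted and why.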