From d59d462956229e2f6c721cde03fbc7bcedbd9115 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Tue, 2 Jul 2024 13:02:52 -0400
Subject: [PATCH] [Rule Tuning] Potential AWS S3 Bucket Ransomware Note Uploaded (#3854)

* tuning 'Potential AWS S3 Bucket Ransomware Note Uploaded'

* adding filter to ignore common AWS object path strings
---
 ...pact_s3_bucket_object_uploaded_with_ransom_extension.toml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_extension.toml b/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_extension.toml
index 42c07501f..36ccce2f4 100644
--- a/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_extension.toml
+++ b/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_extension.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.13.0"
-updated_date = "2024/06/05"
+updated_date = "2024/07/01"
 
 [rule]
 author = ["Elastic"]
@@ -95,7 +95,8 @@ from logs-aws.cloudtrail-*
 | dissect aws.cloudtrail.request_parameters "%{?ignore_values}key=%{object_name}}"
 // regex on common ransomware note extensions
-| where object_name rlike "(.*).(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue)"
+| where object_name rlike "(.*)(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue)(.*)"
+ and not object_name rlike "(.*)(AWSLogs|CloudTrail|access-logs)(.*)"
 // aggregate by S3 bucket, resource and object name
 | stats note_upload_count = count(*) by tls.client.server_name, aws.cloudtrail.user_identity.arn, object_name