diff --git a/rules/integrations/aws/privilege_escalation_aws_iam_administratoraccess_policy_attached_to_group.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml
similarity index 94%
rename from rules/integrations/aws/privilege_escalation_aws_iam_administratoraccess_policy_attached_to_group.toml
rename to rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml
index 7f5365ace..2282733cf 100644
--- a/rules/integrations/aws/privilege_escalation_aws_iam_administratoraccess_policy_attached_to_group.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml
@@ -2,8 +2,8 @@
 creation_date = "2024/05/31"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/31"
-min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully"
+updated_date = "2024/07/05"
+min_stack_comments = "ES|QL rule type in technical preview as of 8.13."
 min_stack_version = "8.13.0"
 
 [rule]
@@ -21,7 +21,7 @@ false_positives = [
 to attach the `AdministratorAccess` policy to the user group.
 """,
 ]
-from = "now-10m"
+from = "now-6m"
 language = "esql"
 license = "Elastic License v2"
 name = "AWS IAM AdministratorAccess Policy Attached to Group"
@@ -104,8 +104,6 @@ from logs-aws.cloudtrail-*
 | where event.provider == "iam.amazonaws.com" and event.action == "AttachGroupPolicy" and event.outcome == "success"
 | dissect aws.cloudtrail.request_parameters "{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?groupName}=%{group.name}}"
 | where policyName == "AdministratorAccess"
-| keep @timestamp, aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.access_key_id, event.action, policyName, group.name, user_agent.original, source.address, source.geo.location
-| sort aws.cloudtrail.user_identity.arn
 '''
 
 
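Review bot: Shrinking the lookback to `from = "now-6m"` leaves only about one minute of slack beyond a presumed 5-minute interval, and that is tight for CloudTrail: AWS delivers events minutes after `eventTime`, so an AttachGroupPolicy call whose `@timestamp` is already more than six minutes old when the rule runs is never evaluated and is missed outright rather than alerted late. The hunk shows neither an `interval` nor a `timestamp_override`, so unless this rule type can override on `event.ingested` the safer value is the previous `from = "now-10m"`. If 6m is the repository convention, the delivery-latency assumption should at least be recorded in the rule's `note` so operators know to confirm that their CloudTrail-to-Elastic lag stays under a minute.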
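Review bot: The query still sources `from logs-aws.cloudtrail-*` with no `metadata _id, _version, _index` (visible only in the hunk header), so the rule has no document identity to deduplicate on, and any AttachGroupPolicy event that lands in the overlap between consecutive runs is likely to alert twice; changing the source line to `from logs-aws.cloudtrail-* metadata _id, _version, _index` fixes that without touching the match logic. Dropping the `keep` is reasonable since the alert now carries the full CloudTrail document, but note that the `dissect` silently discards any event whose `request_parameters` serializes `groupName` before `policyArn` or with different spacing, because a failed dissect leaves `policyName` null and the final `where` drops the row — worth a comment on the dissect line or a fixture for the integration's serialized order. Removing the `sort` is fine; it did not change which rows match. The `query = '''` definition begins before the hunk.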
diff --git a/rules/integrations/aws/privilege_escalation_aws_iam_administratoraccess_policy_attached_to_role.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml
similarity index 94%
rename from rules/integrations/aws/privilege_escalation_aws_iam_administratoraccess_policy_attached_to_role.toml
rename to rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml
index 33fb26d55..315b25f19 100644
--- a/rules/integrations/aws/privilege_escalation_aws_iam_administratoraccess_policy_attached_to_role.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml
@@ -2,8 +2,8 @@
 creation_date = "2024/05/31"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/31"
-min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully"
+updated_date = "2024/07/05"
+min_stack_comments = "ES|QL rule type in technical preview as of 8.13."
 min_stack_version = "8.13.0"
 
 [rule]
@@ -20,7 +20,7 @@ false_positives = [
 to attach the `AdministratorAccess` policy to the target role.
 """,
 ]
-from = "now-10m"
+from = "now-6m"
 language = "esql"
 license = "Elastic License v2"
 name = "AWS IAM AdministratorAccess Policy Attached to Role"
@@ -103,8 +103,6 @@ from logs-aws.cloudtrail-*
 | where event.provider == "iam.amazonaws.com" and event.action == "AttachRolePolicy" and event.outcome == "success"
 | dissect aws.cloudtrail.request_parameters "{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?roleName}=%{role.name}}"
 | where policyName == "AdministratorAccess"
-| keep @timestamp, aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.access_key_id, event.action, policyName, role.name, user_agent.original, source.address, source.geo.location
-| sort aws.cloudtrail.user_identity.arn
 '''
 
 
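Review bot: The new `from = "now-6m"` leaves roughly one minute of slack past a presumed 5-minute interval, which is a narrow `@timestamp` window for CloudTrail data that AWS delivers minutes after `eventTime`; an AttachRolePolicy event arriving with an event time older than six minutes at run time is never evaluated, not merely alerted late. Neither an `interval` nor a `timestamp_override` appears in the hunk, so unless the rule can key the window on `event.ingested` the previous `from = "now-10m"` is the safer choice. If the 6m window is a repository-wide convention, record the latency assumption in the rule's `note` so operators know their CloudTrail-to-Elastic lag must stay under about a minute.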
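Review bot: The source line `from logs-aws.cloudtrail-*` (seen only in the hunk header) still requests no `metadata _id, _version, _index`, so the rule has no document identity for alert deduplication and an AttachRolePolicy event inside the overlap between consecutive runs is likely to fire twice; `from logs-aws.cloudtrail-* metadata _id, _version, _index` fixes that with no change to the match logic. Removing the `keep` is fine because the alert now carries the full CloudTrail document, but the `dissect` pattern assumes `policyArn` precedes `roleName` in `request_parameters`; if the integration serializes them in another order, `policyName` stays null and the final `where` silently drops the event, so a comment on the dissect line or a fixture for the serialized form would help. Dropping the `sort` has no effect on which rows match. The enclosing `query = '''` starts before the hunk.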
diff --git a/rules/integrations/aws/privilege_escalation_aws_iam_administratoraccess_policy_attached_to_user.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml
similarity index 94%
rename from rules/integrations/aws/privilege_escalation_aws_iam_administratoraccess_policy_attached_to_user.toml
rename to rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml
index 2fd2baff4..f1702a82a 100644
--- a/rules/integrations/aws/privilege_escalation_aws_iam_administratoraccess_policy_attached_to_user.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml
@@ -2,8 +2,8 @@
 creation_date = "2024/05/30"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/30"
-min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully"
+updated_date = "2024/07/05"
+min_stack_comments = "ES|QL rule type in technical preview as of 8.13."
 min_stack_version = "8.13.0"
 
 [rule]
@@ -20,7 +20,7 @@ false_positives = [
 to attach the `AdministratorAccess` policy to the target user.
 """,
 ]
-from = "now-10m"
+from = "now-6m"
 language = "esql"
 license = "Elastic License v2"
 name = "AWS IAM AdministratorAccess Policy Attached to User"
@@ -103,8 +103,6 @@ from logs-aws.cloudtrail-*
 | where event.provider == "iam.amazonaws.com" and event.action == "AttachUserPolicy" and event.outcome == "success"
 | dissect aws.cloudtrail.request_parameters "{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?userName}=%{target.userName}}"
 | where policyName == "AdministratorAccess"
-| keep @timestamp, aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.access_key_id, event.action, policyName, target.userName, user_agent.original, source.address, source.geo.location
-| sort aws.cloudtrail.user_identity.arn
 '''
 
 
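Review bot: Cutting the lookback to `from = "now-6m"` leaves about one minute of margin over a presumed 5-minute interval, which is a thin `@timestamp` window for CloudTrail, where AWS delivers events minutes after `eventTime`; an AttachUserPolicy call whose event time is already more than six minutes old when the rule runs is never evaluated at all. The hunk shows no `interval` and no `timestamp_override`, so unless this rule can window on `event.ingested` the prior `from = "now-10m"` is the safer setting. If 6m is the repository convention, the latency assumption belongs in the rule's `note` so operators know to verify that their CloudTrail-to-Elastic lag stays under roughly a minute.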
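Review bot: The source clause `from logs-aws.cloudtrail-*` (visible only in the hunk header) still carries no `metadata _id, _version, _index`, leaving the rule without a document identity to deduplicate on, so an AttachUserPolicy event in the overlap between consecutive runs is likely to alert twice; `from logs-aws.cloudtrail-* metadata _id, _version, _index` fixes that without altering the match. Dropping the `keep` is sensible now that the alert carries the whole CloudTrail document, but the `dissect` depends on `policyArn` preceding `userName` in `request_parameters`; if the integration emits another order, `policyName` is null and the final `where` silently drops the event, so either comment the dissect line with that assumption or add a fixture for the serialized form. Removing the `sort` is fine since it never changed which rows matched. The `query = '''` definition opens before the hunk.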