From f3d95cccce4f9e63f4171cb6cb01865cf84ffc26 Mon Sep 17 00:00:00 2001 
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Tue, 16 Apr 2024 10:08:57 -0400
Subject: [PATCH] adjust aws rule index patterns and tags (#3595)

(cherry picked from commit 74312797bfe371d20cedae05fe63d9b413d48f88)

---
 .../aws/collection_cloudtrail_logging_created.toml | 4 ++--
 .../credential_access_aws_iam_assume_role_brute_force.toml | 4 ++--
 .../aws/credential_access_iam_user_addition_to_group.toml | 4 ++--
 ...tial_access_new_terms_secretsmanager_getsecretvalue.toml | 4 ++--
 .../credential_access_root_console_failure_brute_force.toml | 4 ++--
 .../aws/defense_evasion_cloudtrail_logging_deleted.toml | 4 ++--
 .../aws/defense_evasion_cloudtrail_logging_suspended.toml | 4 ++--
 .../aws/defense_evasion_cloudwatch_alarm_deletion.toml | 4 ++--
 .../aws/defense_evasion_config_service_rule_deletion.toml | 4 ++--
 .../aws/defense_evasion_configuration_recorder_stopped.toml | 4 ++--
 .../aws/defense_evasion_ec2_flow_log_deletion.toml | 4 ++--
 .../aws/defense_evasion_ec2_network_acl_deletion.toml | 4 ++--
 ...defense_evasion_elasticache_security_group_creation.toml | 4 ++--
 ...sion_elasticache_security_group_modified_or_deleted.toml | 4 ++--
 ...nse_evasion_escalation_aws_suspicious_saml_activity.toml | 4 ++--
 .../aws/defense_evasion_guardduty_detector_deletion.toml | 4 ++--
 .../defense_evasion_s3_bucket_configuration_deletion.toml | 4 ++--
 .../integrations/aws/defense_evasion_waf_acl_deletion.toml | 4 ++--
 .../defense_evasion_waf_rule_or_rule_group_deletion.toml | 4 ++--
 ...filtration_ec2_full_network_packet_capture_detected.toml | 4 ++--
 .../aws/exfiltration_ec2_snapshot_change_activity.toml | 4 ++--
 .../aws/exfiltration_ec2_vm_export_failure.toml | 5 +++--
 .../integrations/aws/exfiltration_rds_snapshot_export.toml | 4 ++--
 .../aws/exfiltration_rds_snapshot_restored.toml | 4 ++--
 .../impact_aws_eventbridge_rule_disabled_or_deleted.toml | 4 ++--
 .../integrations/aws/impact_cloudtrail_logging_updated.toml | 6 +++---
 .../aws/impact_cloudwatch_log_group_deletion.toml | 6 +++---
 .../aws/impact_cloudwatch_log_stream_deletion.toml | 5 +++--
 .../integrations/aws/impact_ec2_disable_ebs_encryption.toml | 6 +++---
 .../aws/impact_efs_filesystem_or_mount_deleted.toml | 4 ++--
 .../integrations/aws/impact_iam_deactivate_mfa_device.toml | 6 +++---
 rules/integrations/aws/impact_iam_group_deletion.toml | 6 +++---
 .../impact_kms_cmk_disabled_or_scheduled_for_deletion.toml | 6 +++---
 rules/integrations/aws/impact_rds_group_deletion.toml | 6 +++---
 .../aws/impact_rds_instance_cluster_deletion.toml | 6 +++---
 .../aws/impact_rds_instance_cluster_stoppage.toml | 6 +++---
 .../integrations/aws/initial_access_console_login_root.toml | 5 +++--
 .../integrations/aws/initial_access_password_recovery.toml | 6 +++---
 .../integrations/aws/initial_access_via_system_manager.toml | 5 +++--
 .../aws/persistence_ec2_network_acl_creation.toml | 6 +++---
 ...e_ec2_security_group_configuration_change_detection.toml | 6 +++---
 rules/integrations/aws/persistence_iam_group_creation.toml | 6 +++---
 .../integrations/aws/persistence_rds_cluster_creation.toml | 6 +++---
 rules/integrations/aws/persistence_rds_group_creation.toml | 6 +++---
 .../integrations/aws/persistence_rds_instance_creation.toml | 6 +++---
 .../aws/persistence_redshift_instance_creation.toml | 6 +++---
 .../persistence_route_53_domain_transfer_lock_disabled.toml | 6 +++---
 ...ence_route_53_domain_transferred_to_another_account.toml | 6 +++---
 ...sistence_route_53_hosted_zone_associated_with_a_vpc.toml | 6 +++---
 rules/integrations/aws/persistence_route_table_created.toml | 6 +++---
 .../aws/persistence_route_table_modified_or_deleted.toml | 6 +++---
 .../aws/privilege_escalation_root_login_without_mfa.toml | 5 +++--
 .../aws/privilege_escalation_sts_assumerole_usage.toml | 6 +++---
 .../aws/privilege_escalation_sts_getsessiontoken_abuse.toml | 6 +++---
 .../aws/privilege_escalation_updateassumerolepolicy.toml | 5 +++--
 55 files changed, 140 insertions(+), 134
deletions(-) diff --git a/rules/integrations/aws/collection_cloudtrail_logging_created.toml b/rules/integrations/aws/collection_cloudtrail_logging_created.toml index 7c98b094c..3ecd07148 100644 --- a/rules/integrations/aws/collection_cloudtrail_logging_created.toml +++ b/rules/integrations/aws/collection_cloudtrail_logging_created.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" min_stack_version = "8.9.0" -updated_date = "2023/10/24" +updated_date = "2024/04/14" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ """, ] from = "now-60m" -index = ["filebeat-*", "logs-aws*"] +index = ["filebeat-*", "logs-aws.cloudtrail-*"] interval = "10m" language = "kuery" license = "Elastic License v2" diff --git a/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml b/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml index b3e6e7226..17ca61309 100644 --- a/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml +++ b/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" min_stack_version = "8.9.0" -updated_date = "2024/01/05" +updated_date = "2024/04/14" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ used to delegate access to users or services. An adversary may attempt to enumer role exists before attempting to assume or hijack the discovered role. """ from = "now-20m" -index = ["filebeat-*", "logs-aws*"] +index = ["filebeat-*", "logs-aws.cloudtrail-*"] language = "kuery" license = "Elastic License v2" name = "AWS IAM Brute Force of Assume Role Policy" 
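Review bot: Nothing in the second hunk of collection_cloudtrail_logging_created.toml confirms that the rule's query constrains `event.dataset` to CloudTrail, so the narrowing of `index` from `logs-aws*` to `logs-aws.cloudtrail-*` cannot be verified from the hunk to preserve the rule's previous coverage: if the query already filtered on the CloudTrail dataset the change is a pure tightening, and if it did not, the old pattern was also searching other AWS data streams that the new pattern no longer reaches. The same narrowing is applied to every other rule in this patch (credential_access_aws_iam_assume_role_brute_force.toml, credential_access_iam_user_addition_to_group.toml and the defense_evasion_*, exfiltration_* and impact_* files that follow), so one pass over the queries settles it for all of them. `filebeat-*` is left as broad as before, so the tightening only affects the integration data streams. If the rule tooling preserves comments, a line above the key such as `# CloudTrail data stream only; keep in sync with the query's event.dataset filter` would record the intent for the next edit.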
diff --git a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml index 57f07beba..18248e825 100644 --- a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml +++ b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" min_stack_version = "8.9.0" -updated_date = "2023/10/24" +updated_date = "2024/04/14" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ false_positives = [ """, ] from = "now-60m" -index = ["filebeat-*", "logs-aws*"] +index = ["filebeat-*", "logs-aws.cloudtrail-*"] interval = "10m" language = "kuery" license = "Elastic License v2" diff --git a/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml b/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml index 856c8b08c..6365cc34c 100644 --- a/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml +++ b/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" min_stack_version = "8.9.0" -updated_date = "2024/03/07" +updated_date = "2024/04/14" [rule] author = ["Nick Jones", "Elastic"] @@ -20,7 +20,7 @@ false_positives = [ """, ] from = "now-60m" -index = ["filebeat-*", "logs-aws.cloudtrail*"] +index = ["filebeat-*", "logs-aws.cloudtrail-*"] interval = "10m" language = "kuery" license = "Elastic License v2" diff --git a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml index 6b1afc4d2..889e6d56a 100644 
--- a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml +++ b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" min_stack_version = "8.9.0" -updated_date = "2024/01/05" +updated_date = "2024/04/14" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ false_positives = [ """, ] from = "now-20m" -index = ["filebeat-*", "logs-aws*"] +index = ["filebeat-*", "logs-aws.cloudtrail-*"] language = "kuery" license = "Elastic License v2" name = "AWS Management Console Brute Force of Root User Identity" diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml index 3b713f994..fab6ee327 100644 --- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml +++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" min_stack_version = "8.9.0" -updated_date = "2023/10/24" +updated_date = "2024/04/14" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ """, ] from = "now-60m" -index = ["filebeat-*", "logs-aws*"] +index = ["filebeat-*", "logs-aws.cloudtrail-*"] interval = "10m" language = "kuery" license = "Elastic License v2" diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml index 4e64f98ed..6d1ee6ef2 100644 --- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml +++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml 
@@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" min_stack_version = "8.9.0" -updated_date = "2023/10/24" +updated_date = "2024/04/14" [rule] author = ["Elastic"] @@ -21,7 +21,7 @@ false_positives = [ """, ] from = "now-60m" -index = ["filebeat-*", "logs-aws*"] +index = ["filebeat-*", "logs-aws.cloudtrail-*"] interval = "10m" language = "kuery" license = "Elastic License v2" diff --git a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml index e2421b561..3d5915bd6 100644 --- a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml +++ b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" min_stack_version = "8.9.0" -updated_date = "2023/10/24" +updated_date = "2024/04/14" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ """, ] from = "now-60m" -index = ["filebeat-*", "logs-aws*"] +index = ["filebeat-*", "logs-aws.cloudtrail-*"] interval = "10m" language = "kuery" license = "Elastic License v2" diff --git a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml index ee935f6b6..451dda334 100644 --- a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml +++ b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" min_stack_version = "8.9.0" -updated_date = "2023/10/24" +updated_date = "2024/04/14" [rule] author = ["Elastic", "Austin Songer"] 
@@ -21,7 +21,7 @@ false_positives = [ """, ] from = "now-60m" -index = ["filebeat-*", "logs-aws*"] +index = ["filebeat-*", "logs-aws.cloudtrail-*"] interval = "10m" language = "kuery" license = "Elastic License v2" diff --git a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml index 4aa177260..cc02cd56a 100644 --- a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml +++ b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" min_stack_version = "8.9.0" -updated_date = "2023/10/24" +updated_date = "2024/04/14" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ """, ] from = "now-60m" -index = ["filebeat-*", "logs-aws*"] +index = ["filebeat-*", "logs-aws.cloudtrail-*"] interval = "10m" language = "kuery" license = "Elastic License v2" diff --git a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml index c269e47f0..7f1090ef1 100644 --- a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml +++ b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" min_stack_version = "8.9.0" -updated_date = "2023/10/24" +updated_date = "2024/04/14" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ false_positives = [ """, ] from = "now-60m" -index = ["filebeat-*", "logs-aws*"] +index = ["filebeat-*", "logs-aws.cloudtrail-*"] interval = "10m" language = "kuery" license = "Elastic License v2" 
diff --git a/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml index 666c41e15..1db8508a9 100644 --- a/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml +++ b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" min_stack_version = "8.9.0" -updated_date = "2023/10/24" +updated_date = "2024/04/14" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ false_positives = [ """, ] from = "now-60m" -index = ["filebeat-*", "logs-aws*"] +index = ["filebeat-*", "logs-aws.cloudtrail-*"] interval = "10m" language = "kuery" license = "Elastic License v2" diff --git a/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml b/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml index 7a2f09090..5d5500605 100644 --- a/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml +++ b/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" min_stack_version = "8.9.0" -updated_date = "2023/10/24" +updated_date = "2024/04/14" [rule] author = ["Austin Songer"] @@ -18,7 +18,7 @@ false_positives = [ """, ] from = "now-60m" -index = ["filebeat-*", "logs-aws*"] +index = ["filebeat-*", "logs-aws.cloudtrail-*"] interval = "10m" language = "kuery" license = "Elastic License v2" diff --git a/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml b/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml index 95da9223e..bb65f1940 100644 --- a/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml 
+++ b/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" min_stack_version = "8.9.0" -updated_date = "2023/10/24" +updated_date = "2024/04/14" [rule] author = ["Austin Songer"] @@ -18,7 +18,7 @@ false_positives = [ """, ] from = "now-60m" -index = ["filebeat-*", "logs-aws*"] +index = ["filebeat-*", "logs-aws.cloudtrail-*"] interval = "10m" language = "kuery" license = "Elastic License v2" diff --git a/rules/integrations/aws/defense_evasion_escalation_aws_suspicious_saml_activity.toml b/rules/integrations/aws/defense_evasion_escalation_aws_suspicious_saml_activity.toml index 69f5076ed..2d034a9e7 100644 --- a/rules/integrations/aws/defense_evasion_escalation_aws_suspicious_saml_activity.toml +++ b/rules/integrations/aws/defense_evasion_escalation_aws_suspicious_saml_activity.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" min_stack_version = "8.9.0" -updated_date = "2023/10/24" +updated_date = "2024/04/14" [rule] author = ["Austin Songer"] @@ -17,7 +17,7 @@ false_positives = [ """, ] from = "now-25m" -index = ["filebeat-*", "logs-aws*"] +index = ["filebeat-*", "logs-aws.cloudtrail-*"] language = "kuery" license = "Elastic License v2" name = "AWS SAML Activity" diff --git a/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml index 8b68bb624..54e33b5a9 100644 --- a/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml +++ b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml 
@@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" min_stack_version = "8.9.0" -updated_date = "2023/10/24" +updated_date = "2024/04/14" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ false_positives = [ """, ] from = "now-60m" -index = ["filebeat-*", "logs-aws*"] +index = ["filebeat-*", "logs-aws.cloudtrail-*"] interval = "10m" language = "kuery" license = "Elastic License v2" diff --git a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml index 8183f3ce9..0777ffc65 100644 --- a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml +++ b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" min_stack_version = "8.9.0" -updated_date = "2023/10/24" +updated_date = "2024/04/14" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ """, ] from = "now-60m" -index = ["filebeat-*", "logs-aws*"] +index = ["filebeat-*", "logs-aws.cloudtrail-*"] interval = "10m" language = "kuery" license = "Elastic License v2" diff --git a/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml index 6e6392a63..749b42b06 100644 --- a/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml +++ b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" min_stack_version = "8.9.0" -updated_date = "2023/10/24" +updated_date = "2024/04/14" [rule] author = ["Elastic"] 
@@ -17,7 +17,7 @@ false_positives = [ """, ] from = "now-60m" -index = ["filebeat-*", "logs-aws*"] +index = ["filebeat-*", "logs-aws.cloudtrail-*"] interval = "10m" language = "kuery" license = "Elastic License v2" diff --git a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml index 5c4d59871..a83cccbfa 100644 --- a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml +++ b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" min_stack_version = "8.9.0" -updated_date = "2023/10/24" +updated_date = "2024/04/14" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ """, ] from = "now-60m" -index = ["filebeat-*", "logs-aws*"] +index = ["filebeat-*", "logs-aws.cloudtrail-*"] interval = "10m" language = "kuery" license = "Elastic License v2" diff --git a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml index 057ad33b4..a305bc80d 100644 --- a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml +++ b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" min_stack_version = "8.9.0" -updated_date = "2023/10/24" +updated_date = "2024/04/14" [rule] author = ["Elastic", "Austin Songer"] @@ -21,7 +21,7 @@ false_positives = [ """, ] from = "now-60m" -index = ["filebeat-*", "logs-aws*"] +index = ["filebeat-*", "logs-aws.cloudtrail-*"] interval = "10m" language = "kuery" license = "Elastic License v2" 
diff --git a/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml b/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml index 2446da3f1..24f65ef73 100644 --- a/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml +++ b/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" min_stack_version = "8.9.0" -updated_date = "2023/10/24" +updated_date = "2024/04/14" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ false_positives = [ """, ] from = "now-60m" -index = ["filebeat-*", "logs-aws*"] +index = ["filebeat-*", "logs-aws.cloudtrail-*"] interval = "10m" language = "kuery" license = "Elastic License v2" diff --git a/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml b/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml index e086940ed..79bb43917 100644 --- a/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml +++ b/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml @@ -4,7 +4,8 @@ integration = ["aws"] maturity = "production" min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" min_stack_version = "8.9.0" -updated_date = "2023/10/24" +updated_date = "2024/04/14" + [rule] author = ["Elastic", "Austin Songer"] description = """ @@ -19,7 +20,7 @@ false_positives = [ """, ] from = "now-60m" -index = ["filebeat-*", "logs-aws*"] +index = ["filebeat-*", "logs-aws.cloudtrail-*"] interval = "10m" language = "kuery" license = "Elastic License v2" diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml index 02a64984f..e76a934dc 100644 --- a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml +++ b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml 
@@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" min_stack_version = "8.9.0" -updated_date = "2023/10/24" +updated_date = "2024/04/14" [rule] author = ["Elastic", "Austin Songer"] @@ -17,7 +17,7 @@ false_positives = [ """, ] from = "now-60m" -index = ["filebeat-*", "logs-aws*"] +index = ["filebeat-*", "logs-aws.cloudtrail-*"] interval = "10m" language = "kuery" license = "Elastic License v2" diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml index 19f25b6d0..8197da77b 100644 --- a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml +++ b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" min_stack_version = "8.9.0" -updated_date = "2023/10/24" +updated_date = "2024/04/14" [rule] author = ["Austin Songer"] @@ -20,7 +20,7 @@ false_positives = [ should be investigated. If known behavior is causing false positives, it can be exempted from the rule. """, ] -index = ["filebeat-*", "logs-aws*"] +index = ["filebeat-*", "logs-aws.cloudtrail-*"] language = "kuery" license = "Elastic License v2" name = "AWS RDS Snapshot Restored" diff --git a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml index 91440dc7b..6059acca4 100644 --- a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml +++ b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml 
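Review bot: The index hunk of exfiltration_rds_snapshot_restored.toml shows `]` closing `false_positives` directly followed by `index`, and `language` directly after `index`, so the rule carries neither a `from` nor an `interval` key, whereas the sibling rules in this patch set `from = "now-60m"` with `interval = "10m"`. If the keys are alphabetically ordered as in the other files, this rule runs on the default schedule and lookback, a narrower window than the CloudTrail rules around it, and the commit retargets its index pattern without revisiting that. Whether the rule sets `timestamp_override = "event.ingested"`, which would reduce the chance of missing late-arriving CloudTrail events, is not visible in the hunk. If the defaults are intentional, a comment above `index` such as `# default from/interval are deliberate` would stop the next reader from flagging it; otherwise adding `from = "now-60m"` and `interval = "10m"` aligns it with the other rules.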
@@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" min_stack_version = "8.9.0" -updated_date = "2023/10/24" +updated_date = "2024/04/14" [rule] author = ["Austin Songer"] @@ -21,7 +21,7 @@ false_positives = [ """, ] from = "now-20m" -index = ["filebeat-*", "logs-aws*"] +index = ["filebeat-*", "logs-aws.cloudtrail-*"] language = "kuery" license = "Elastic License v2" name = "AWS EventBridge Rule Disabled or Deleted" diff --git a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml index eb570fcfa..aa38f0674 100644 --- a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml +++ b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" min_stack_version = "8.9.0" -updated_date = "2023/10/24" +updated_date = "2024/04/14" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ """, ] from = "now-60m" -index = ["filebeat-*", "logs-aws*"] +index = ["filebeat-*", "logs-aws.cloudtrail-*"] interval = "10m" language = "kuery" license = "Elastic License v2" @@ -76,7 +76,7 @@ references = [ risk_score = 21 rule_id = "3e002465-876f-4f04-b016-84ef48ce7e5d" severity = "low" -tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Impact"] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Cloudtrail", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Impact"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml index 064094c8e..35f56683f 100644 
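Review bot: The new tag `"Data Source: AWS Cloudtrail"` in the third hunk of impact_cloudtrail_logging_updated.toml does not use the product's casing, CloudTrail, while every other tag added by this patch (`"Data Source: AWS CloudWatch"`, `"Data Source: AWS EC2"`, `"Data Source: AWS IAM"`, `"Data Source: AWS KMS"`, `"Data Source: AWS RDS"`) follows the vendor casing. Rule tags are filtered as literal strings, so the lowercase-t variant would sit in its own bucket next to any correctly cased `AWS CloudTrail` tag elsewhere in the repository; change it to `"Data Source: AWS CloudTrail"`. The other CloudTrail-specific rules in this patch (collection_cloudtrail_logging_created.toml, defense_evasion_cloudtrail_logging_deleted.toml, defense_evasion_cloudtrail_logging_suspended.toml) receive no equivalent tag in the hunks shown, which may be intentional but reads as inconsistent with the service tags applied to the CloudWatch, IAM, KMS and RDS rules.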
--- a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml +++ b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" min_stack_version = "8.9.0" -updated_date = "2023/10/24" +updated_date = "2024/04/14" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ false_positives = [ """, ] from = "now-60m" -index = ["filebeat-*", "logs-aws*"] +index = ["filebeat-*", "logs-aws.cloudtrail-*"] interval = "10m" language = "kuery" license = "Elastic License v2" @@ -81,7 +81,7 @@ references = [ risk_score = 47 rule_id = "68a7a5a5-a2fc-4a76-ba9f-26849de881b4" severity = "medium" -tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Impact"] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS CloudWatch", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Impact"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml index 83490a20d..f9f57c997 100644 --- a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml +++ b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" min_stack_version = "8.9.0" -updated_date = "2023/10/24" +updated_date = "2024/04/14" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ false_positives = [ """, ] from = "now-60m" -index = ["filebeat-*", "logs-aws*"] +index = ["filebeat-*", "logs-aws.cloudtrail-*"] interval = "10m" language = "kuery" license = "Elastic License v2" 
@@ -85,6 +85,7 @@ tags = [ "Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", + "Data Source: AWS CloudWatch", "Use Case: Log Auditing", "Tactic: Impact", "Resources: Investigation Guide", diff --git a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml index 4ddc1121c..efaedd396 100644 --- a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml +++ b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" min_stack_version = "8.9.0" -updated_date = "2023/10/24" +updated_date = "2024/04/14" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ false_positives = [ """, ] from = "now-60m" -index = ["filebeat-*", "logs-aws*"] +index = ["filebeat-*", "logs-aws.cloudtrail-*"] interval = "10m" language = "kuery" license = "Elastic License v2" @@ -36,7 +36,7 @@ references = [ risk_score = 47 rule_id = "bb9b13b2-1700-48a8-a750-b43b0a72ab69" severity = "medium" -tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Impact"] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Tactic: Impact"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml b/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml index 5894cecae..7bfe24021 100644 --- a/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml +++ b/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" min_stack_version = "8.9.0" -updated_date = "2023/10/24" +updated_date = "2024/04/14" [rule] author = ["Austin Songer"] 
@@ -21,7 +21,7 @@ false_positives = [ """, ] from = "now-60m" -index = ["filebeat-*", "logs-aws*"] +index = ["filebeat-*", "logs-aws.cloudtrail-*"] interval = "10m" language = "kuery" license = "Elastic License v2" diff --git a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml index 9fab36a07..c908c752f 100644 --- a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml +++ b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" min_stack_version = "8.9.0" -updated_date = "2023/10/24" +updated_date = "2024/04/14" [rule] author = ["Elastic", "Austin Songer"] @@ -21,7 +21,7 @@ false_positives = [ """, ] from = "now-60m" -index = ["filebeat-*", "logs-aws*"] +index = ["filebeat-*", "logs-aws.cloudtrail-*"] interval = "10m" language = "kuery" license = "Elastic License v2" @@ -75,7 +75,7 @@ references = [ risk_score = 47 rule_id = "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958" severity = "medium" -tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Resources: Investigation Guide", "Tactic: Impact"] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Resources: Investigation Guide", "Tactic: Impact"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/impact_iam_group_deletion.toml b/rules/integrations/aws/impact_iam_group_deletion.toml index 4ab1bb5aa..6c8c05f71 100644 --- a/rules/integrations/aws/impact_iam_group_deletion.toml +++ b/rules/integrations/aws/impact_iam_group_deletion.toml 
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
@@ -35,7 +35,7 @@ references = [
 risk_score = 21
 rule_id = "867616ec-41e5-4edc-ada2-ab13ab45de8a"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Impact"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml b/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
index e96b2938d..6eb74194e 100644
--- a/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
+++ b/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 [rule]
 author = ["Xavier Pich"]
@@ -22,7 +22,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
@@ -37,7 +37,7 @@ references = [
 risk_score = 47
 rule_id = "6951f15e-533c-4a60-8014-a3c3ab851a1b"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Tactic: Impact"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS KMS", "Use Case: Log Auditing", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/impact_rds_group_deletion.toml b/rules/integrations/aws/impact_rds_group_deletion.toml
index 0b27d82f7..4f13ca6bb 100644
--- a/rules/integrations/aws/impact_rds_group_deletion.toml
+++ b/rules/integrations/aws/impact_rds_group_deletion.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
@@ -30,7 +30,7 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Del
 risk_score = 21
 rule_id = "863cdf31-7fd3-41cf-a185-681237ea277b"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Impact"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
index 811f4578e..571098c77 100644
--- a/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
+++ b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
@@ -39,7 +39,7 @@ references = [
 risk_score = 47
 rule_id = "9055ece6-2689-4224-a0e0-b04881e1f8ad"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Impact"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: Asset Visibility", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml b/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
index 77d9869c7..423869ff9 100644
--- a/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
+++ b/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
@@ -34,7 +34,7 @@ references = [
 risk_score = 47
 rule_id = "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Impact"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: Asset Visibility", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/initial_access_console_login_root.toml b/rules/integrations/aws/initial_access_console_login_root.toml
index bd6a4d98d..e42fe045a 100644
--- a/rules/integrations/aws/initial_access_console_login_root.toml
+++ b/rules/integrations/aws/initial_access_console_login_root.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
@@ -69,6 +69,7 @@ tags = [
 "Domain: Cloud",
 "Data Source: AWS",
 "Data Source: Amazon Web Services",
+ "Data Source: AWS Signin",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
 "Tactic: Initial Access"
diff --git a/rules/integrations/aws/initial_access_password_recovery.toml b/rules/integrations/aws/initial_access_password_recovery.toml
index 766eefcbe..05f43038b 100644
--- a/rules/integrations/aws/initial_access_password_recovery.toml
+++ b/rules/integrations/aws/initial_access_password_recovery.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
@@ -32,7 +32,7 @@ references = ["https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/"]
 risk_score = 21
 rule_id = "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Initial Access"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Signin", "Use Case: Identity and Access Audit", "Tactic: Initial Access"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/initial_access_via_system_manager.toml b/rules/integrations/aws/initial_access_via_system_manager.toml
index f3e72f174..378c45ce1 100644
--- a/rules/integrations/aws/initial_access_via_system_manager.toml
+++ b/rules/integrations/aws/initial_access_via_system_manager.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
@@ -83,6 +83,7 @@ tags = [
 "Domain: Cloud",
 "Data Source: AWS",
 "Data Source: Amazon Web Services",
+ "Data Source: AWS SSM",
 "Use Case: Log Auditing",
 "Tactic: Initial Access",
 "Resources: Investigation Guide",
diff --git a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
index 4ad3b0a44..2fd07cb29 100644
--- a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
+++ b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
@@ -37,7 +37,7 @@ references = [
 risk_score = 21
 rule_id = "39144f38-5284-4f8e-a2ae-e3fd628d90b0"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
index 93a6aea90..70e77bbf7 100644
--- a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
+++ b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -21,7 +21,7 @@ false_positives = [
 """,
 ]
 from = "now-30m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
@@ -33,7 +33,7 @@ references = ["https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-securi
 risk_score = 21
 rule_id = "29052c19-ff3e-42fd-8363-7be14d7c5469"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_iam_group_creation.toml b/rules/integrations/aws/persistence_iam_group_creation.toml
index b0c544fe5..c638a8967 100644
--- a/rules/integrations/aws/persistence_iam_group_creation.toml
+++ b/rules/integrations/aws/persistence_iam_group_creation.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
@@ -35,7 +35,7 @@ references = [
 risk_score = 21
 rule_id = "169f3a93-efc7-4df2-94d6-0d9438c310d1"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_rds_cluster_creation.toml b/rules/integrations/aws/persistence_rds_cluster_creation.toml
index cbdb569d2..840f8a3c2 100644
--- a/rules/integrations/aws/persistence_rds_cluster_creation.toml
+++ b/rules/integrations/aws/persistence_rds_cluster_creation.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
@@ -37,7 +37,7 @@ references = [
 risk_score = 21
 rule_id = "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: Asset Visibility", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_rds_group_creation.toml b/rules/integrations/aws/persistence_rds_group_creation.toml
index 52c0669cf..70265434c 100644
--- a/rules/integrations/aws/persistence_rds_group_creation.toml
+++ b/rules/integrations/aws/persistence_rds_group_creation.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -17,7 +17,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
@@ -29,7 +29,7 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Cre
 risk_score = 21
 rule_id = "378f9024-8a0c-46a5-aa08-ce147ac73a4e"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Persistence"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_rds_instance_creation.toml b/rules/integrations/aws/persistence_rds_instance_creation.toml
index cec6b592e..bab383568 100644
--- a/rules/integrations/aws/persistence_rds_instance_creation.toml
+++ b/rules/integrations/aws/persistence_rds_instance_creation.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -17,7 +17,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
@@ -29,7 +29,7 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Cre
 risk_score = 21
 rule_id = "f30f3443-4fbb-4c27-ab89-c3ad49d62315"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: Asset Visibility", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_redshift_instance_creation.toml b/rules/integrations/aws/persistence_redshift_instance_creation.toml
index b08243647..5160db70a 100644
--- a/rules/integrations/aws/persistence_redshift_instance_creation.toml
+++ b/rules/integrations/aws/persistence_redshift_instance_creation.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
@@ -33,7 +33,7 @@ references = ["https://docs.aws.amazon.com/redshift/latest/APIReference/API_Crea
 risk_score = 21
 rule_id = "015cca13-8832-49ac-a01b-a396114809f6"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Redshift", "Use Case: Asset Visibility", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
index 1e690fa56..4e065c4fa 100644
--- a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
+++ b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -20,7 +20,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
@@ -35,7 +35,7 @@ references = [
 risk_score = 21
 rule_id = "12051077-0124-4394-9522-8f4f4db1d674"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Asset Visibility", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
index 61fffb6b3..166506aa7 100644
--- a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
+++ b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
@@ -30,7 +30,7 @@ references = ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Opera
 risk_score = 21
 rule_id = "2045567e-b0af-444a-8c0b-0b6e2dae9e13"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Asset Visibility", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
index b00cafb0a..7b763c72d 100644
--- a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
+++ b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 [rule]
 author = ["Austin Songer"]
@@ -17,7 +17,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
@@ -29,7 +29,7 @@ references = ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Assoc
 risk_score = 21
 rule_id = "e3c27562-709a-42bd-82f2-3ed926cced19"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Asset Visibility", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_route_table_created.toml b/rules/integrations/aws/persistence_route_table_created.toml
index a3107b252..b79c5f296 100644
--- a/rules/integrations/aws/persistence_route_table_created.toml
+++ b/rules/integrations/aws/persistence_route_table_created.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
@@ -34,7 +34,7 @@ references = [
 risk_score = 21
 rule_id = "e12c0318-99b1-44f2-830c-3a38a43207ca"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
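Review bot: The `"Data Source: AWS Route53"` tag added to persistence_route_table_created.toml does not match what the rule covers: VPC route tables are EC2 API objects (CreateRouteTable is an ec2.amazonaws.com action, not a Route 53 one), so the tag should most likely be `"Data Source: AWS EC2"`, the value persistence_ec2_network_acl_creation.toml receives earlier in this patch. The same mismatch is in the next file, persistence_route_table_modified_or_deleted.toml. Further on, privilege_escalation_root_login_without_mfa.toml also gets `"Data Source: AWS Route53"`, although root console logins are recorded by signin.amazonaws.com and the sibling initial_access_console_login_root.toml is tagged `"Data Source: AWS Signin"` here; and privilege_escalation_updateassumerolepolicy.toml gets `"Data Source: AWS STS"`, although UpdateAssumeRolePolicy is an IAM action, so `"Data Source: AWS IAM"` would line up with the other IAM rules in this commit. Tags are free-form strings that pass validation regardless, so a wrong one only surfaces when someone filters the rule set by data source; each should be confirmed against the `event.provider` in the rule's query, which is outside these hunks.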
diff --git a/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml b/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
index a1b287b2a..6f3cc8f42 100644
--- a/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
+++ b/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
@@ -38,7 +38,7 @@ references = [
 risk_score = 21
 rule_id = "e7cd5982-17c8-4959-874c-633acde7d426"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml b/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
index 67c7d630b..903cb9c1b 100644
--- a/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
+++ b/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
@@ -74,6 +74,7 @@ tags = [
 "Domain: Cloud",
 "Data Source: AWS",
 "Data Source: Amazon Web Services",
+ "Data Source: AWS Route53",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
 "Tactic: Privilege Escalation"
diff --git a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
index 1a0318d5f..c81aedb04 100644
--- a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
+++ b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 [rule]
 author = ["Austin Songer"]
@@ -13,7 +13,7 @@ Identifies the use of AssumeRole. AssumeRole returns a set of temporary security
 AWS resources. An adversary could use those credentials to move laterally and escalate privileges.
 """
 false_positives = ["Automated processes that use Terraform may lead to false positives."]
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Security Token Service (STS) AssumeRole Usage"
@@ -24,7 +24,7 @@ references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRol
 risk_score = 21
 rule_id = "93075852-b0f5-4b8b-89c3-a226efae5726"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS STS", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml b/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
index 21023d227..48ce9ac22 100644
--- a/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
+++ b/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 [rule]
 author = ["Austin Songer"]
@@ -19,7 +19,7 @@ false_positives = [
 be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS STS GetSessionToken Abuse"
@@ -30,7 +30,7 @@ references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessio
 risk_score = 21
 rule_id = "b45ab1d2-712f-4f01-a751-df3826969807"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS STS", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml b/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
index dbc55b859..53313087b 100644
--- a/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
+++ b/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2023/10/24"
+updated_date = "2024/04/14"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*", "logs-aws*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
@@ -75,6 +75,7 @@ tags = [
 "Domain: Cloud",
 "Data Source: AWS",
 "Data Source: Amazon Web Services",
+ "Data Source: AWS STS",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
 "Tactic: Privilege Escalation"