sigma-rules

security-tools/sigma-rules

Fork 0

Commit Graph

Author	SHA1	Message	Date
Isai	3ff5f6ba72	[Rule Tunings] AWS RDS Rules (#5366 ) * [Rule Tunings] AWS RDS Rules #### AWS RDS DB Instance Made Public - updated description and investigation guide - added highlighted fields #### AWS RDS DB Instance or Cluster Deletion Protection Disabled - updated description and investigation guide - added highlighted fields #### AWS RDS Snapshot Deleted - excluded `backup.amazonaws.com` as this is expected behavior. This exclusion reduces noise in telemetry by ~77% - updated description and investigation guide - added highlighted fields #### AWS Deletion of RDS Instance or Cluster > AWS RDS DB Instance or Cluster Deleted - reduced execution window - slight name change to align with other rules - updated description and investigation guide - added highlighted fields #### AWS RDS DB Instance Restored - `event.type` used for `event_category_override` because event.category is not mapped for these API calls - updated description and investigation guide - added highlighted fields #### AWS RDS DB Instance or Cluster Password Modified - `event.type` used for `event_category_override` because event.category is not mapped for these API calls - updated description and investigation guide - added highlighted fields #### AWS RDS Snapshot Export - reduced execution window - updated mitre mapping - updated description and investigation guide - added highlighted fields * rule type change from eql to kql changing rule type to kql since there's not eql specific functions needed for the query	2025-12-02 17:35:36 -05:00
Mika Ayenson	fe8c81d762	[FR] Generate investigation guides (#4358 )	2025-01-22 11:17:38 -06:00
Isai	f62644887e	[Rule Tuning] AWS RDS Snapshot Restored (#3809 ) * [Tuning] AWS RDS Instance Restored -name and description change to better describe behavior - rule file name changed to match tactic - query change to add coverage for restore from S3 - rule type changed to eql - subtechnique added for creaing instance - tag added for RDS datasource - Investigation Guide added * Update defense_evasion_rds_instance_restored.toml * Update defense_evasion_rds_instance_restored.toml * removed investigation guide place holder * deprecated old rule because of name change * change rule_id * Revert "change rule_id" This reverts commit 0764c932f412439319e2d15a6bd80c360cf3fdc2. * Revert "deprecated old rule because of name change" This reverts commit fd62673380b40ba9ee432a271da3a8c5374e7129.	2024-06-28 20:42:36 -04:00

Author

SHA1

Message

Date

Isai

3ff5f6ba72

[Rule Tunings] AWS RDS Rules (#5366 )

* [Rule Tunings] AWS RDS Rules

#### AWS RDS DB Instance Made Public
- updated description and investigation guide
- added highlighted fields

#### AWS RDS DB Instance or Cluster Deletion Protection Disabled
- updated description and investigation guide
- added highlighted fields

#### AWS RDS Snapshot Deleted
- excluded `backup.amazonaws.com` as this is expected behavior. This exclusion reduces noise in telemetry by ~77%
- updated description and investigation guide
- added highlighted fields

#### AWS Deletion of RDS Instance or Cluster > AWS RDS DB Instance or Cluster Deleted
- reduced execution window
- slight name change to align with other rules
- updated description and investigation guide
- added highlighted fields

#### AWS RDS DB Instance Restored
- `event.type` used for `event_category_override` because event.category is not mapped for these API calls
- updated description and investigation guide
- added highlighted fields

#### AWS RDS DB Instance or Cluster Password Modified
- `event.type` used for `event_category_override` because event.category is not mapped for these API calls
- updated description and investigation guide
- added highlighted fields

#### AWS RDS Snapshot Export
- reduced execution window
- updated mitre mapping
- updated description and investigation guide
- added highlighted fields

* rule type change from eql to kql

changing rule type to kql since there's not eql specific functions needed for the query

2025-12-02 17:35:36 -05:00

Mika Ayenson

fe8c81d762

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

Isai

f62644887e

[Rule Tuning] AWS RDS Snapshot Restored (#3809 )

* [Tuning] AWS RDS Instance Restored

-name and description change to better describe behavior
- rule file name changed to match tactic
- query change to add coverage for restore from S3
- rule type changed to eql
- subtechnique added for creaing instance
- tag added for RDS datasource
- Investigation Guide added

* Update defense_evasion_rds_instance_restored.toml

* Update defense_evasion_rds_instance_restored.toml

* removed investigation guide place holder

* deprecated old rule because of name change

* change rule_id

* Revert "change rule_id"

This reverts commit 0764c932f412439319e2d15a6bd80c360cf3fdc2.

* Revert "deprecated old rule because of name change"

This reverts commit fd62673380b40ba9ee432a271da3a8c5374e7129.

2024-06-28 20:42:36 -04:00

3 Commits