* [Rule Tuning] Potential AWS S3 Bucket Ransomware Note Uploaded
This rule was very loud in telemetry since it's last tuning. ~8,938 alerts in last 24 hours. All false positives due to regex pattern matches for file names like `enc` as part of /filetransfertmsadherence/ and absence/; `lock` as part of citations-blocks/.
I've reworked this rule based on more research into common ransom note file name keywords and replaced the list here with the most common keywords. For `file` (the most common) and `back`, I was still seeing false positives so decided to alert on a combination of either or these 2 words in conjunction with any of the other words from the list. I also changed the regex to be case-insensitive.
With this new query, I see only true positive results within the last year all from known testing events.
I changed the toml file name so the rule looks new but it is just tuned.
I've updated the description and investigation guide, and added the study I used as a reference: https://www.mdpi.com/2073-431X/10/11/145#computers-10-00145-f002
Test data is in our stack, script for executing is here:
Screenshot of new working query in our test stack
* Apply suggestions from code review
* removing redundany regex pattern
Isai
1c59a6adde