Isai 4d89eab189 [Rule Tuning] AWS S3 Bucket Server Access Logging Disabled (#5254) ...

#### AWS S3 Bucket Server Access Logging Disabled
Rule is triggering as expected with low telemetry
- removed `any` from EQL query by replacing event category field with `event.type` as this is mapped for the API action `PutBucketLogging`
- added `event.provider` as part of query
- updated Investigation guide
- Added highlighted fields

2025-11-10 11:36:55 -05:00

..

collection_cloudtrail_logging_created.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

collection_s3_unauthenticated_bucket_access_by_rare_source.toml

[Tuning] AWS S3 Unauthenticated Bucket Access by Rare Source (#5075)

2025-09-11 17:13:41 -04:00

credential_access_aws_getpassword_for_ec2_instance.toml

[Rule Tuning] AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role (#4774)

2025-06-06 15:08:48 -04:00

credential_access_aws_iam_assume_role_brute_force.toml

Back-porting Version Trimming (#3704)

2024-05-23 00:45:10 +05:30

credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

credential_access_iam_user_addition_to_group.toml

Back-porting Version Trimming (#3704)

2024-05-23 00:45:10 +05:30

credential_access_new_terms_secretsmanager_getsecretvalue.toml

[Rule Tuning] First Time Seen AWS Secret Value Accessed in Secrets Manager (#4992)

2025-08-25 12:00:47 -04:00

credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml

Replace master doc URLs with current (#4439)

2025-02-03 21:27:50 +05:30

credential_access_retrieve_secure_string_parameters_via_ssm.toml

[Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules (#4892)

2025-07-18 19:15:36 -04:00

credential_access_root_console_failure_brute_force.toml

[Rule Tuning][Deprecation] AWS Root Console Login Rules (#5201)

2025-10-15 14:16:02 -04:00

defense_evasion_cloudtrail_logging_deleted.toml

[Rule Tuning] Add Investigation Fields to Specific AWS Rules (#4261)

2024-11-08 23:11:18 -05:00

defense_evasion_cloudtrail_logging_evasion.toml

[New Rule] AWS CloudTrail Log Evasion (#4788)

2025-06-17 13:58:26 -04:00

defense_evasion_cloudtrail_logging_suspended.toml

Back-porting Version Trimming (#3704)

2024-05-23 00:45:10 +05:30

defense_evasion_cloudwatch_alarm_deletion.toml

Back-porting Version Trimming (#3704)

2024-05-23 00:45:10 +05:30

defense_evasion_config_service_rule_deletion.toml

Back-porting Version Trimming (#3704)

2024-05-23 00:45:10 +05:30

defense_evasion_configuration_recorder_stopped.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

defense_evasion_ec2_flow_log_deletion.toml

[Rule Tunings] AWS EC2 Flow Log Deletion and Network ACL Activity (#4778)

2025-06-06 14:11:54 -04:00

defense_evasion_ec2_network_acl_deletion.toml

[Rule Tunings] AWS EC2 Flow Log Deletion and Network ACL Activity (#4778)

2025-06-06 14:11:54 -04:00

defense_evasion_elasticache_security_group_creation.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

defense_evasion_elasticache_security_group_modified_or_deleted.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

defense_evasion_guardduty_detector_deletion.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

defense_evasion_rds_instance_restored.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

defense_evasion_route53_dns_query_resolver_config_deletion.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

defense_evasion_s3_bucket_configuration_deletion.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

defense_evasion_s3_bucket_lifecycle_expiration_added.toml

[Rule Tuning] AWS S3 Bucket Expiration Lifecycle Configuration Added (#5251)

2025-11-10 11:25:06 -05:00

defense_evasion_s3_bucket_server_access_logging_disabled.toml

[Rule Tuning] AWS S3 Bucket Server Access Logging Disabled (#5254)

2025-11-10 11:36:55 -05:00

defense_evasion_sqs_purge_queue.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

defense_evasion_sts_get_federation_token.toml

[Tuning] First Occurrence of STS GetFederationToken Request by User (#5007)

2025-08-29 13:08:59 -04:00

defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml

[Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules (#4892)

2025-07-18 19:15:36 -04:00

defense_evasion_waf_acl_deletion.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

defense_evasion_waf_rule_or_rule_group_deletion.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

discovery_ec2_deprecated_ami_discovery.toml

[Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules (#4892)

2025-07-18 19:15:36 -04:00

discovery_ec2_multi_region_describe_instances.toml

[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912)

2025-08-05 19:35:41 -04:00

discovery_ec2_multiple_discovery_api_calls_via_cli.toml

[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912)

2025-08-05 19:35:41 -04:00

discovery_ec2_userdata_request_for_ec2_instance.toml

[Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules (#4892)

2025-07-18 19:15:36 -04:00

discovery_new_terms_sts_getcalleridentity.toml

[Rule Tuning] AWS STS GetCallerIdentity API Called for the First Time (#4995)

2025-08-25 11:44:58 -04:00

discovery_servicequotas_multi_region_service_quota_requests.toml

[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912)

2025-08-05 19:35:41 -04:00

execution_lambda_external_layer_added_to_function.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

execution_new_terms_cloudformation_createstack.toml

[Tuning] First Time AWS Cloudformation Stack Creation by User (#5036)

2025-08-29 12:36:21 -04:00

execution_ssm_command_document_created_by_rare_user.toml

[Rule Tunings] AWS SSM Command Document Created by Rare User (#4848)

2025-06-27 13:24:27 -04:00

execution_ssm_sendcommand_by_rare_user.toml

[Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules (#4892)

2025-07-18 19:15:36 -04:00

exfiltration_dynamodb_scan_by_unusual_user.toml

[Rule Tunings] AWS DynamoDB new terms Rules (#5074)

2025-09-11 16:59:39 -04:00

exfiltration_dynamodb_table_exported_to_s3.toml

[Rule Tunings] AWS DynamoDB new terms Rules (#5074)

2025-09-11 16:59:39 -04:00

exfiltration_ec2_ami_shared_with_separate_account.toml

[Rule Tuning] AWS EC2 AMI Shared with Another Account (#4914)

2025-07-21 10:12:13 +05:30

exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml

[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912)

2025-08-05 19:35:41 -04:00

exfiltration_ec2_export_task.toml

[New Rule][Deprecation] AWS EC2 Export Task Rules (#5248)

2025-11-10 11:15:13 -05:00

exfiltration_ec2_full_network_packet_capture_detected.toml

[Rule Tuning] AWS EC2 Full Network Packet Capture Detected (#5244)

2025-11-10 10:49:17 -05:00

exfiltration_ec2_vm_export_failure.toml

[New Rule][Deprecation] AWS EC2 Export Task Rules (#5248)

2025-11-10 11:15:13 -05:00

exfiltration_rds_snapshot_export.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

exfiltration_rds_snapshot_shared_with_another_account.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

exfiltration_s3_bucket_policy_added_for_external_account_access.toml

[Rule Tuning][New Rule] AWS S3 Bucket Policy Added to Share with External Account/ to Allow Public Access (#5268)

2025-11-07 16:25:05 -05:00

exfiltration_s3_bucket_policy_added_for_public_access.toml

[Rule Tuning][New Rule] AWS S3 Bucket Policy Added to Share with External Account/ to Allow Public Access (#5268)

2025-11-07 16:25:05 -05:00

exfiltration_s3_bucket_replicated_to_external_account.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

exfiltration_sns_rare_protocol_subscription_by_user.toml

[Rule Tunings] AWS SNS new Terms rules (#5082)

2025-09-11 17:25:04 -04:00

impact_aws_eventbridge_rule_disabled_or_deleted.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

impact_aws_s3_bucket_enumeration_or_brute_force.toml

[Rule Tuning] AWS S3 Bucket Enumeration or Brute Force (#5173)

2025-10-06 11:53:41 -04:00

impact_cloudtrail_logging_updated.toml

Back-porting Version Trimming (#3704)

2024-05-23 00:45:10 +05:30

impact_cloudwatch_log_group_deletion.toml

Back-porting Version Trimming (#3704)

2024-05-23 00:45:10 +05:30

impact_cloudwatch_log_stream_deletion.toml

Back-porting Version Trimming (#3704)

2024-05-23 00:45:10 +05:30

impact_ec2_disable_ebs_encryption.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

impact_ec2_ebs_snapshot_access_removed.toml

[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912)

2025-08-05 19:35:41 -04:00

impact_efs_filesystem_or_mount_deleted.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

impact_iam_deactivate_mfa_device.toml

[New Rule] AWS STS AssumeRole with New MFA Device [Rule Tuning] AWS IAM Deactivation of MFA Device (#4210)

2024-11-05 02:09:05 -05:00

impact_iam_group_deletion.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

impact_kms_cmk_disabled_or_scheduled_for_deletion.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

impact_rds_group_deletion.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

impact_rds_instance_cluster_deletion_protection_disabled.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

impact_rds_instance_cluster_deletion.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

impact_rds_instance_cluster_stoppage.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

impact_rds_snapshot_deleted.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

impact_s3_bucket_object_uploaded_with_ransom_extension.toml

[Rule Tuning] Potential AWS S3 Bucket Ransomware Note Uploaded (#5149)

2025-10-06 10:33:51 -04:00

impact_s3_excessive_object_encryption_with_sse_c.toml

[Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules (#4892)

2025-07-18 19:15:36 -04:00

impact_s3_object_encryption_with_external_key.toml

[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912)

2025-08-05 19:35:41 -04:00

impact_s3_object_versioning_disabled.toml

[Rule Tuning] AWS S3 Object Versioning Suspended (#5261)

2025-11-07 17:09:24 -05:00

impact_s3_static_site_js_file_uploaded.toml

[Rule Tuning] AWS S3 Static Site Javascript File Uploaded (#5264)

2025-11-07 17:00:56 -05:00

impact_s3_unusual_object_encryption_with_sse_c.toml

[Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules (#4892)

2025-07-18 19:15:36 -04:00

initial_access_console_login_root.toml

[Rule Tuning][Deprecation] AWS Root Console Login Rules (#5201)

2025-10-15 14:16:02 -04:00

initial_access_iam_session_token_used_from_multiple_addresses.toml

[Tuning] AWS Access Token Used from Multiple Addresses (#5055)

2025-09-11 17:43:12 -04:00

initial_access_kali_user_agent_detected_with_aws_cli.toml

[New Rule] Adding Coverage for AWS CLI with Kali Linux Fingerprint Identified (#4625)

2025-04-21 12:06:57 -04:00

initial_access_password_recovery.toml

[Rule Tunings] AWS Root Access Rules (#5218)

2025-10-15 13:58:32 -04:00

initial_access_signin_console_login_federated_user.toml

[Rule Tuning][New BBR Rule] AWS Sign-In Token Creation and Console Login (#5197)

2025-10-16 12:47:30 -04:00

lateral_movement_aws_ssm_start_session_to_ec2_instance.toml

[Rule Tuning] SSM Session Started to EC2 Instance (#5068)

2025-09-11 15:54:31 -04:00

lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml

[Rule Tuning] AWS EC2 Instance Connect SSH Public Key Uploaded (#5069)

2025-09-11 16:37:39 -04:00

lateral_movement_ec2_instance_console_login.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

lateral_movement_sns_topic_message_publish_by_rare_user.toml

[Rule Tunings] AWS SNS new Terms rules (#5082)

2025-09-11 17:25:04 -04:00

ml_cloudtrail_error_message_spike.toml

Adding setup templates to the ML rules (#3798)

2024-06-19 10:04:41 -04:00

ml_cloudtrail_rare_error_code.toml

Adding setup templates to the ML rules (#3798)

2024-06-19 10:04:41 -04:00

ml_cloudtrail_rare_method_by_city.toml

Adding setup templates to the ML rules (#3798)

2024-06-19 10:04:41 -04:00

ml_cloudtrail_rare_method_by_country.toml

Adding setup templates to the ML rules (#3798)

2024-06-19 10:04:41 -04:00

ml_cloudtrail_rare_method_by_user.toml

Adding setup templates to the ML rules (#3798)

2024-06-19 10:04:41 -04:00

NOTICE.txt

[Fleet] Track integrations in folder and metadata (#1372)

2021-07-21 15:24:56 -06:00

persistence_aws_attempt_to_register_virtual_mfa_device.toml

[New Rule] Adding Coverage for AWS IAM Virtual MFA Device Registration (#4626)

2025-04-21 11:02:14 -04:00

persistence_ec2_network_acl_creation.toml

[Rule Tunings] AWS EC2 Flow Log Deletion and Network ACL Activity (#4778)

2025-06-06 14:11:54 -04:00

persistence_ec2_route_table_modified_or_deleted.toml

[Rule Tunings] AWS Route Table Created / AWS EC2 Route Table Modified or Deleted (#5064)

2025-09-11 15:35:16 -04:00

persistence_ec2_security_group_configuration_change_detection.toml

[Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules (#4892)

2025-07-18 19:15:36 -04:00

persistence_iam_api_calls_via_user_session_token.toml

[Rule Tuning] AWS IAM API Calls via Temporary Session Tokens (#4901)

2025-07-15 19:13:16 -04:00

persistence_iam_create_login_profile_for_root.toml

[Rule Tunings] AWS Root Access Rules (#5218)

2025-10-15 13:58:32 -04:00

persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml

[Tuning] AWS IAM Create User via Assumed Role on EC2 Instance (#5063)

2025-09-11 15:11:40 -04:00

persistence_iam_group_creation.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

persistence_iam_roles_anywhere_profile_created.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

persistence_iam_user_created_access_keys_for_another_user.toml

[Rule Tuning] AWS User Created Access Keys For Another User (#5212)

2025-10-16 12:57:57 -04:00

persistence_lambda_backdoor_invoke_function_for_any_principal.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

persistence_rds_cluster_creation.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

persistence_rds_db_instance_password_modified.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

persistence_rds_group_creation.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

persistence_rds_instance_creation.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

persistence_rds_instance_made_public.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

persistence_redshift_instance_creation.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

persistence_route_53_domain_transfer_lock_disabled.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

persistence_route_53_domain_transferred_to_another_account.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

persistence_route_53_hosted_zone_associated_with_a_vpc.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

persistence_route_table_created.toml

[Rule Tunings] AWS Route Table Created / AWS EC2 Route Table Modified or Deleted (#5064)

2025-09-11 15:35:16 -04:00

persistence_sts_assume_role_with_new_mfa.toml

[Rule Tuning] AWS STS AssumeRole with New MFA Device (#4999)

2025-08-22 14:48:39 -04:00

privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml

[Rule Tunings] AWS IAM Administrator Access Policy Attached to Group/Role/User (#5215)

2025-10-16 12:22:56 -04:00

privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml

[Rule Tunings] AWS IAM Administrator Access Policy Attached to Group/Role/User (#5215)

2025-10-16 12:22:56 -04:00

privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml

[Rule Tunings] AWS IAM Administrator Access Policy Attached to Group/Role/User (#5215)

2025-10-16 12:22:56 -04:00

privilege_escalation_iam_customer_managed_policy_attached_to_role.toml

Prep 9.2 (#5231)

2025-10-17 21:01:13 +05:30

privilege_escalation_iam_saml_provider_updated.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

privilege_escalation_iam_update_assume_role_policy.toml

Prep 9.2 (#5231)

2025-10-17 21:01:13 +05:30

privilege_escalation_role_assumption_by_service.toml

[Rule Tunings] AWS Role Assumption By Service / User (#4827)

2025-06-24 18:07:18 -04:00

privilege_escalation_role_assumption_by_user.toml

[Rule Tunings] AWS Role Assumption By Service / User (#4827)

2025-06-24 18:07:18 -04:00

privilege_escalation_root_login_without_mfa.toml

[Rule Tuning][Deprecation] AWS Root Console Login Rules (#5201)

2025-10-15 14:16:02 -04:00

privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

privilege_escalation_sts_getsessiontoken_abuse.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

privilege_escalation_sts_role_chaining.toml

Update privilege_escalation_sts_role_chaining.toml (#5180)

2025-10-06 11:29:41 -04:00

resource_development_sns_topic_created_by_rare_user.toml

[Rule Tunings] AWS SNS new Terms rules (#5082)

2025-09-11 17:25:04 -04:00