security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5ff3844fbe4e3668207019049244090d162f50d0
sigma-rules/rules/integrations/aws
T
History
Jonhnathan d854b943e5 [Security Content] Add Investigation Guides to Cloud Rules - AWS (#2104) 
* [Security Content] Add Investigation Guides to Cloud Rules - AWS

* Apply suggestion from review

* Update rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Apply suggestions from review

* Apply suggestions from code review

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* .

* Applies suggestions from the https://github.com/elastic/detection-rules/pull/2124 PR

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2022-07-20 12:28:58 -03:00
..
collection_cloudtrail_logging_created.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
credential_access_aws_iam_assume_role_brute_force.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
credential_access_iam_user_addition_to_group.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
credential_access_root_console_failure_brute_force.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
credential_access_secretsmanager_getsecretvalue.toml
[Security Content] Add Investigation Guides to Cloud Rules - AWS (#2104)
2022-07-20 12:28:58 -03:00
defense_evasion_cloudtrail_logging_deleted.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
defense_evasion_cloudtrail_logging_suspended.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
defense_evasion_cloudwatch_alarm_deletion.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
defense_evasion_config_service_rule_deletion.toml
[Security Content] Add Investigation Guides to Cloud Rules - AWS (#2104)
2022-07-20 12:28:58 -03:00
defense_evasion_configuration_recorder_stopped.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
defense_evasion_ec2_flow_log_deletion.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
defense_evasion_ec2_network_acl_deletion.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
defense_evasion_elasticache_security_group_creation.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
defense_evasion_elasticache_security_group_modified_or_deleted.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
defense_evasion_guardduty_detector_deletion.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
defense_evasion_s3_bucket_configuration_deletion.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
defense_evasion_waf_acl_deletion.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
defense_evasion_waf_rule_or_rule_group_deletion.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
exfiltration_ec2_full_network_packet_capture_detected.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
exfiltration_ec2_snapshot_change_activity.toml
[Security Content] Add Investigation Guides to Cloud Rules - AWS (#2104)
2022-07-20 12:28:58 -03:00
exfiltration_ec2_vm_export_failure.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
exfiltration_rds_snapshot_export.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
exfiltration_rds_snapshot_restored.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
impact_aws_eventbridge_rule_disabled_or_deleted.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
impact_cloudtrail_logging_updated.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
impact_cloudwatch_log_group_deletion.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
impact_cloudwatch_log_stream_deletion.toml
[Security Content] Add Investigation Guides to Cloud Rules - AWS (#2104)
2022-07-20 12:28:58 -03:00
impact_ec2_disable_ebs_encryption.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
impact_efs_filesystem_or_mount_deleted.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
impact_iam_deactivate_mfa_device.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
impact_iam_group_deletion.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
impact_rds_group_deletion.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
impact_rds_instance_cluster_deletion.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
impact_rds_instance_cluster_stoppage.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
initial_access_console_login_root.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
initial_access_password_recovery.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
initial_access_via_system_manager.toml
[Security Content] Add Investigation Guides to Cloud Rules - AWS (#2104)
2022-07-20 12:28:58 -03:00
ml_cloudtrail_error_message_spike.toml
[Security Content] Add Investigation Guides to Cloud Rules - AWS (#2104)
2022-07-20 12:28:58 -03:00
ml_cloudtrail_rare_error_code.toml
[Security Content] Add Investigation Guides to Cloud Rules - AWS (#2104)
2022-07-20 12:28:58 -03:00
ml_cloudtrail_rare_method_by_city.toml
[Security Content] Add Investigation Guides to Cloud Rules - AWS (#2104)
2022-07-20 12:28:58 -03:00
ml_cloudtrail_rare_method_by_country.toml
[Security Content] Add Investigation Guides to Cloud Rules - AWS (#2104)
2022-07-20 12:28:58 -03:00
ml_cloudtrail_rare_method_by_user.toml
[Security Content] Add Investigation Guides to Cloud Rules - AWS (#2104)
2022-07-20 12:28:58 -03:00
NOTICE.txt
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 15:24:56 -06:00
persistence_ec2_network_acl_creation.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
persistence_ec2_security_group_configuration_change_detection.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
persistence_iam_group_creation.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
persistence_rds_cluster_creation.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
persistence_rds_group_creation.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
persistence_rds_instance_creation.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
persistence_redshift_instance_creation.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
persistence_route_53_domain_transfer_lock_disabled.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
persistence_route_53_domain_transferred_to_another_account.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
persistence_route_53_hosted_zone_associated_with_a_vpc.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
persistence_route_table_created.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
persistence_route_table_modified_or_deleted.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
privilege_escalation_aws_suspicious_saml_activity.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
privilege_escalation_root_login_without_mfa.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
privilege_escalation_sts_assumerole_usage.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
privilege_escalation_sts_getsessiontoken_abuse.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00
privilege_escalation_updateassumerolepolicy.toml
2058 add setup field to metadata (#2061)
2022-07-18 15:41:32 -04:00