sigma-rules/rules/integrations
Isai 90ee151bf0 [Tuning] AWS Access Token Used from Multiple Addresses (#5055)
* [Tuning] AWS Access Token Used from Multiple Addresses

Tuning was triggered by a community member

- fixes wildcard and `Pulumi` typos to exclude common IaC tools
- adds exclusion for `source.as.organization.name == "AMAZON-02" and aws.cloudtrail.event_category == "Data"` to exclude the noisy multi-IP traffic coming from Amazon-02 networks performing high-throughput data-plane operations. I didn't exclude this network completely because this network can also indicate user-triggered events that are worth keeping in the alert.
- added additional high noise service providers that may be more indicative of console browsing
- added a field for pairing source.ip & network
- added highlighted fields

* Update rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml

* Update rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml
2025-09-11 17:43:12 -04:00