sigma-rules

Files

T

Samirbous 250ad4a8eb [New] Diverse AWS rules (#5913 )

* [New] Diverse AWS Rules

- AWS EC2 Role GetCallerIdentity from New Source AS Organization
- AWS CloudTrail API Request with TruffleHog User Agent

* Create discovery_new_terms_vpn_asn_discovery_api_calls.toml

* ++

* Update discovery_new_terms_sts_getcalleridentity_ec2_role_new_source_as.toml

* Update discovery_new_terms_vpn_asn_discovery_api_calls.toml

* Delete initial_access_aws_cloudtrail_trufflehog_user_agent.toml

* Update discovery_new_terms_vpn_asn_discovery_api_calls.toml

* Apply suggestion from @terrancedejesus

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Apply suggestion from @terrancedejesus

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Apply suggestion from @terrancedejesus

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Revert "++"

This reverts commit fbb69afa95f39d3bf83acf3aca601cc40fc98ea1.

* Update discovery_new_terms_sts_getcalleridentity_ec2_role_new_source_as.toml

* Update discovery_new_terms_sts_getcalleridentity_ec2_role_new_source_as.toml

* Update discovery_new_terms_sts_getcalleridentity_ec2_role_new_source_as.toml

* ++

* ++

* Update discovery_new_terms_vpn_asn_discovery_api_calls.toml

* ++

* ++

* ++

* ++

* Update execution_ec2_stop_start_with_user_data_modification.toml

* Update execution_ec2_stop_start_with_user_data_modification.toml

* Update execution_aws_ssm_session_manager_child_process.toml

* Update execution_aws_ssm_session_manager_child_process.toml

* Update execution_aws_ssm_session_manager_child_process.toml

* ++

* ++

* ++

* ++

* ++

* ++

* Update defense_evasion_kms_key_policy_put.toml

* Rename defense_evasion_kms_key_policy_put.toml to privilege_escalation_kms_key_policy_put.toml

* Update privilege_escalation_iam_customer_managed_policy_version_created_or_set_default.toml

* Update discovery_new_terms_sts_getcalleridentity_ec2_role_new_source_as.toml

* Delete rules/integrations/aws/discovery_new_terms_ec2_describe_instance_userdata_unusual_context.toml

similar rule exist

* Update discovery_new_terms_vpn_asn_discovery_api_calls.toml

* Apply suggestion from @imays11

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Apply suggestion from @imays11

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update persistence_new_terms_ec2_create_keypair_unusual_source_as.toml

* Update privilege_escalation_kms_key_policy_put.toml

* Update privilege_escalation_iam_customer_managed_policy_version_created_or_set_default.toml

* Update persistence_new_terms_ec2_create_keypair_unusual_source_as.toml

* Update execution_aws_ssm_session_manager_child_process.toml

* Update rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_version_created_or_set_default.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/aws/execution_ec2_stop_start_with_user_data_modification.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update privilege_escalation_iam_privilege_operations_via_lambda_execution_role.toml

* Apply suggestion from @imays11

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update execution_ec2_stop_start_with_user_data_modification.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

2026-05-01 21:57:28 +01:00

collection_cloudtrail_logging_created.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

collection_s3_unauthenticated_bucket_access_by_rare_source.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

credential_access_aws_getpassword_for_ec2_instance.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

credential_access_iam_long_term_access_key_correlated_with_elevated_detection_alerts.toml

[New Rules] AWS IAM Long-Term Creds Abuse Coverage (#5924 )

2026-04-06 15:14:59 -04:00

credential_access_iam_long_term_access_key_first_seen_from_source_ip.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

credential_access_iam_user_addition_to_group.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

credential_access_new_terms_secretsmanager_getsecretvalue.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

credential_access_retrieve_secure_string_parameters_via_ssm.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

credential_access_root_console_failure_brute_force.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

defense_evasion_cloudtrail_logging_deleted.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

defense_evasion_cloudtrail_logging_evasion.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

defense_evasion_cloudtrail_logging_suspended.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

defense_evasion_cloudwatch_alarm_deletion.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

defense_evasion_config_service_rule_deletion.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

defense_evasion_configuration_recorder_stopped.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

defense_evasion_ec2_flow_log_deletion.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

defense_evasion_ec2_network_acl_deletion.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

defense_evasion_ec2_serial_console_access_enabled.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

defense_evasion_guardduty_detector_deletion.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

defense_evasion_guardduty_member_manipulation.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

defense_evasion_rds_instance_restored.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

defense_evasion_route53_dns_query_resolver_config_deletion.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

defense_evasion_s3_bucket_configuration_deletion.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

defense_evasion_s3_bucket_lifecycle_expiration_added.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

defense_evasion_s3_bucket_server_access_logging_disabled.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

defense_evasion_sqs_purge_queue.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

defense_evasion_sts_get_federation_token.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

defense_evasion_waf_acl_deletion.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

defense_evasion_waf_rule_or_rule_group_deletion.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

discovery_ec2_deprecated_ami_discovery.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

discovery_ec2_userdata_request_for_ec2_instance.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

discovery_iam_principal_enumeration_via_update_assume_role_policy.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

discovery_multiple_discovery_api_calls_via_cli.toml

[Rule Tunings] AWS ESQL keep fields missing (#6014 )

2026-05-01 15:43:38 -04:00

discovery_new_terms_sts_getcalleridentity_ec2_role_new_source_as.toml

[New] Diverse AWS rules (#5913 )

2026-05-01 21:57:28 +01:00

discovery_new_terms_sts_getcalleridentity.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

discovery_new_terms_vpn_asn_discovery_api_calls.toml

[New] Diverse AWS rules (#5913 )

2026-05-01 21:57:28 +01:00

discovery_organization_discovery_by_rare_user.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

discovery_s3_rapid_bucket_posture_api_calls.toml

[Rule Tunings] AWS ESQL keep fields missing (#6014 )

2026-05-01 15:43:38 -04:00

discovery_servicequotas_multi_region_service_quota_requests.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

discovery_ssm_inventory_reconnaissance.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

execution_cloudshell_environment_created.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

execution_ec2_stop_start_with_user_data_modification.toml

[New] Diverse AWS rules (#5913 )

2026-05-01 21:57:28 +01:00

execution_lambda_external_layer_added_to_function.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

execution_new_terms_cloudformation_createstack.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

execution_ssm_command_document_created_by_rare_user.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

execution_ssm_sendcommand_by_rare_user.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

exfiltration_dynamodb_scan_by_unusual_user.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

exfiltration_dynamodb_table_exported_to_s3.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

exfiltration_ec2_ami_shared_with_separate_account.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

exfiltration_ec2_export_task.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

exfiltration_ec2_full_network_packet_capture_detected.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

exfiltration_rds_snapshot_export.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

exfiltration_rds_snapshot_shared_with_another_account.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

exfiltration_s3_bucket_policy_added_for_external_account_access.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

exfiltration_s3_bucket_policy_added_for_public_access.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

exfiltration_s3_bucket_replicated_to_external_account.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

exfiltration_s3_uncommon_client_user_agent.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

exfiltration_sns_rare_protocol_subscription_by_user.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

impact_aws_eventbridge_rule_disabled_or_deleted.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

impact_aws_s3_bucket_enumeration_or_brute_force.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

impact_cloudtrail_logging_updated.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

impact_cloudwatch_log_group_deletion.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

impact_cloudwatch_log_stream_deletion.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

impact_ec2_disable_ebs_encryption.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

impact_ec2_ebs_snapshot_access_removed.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

impact_efs_filesystem_deleted.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

impact_iam_deactivate_mfa_device.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

impact_iam_group_deletion.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

impact_kms_cmk_disabled_or_scheduled_for_deletion.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

impact_rds_instance_cluster_deletion_protection_disabled.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

impact_rds_instance_cluster_deletion.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

impact_rds_snapshot_deleted.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

impact_s3_bucket_object_uploaded_with_ransom_keyword.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

impact_s3_excessive_object_encryption_with_sse_c.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

impact_s3_object_encryption_with_external_key.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

impact_s3_object_versioning_disabled.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

impact_s3_static_site_js_file_uploaded.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

impact_s3_unusual_object_encryption_with_sse_c.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

initial_access_assume_role_with_web_identity_kubernetes_sa_from_external_asn.toml

[New] AWS Lateral Movement via Kubernetes SA (#5959 )

2026-05-01 12:10:55 +01:00

initial_access_aws_api_unusual_asn.toml

[New] AWS Rare Source AS Organization Activity (#5957 )

2026-04-22 23:00:57 +05:30

initial_access_console_login_root.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

initial_access_github_actions_oidc_credentials_used_from_suspicious_network.toml

[New] AWS Credentials Used from GitHub Actions and Non-CI/CD Infra (#5956 )

2026-04-22 23:15:55 +05:30

initial_access_iam_session_token_used_from_multiple_addresses.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

initial_access_password_recovery.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

initial_access_signin_console_login_federated_user.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

initial_access_suspicious_user_agent_detected_in_cloudtrail.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

lateral_movement_aws_ssm_start_session_to_ec2_instance.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

lateral_movement_ec2_instance_console_login.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

lateral_movement_k8_assumed_web_identity_session_with_multi_phase_api_use.toml

[New] AWS Lateral Movement via Kubernetes SA (#5959 )

2026-05-01 12:10:55 +01:00

lateral_movement_sns_topic_message_publish_by_rare_user.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

ml_cloudtrail_error_message_spike.toml

add mitre attack rules for ML job rules, bump dates (#5333 )

2025-12-01 15:48:59 -06:00

ml_cloudtrail_rare_error_code.toml

add mitre attack rules for ML job rules, bump dates (#5333 )

2025-12-01 15:48:59 -06:00

ml_cloudtrail_rare_method_by_city.toml

[Rule Tuning] Add Supplemental Mitre Mappings (#5876 )

2026-04-01 09:12:42 -05:00

ml_cloudtrail_rare_method_by_country.toml

add mitre attack rules for ML job rules, bump dates (#5333 )

2025-12-01 15:48:59 -06:00

ml_cloudtrail_rare_method_by_user.toml

Update Entity related Kibana prebuilt ML rules with new _ea ML job ID and update minimum stack versions (#5794 )

2026-04-02 09:25:14 -04:00

NOTICE.txt

[Fleet] Track integrations in folder and metadata (#1372 )

2021-07-21 15:24:56 -06:00

persistence_aws_attempt_to_register_virtual_mfa_device.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

persistence_ec2_network_acl_creation.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

persistence_ec2_route_table_modified_or_deleted.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

persistence_ec2_security_group_configuration_change_detection.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

persistence_iam_api_calls_via_user_session_token.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

persistence_iam_create_login_profile_for_root.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

persistence_iam_group_creation.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

persistence_iam_oidc_provider_created.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

persistence_iam_roles_anywhere_profile_created.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

persistence_iam_saml_provider_created.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

persistence_iam_user_created_access_keys_for_another_user.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

persistence_lambda_backdoor_invoke_function_for_any_principal.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

persistence_new_terms_ec2_create_keypair_unusual_source_as.toml

[New] Diverse AWS rules (#5913 )

2026-05-01 21:57:28 +01:00

persistence_rds_db_instance_password_modified.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

persistence_rds_instance_made_public.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

persistence_route_53_domain_transfer_lock_disabled.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

persistence_route_53_domain_transferred_to_another_account.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

persistence_route_53_hosted_zone_associated_with_a_vpc.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

persistence_route_table_created.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

persistence_sensitive_operations_via_cloudshell.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

persistence_sts_assume_role_with_new_mfa.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

privilege_escalation_ec2_instance_profile_associated_with_running_instance.toml

[New] Diverse AWS rules (#5913 )

2026-05-01 21:57:28 +01:00

privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

privilege_escalation_iam_customer_managed_policy_attached_to_role.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

privilege_escalation_iam_customer_managed_policy_version_created_or_set_default.toml

[New] Diverse AWS rules (#5913 )

2026-05-01 21:57:28 +01:00

privilege_escalation_iam_privilege_operations_via_lambda_execution_role.toml

[New] Diverse AWS rules (#5913 )

2026-05-01 21:57:28 +01:00

privilege_escalation_iam_saml_provider_updated.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

privilege_escalation_iam_update_assume_role_policy.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

privilege_escalation_kms_key_policy_put.toml

[New] Diverse AWS rules (#5913 )

2026-05-01 21:57:28 +01:00

privilege_escalation_role_assumption_by_service.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

privilege_escalation_role_assumption_by_user.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

privilege_escalation_sts_get_federation_token_administrator_access.toml

[New] Diverse AWS rules (#5913 )

2026-05-01 21:57:28 +01:00

privilege_escalation_sts_role_chaining.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

resource_development_sns_topic_created_by_rare_user.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00