sigma-rules

Files

T

Isai 83e36854f0 [Rule Tunings] AWS Root Access Rules (#5218 )

* [Rule Tunings] AWS Root Password Recovery and Login Profile Created

AWS IAM Password Recovery Requested > AWS Sign-In Root Password Recovery Requested
- Name change to properly indicate the service Sign-In vs IAM which is used for this API call. Also highlights that this is `Root` activity. In AWS, the PasswordRecoveryRequested event from signin.amazonaws.com applies to the root user’s “Forgot your password?” flow. Other identity types, like IAM and federated users, do not generate this event.
- reduced execution window
- updated Investigation Guide
- updated tag
- added highlighted fields

AWS IAM Login Profile Added for Root
- changed rule type from esql to eql
- added index
- reduced execution window
- updated description and investigation guide to clarify emphasis on Root identity scope
- added highlighted fields

* increased severity score

increased severity score since this is related to root

* Update broken link

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

2025-10-15 13:58:32 -04:00

aws

[Rule Tunings] AWS Root Access Rules (#5218 )

2025-10-15 13:58:32 -04:00

aws_bedrock

[Rule Tuning] Updated ESQL Rules Based on Validation Results (#5151 )

2025-09-30 00:36:29 -04:00

azure

[Rule Tuning] Excessive Secret or Key Retrieval from Azure Key Vault (#5220 )

2025-10-14 12:53:02 -05:00

azure_openai

[Rule Tuning] Updated ESQL Rules Based on Validation Results (#5151 )