b141ebcfa6
* [Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules

  This PR is in part a response to the following issues regarding the future of flattened fields in AWS, which we use as an essential part of our ruleset. However, this is also in response to the ongoing ruleset audit. Some of the flattened fields used are not truly necessary for the alert to trigger or can be replaced by a different field. Those changes have been made here, and our non_ecs file has been edited to remove the unnecessary fields. Additionally, flattened fields have been removed from highlighted fields and from investigation guides.

* Update discovery_ec2_userdata_request_for_ec2_instance.toml: updated_date
* Update execution_ssm_sendcommand_by_rare_user.toml: updated_date
* Update non-ecs-schema.json: add necessary field for ModifyInstanceAttribute action
* Update persistence_ec2_security_group_configuration_change_detection.toml: added missing event.action AuthorizeSecurityGroupIngress, narrowed scope for ModifyInstanceAttribute action by adding a necessary flattened_field
* Update privilege_escalation_iam_customer_managed_policy_attached_to_role.toml: updated min_stack_version for new field target.entity.id
* Update privilege_escalation_iam_customer_managed_policy_attached_to_role.toml
* Update privilege_escalation_iam_update_assume_role_policy.toml: updating min_stack to account for target.entity.id field
* Update impact_s3_excessive_object_encryption_with_sse_c.toml: adding highlighted fields
* Update rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml
* Apply suggestions from code review

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
rules/
Rules within this folder are organized by solution or platform. The structure is kept flat, because nested file hierarchies are hard to navigate and make it hard to find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (e.g. windows/execution_via_compiled_html_file.toml).
| folder | description |
|---|---|
| . | Root directory where rules are stored |
| apm/ | Rules that use Application Performance Monitoring (APM) data sources |
| cross-platform/ | Rules that apply to multiple platforms, such as Windows and Linux |
| integrations/ | Rules organized by Fleet integration |
| linux/ | Rules for Linux or other Unix-based operating systems |
| macos/ | Rules for macOS |
| ml/ | Rules that use machine learning (ML) jobs |
| network/ | Rules that use network data sources |
| promotions/ | Rules that promote external alerts into detection engine alerts |
| windows/ | Rules for the Microsoft Windows operating system |
Integration-specific rules are stored in the integrations/ directory:

| folder | integration |
|---|---|
| aws/ | Amazon Web Services (AWS) |
| azure/ | Microsoft Azure |
| cyberarkpas/ | CyberArk Privileged Access Security |
| endpoint/ | Elastic Endpoint Security |
| gcp/ | Google Cloud Platform (GCP) |
| google_workspace/ | Google Workspace (formerly G Suite) |
| o365/ | Microsoft Office |
| okta/ | Okta |