security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ba095969493df64febfef897f92f68811a3fb218
sigma-rules/rules/integrations/aws
T
History
Austin Songer ba09596949 [New Rule] AWS Route Table Created (#1257) 
* Update impact_iam_deactivate_mfa_device.toml

https://github.com/elastic/detection-rules/issues/1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create persistence_route_table_created.toml

* Update persistence_route_table_created.toml

* Update rules/persistence_route_table_created.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Update persistence_route_table_created.toml

* Update .gitignore

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update persistence_route_table_created.toml

* Update

* Update

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 89553d84a9)
2021-10-26 13:26:56 +00:00
..
collection_cloudtrail_logging_created.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
credential_access_aws_iam_assume_role_brute_force.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
credential_access_iam_user_addition_to_group.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
credential_access_root_console_failure_brute_force.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
credential_access_secretsmanager_getsecretvalue.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
defense_evasion_cloudtrail_logging_deleted.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
defense_evasion_cloudtrail_logging_suspended.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
defense_evasion_cloudwatch_alarm_deletion.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
defense_evasion_config_service_rule_deletion.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
defense_evasion_configuration_recorder_stopped.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
defense_evasion_ec2_flow_log_deletion.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
defense_evasion_ec2_network_acl_deletion.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
defense_evasion_elasticache_security_group_creation.toml
[New Rule] AWS ElastiCache Security Group Created (#1363)
2021-10-05 17:01:33 +00:00
defense_evasion_elasticache_security_group_modified_or_deleted.toml
[New Rule] AWS ElastiCache Security Group Modified or Deleted (#1364)
2021-10-04 18:39:40 +00:00
defense_evasion_guardduty_detector_deletion.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
defense_evasion_s3_bucket_configuration_deletion.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
defense_evasion_waf_acl_deletion.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
defense_evasion_waf_rule_or_rule_group_deletion.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
exfiltration_ec2_full_network_packet_capture_detected.toml
[Rule tuning] Revise rule description and other text (#1398)
2021-08-03 21:08:48 +00:00
exfiltration_ec2_snapshot_change_activity.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
exfiltration_ec2_vm_export_failure.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
exfiltration_rds_snapshot_export.toml
[Rule Tuning] AWS RDS Snapshot Export and AWS RDS Instance Created (#1514)
2021-10-04 21:32:40 +00:00
exfiltration_rds_snapshot_restored.toml
[New Rule] AWS RDS Snapshot Restored (#1312)
2021-10-15 19:06:07 +00:00
impact_aws_eventbridge_rule_disabled_or_deleted.toml
[New Rule] AWS EventBridge Rule Disabled or Deleted (#1572)
2021-10-18 18:37:29 +00:00
impact_cloudtrail_logging_updated.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
impact_cloudwatch_log_group_deletion.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
impact_cloudwatch_log_stream_deletion.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
impact_ec2_disable_ebs_encryption.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
impact_efs_filesystem_or_mount_deleted.toml
[New Rule] AWS EFS File System or Mount Deleted (#1462)
2021-10-16 02:24:00 +00:00
impact_iam_deactivate_mfa_device.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
impact_iam_group_deletion.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
impact_rds_cluster_deletion.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
impact_rds_group_deletion.toml
[Rule tuning] Revise rule description and other text (#1398)
2021-08-03 21:08:48 +00:00
impact_rds_instance_cluster_stoppage.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
initial_access_console_login_root.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
initial_access_password_recovery.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
initial_access_via_system_manager.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
ml_cloudtrail_error_message_spike.toml
[Rule Tuning] Small update on rule descriptions (#1508)
2021-09-30 20:55:18 +00:00
ml_cloudtrail_rare_error_code.toml
[Rule Tuning] Small update on rule descriptions (#1508)
2021-09-30 20:55:18 +00:00
ml_cloudtrail_rare_method_by_city.toml
[Rule Tuning] Small update on rule descriptions (#1508)
2021-09-30 20:55:18 +00:00
ml_cloudtrail_rare_method_by_country.toml
[Rule Tuning] Small update on rule descriptions (#1508)
2021-09-30 20:55:18 +00:00
ml_cloudtrail_rare_method_by_user.toml
[Rule Tuning] Small update on rule descriptions (#1508)
2021-09-30 20:55:18 +00:00
NOTICE.txt
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
persistence_ec2_network_acl_creation.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
persistence_ec2_security_group_configuration_change_detection.toml
[Rule Tuning] Small update on rule descriptions (#1508)
2021-09-30 20:55:18 +00:00
persistence_iam_group_creation.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
persistence_rds_cluster_creation.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
persistence_rds_group_creation.toml
[Rule tuning] Revise rule description and other text (#1398)
2021-08-03 21:08:48 +00:00
persistence_rds_instance_creation.toml
[Rule Tuning] AWS RDS Snapshot Export and AWS RDS Instance Created (#1514)
2021-10-04 21:32:40 +00:00
persistence_route_53_domain_transfer_lock_disabled.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
persistence_route_53_domain_transferred_to_another_account.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
persistence_route_53_hosted_zone_associated_with_a_vpc.toml
[New Rule] AWS Route53 hosted zone associated with a VPC (#1365)
2021-10-15 19:01:20 +00:00
persistence_route_table_created.toml
[New Rule] AWS Route Table Created (#1257)
2021-10-26 13:26:56 +00:00
persistence_route_table_modified_or_deleted.toml
[New Rule] AWS Route Table Modified or Deleted (#1258)
2021-10-12 18:17:56 +00:00
privilege_escalation_aws_suspicious_saml_activity.toml
[New Rule] AWS Suspicious SAML Activity (#1498)
2021-10-16 02:12:06 +00:00
privilege_escalation_root_login_without_mfa.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00
privilege_escalation_sts_assumerole_usage.toml
[New Rule] AWS STS AssumeRole Usage (#1214)
2021-10-15 18:57:13 +00:00
privilege_escalation_sts_getsessiontoken_abuse.toml
[New Rule] AWS STS GetSessionToken Abuse (#1213)
2021-09-22 19:29:04 +00:00
privilege_escalation_updateassumerolepolicy.toml
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 21:25:48 +00:00