security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
da9bfd0abccc1de2010f02eac9930dee3042d1bc
sigma-rules/rules/integrations/aws
T
History
Isai 28f227ab6f [Rule Tunings] AWS EC2 EBS Snapshot and Encryption Rules (#5229) 
* [Rule Tunings] AWS EC2 EBS Snapshot and Encryption Rules

AWS EC2 Encryption Disabled
 rule performance is good, telemetry looks low as expected
- additional context to description to emphasize the security concern and purpose of the rule
- updated investigation guide
- added highlighted fields
- reduced execution window

AWS EC2 EBS Snapshot Access Removed
rule alerts as expected, telemetry volume is low as expected. however, this rule can be accomplished using EQL so I've changed the rule type
- changed rule type to eql
- added index
- updated IG
- added highlighted fields
note: I have to use `any` for the query since there is no `event.category` defined for `event.action: ModifySnapshotAttribute`

AWS EC2 EBS Snapshot Shared or Made Public
Converted to EQL. As an ESQL rule the primary benefit was being able to definitely exclude instances where a user adds their own account id when calling the ModifySnapshotAttribute instead of an external account id. This is a redundant action as the snapshot when created is automatically shared with the account it's created in. But this could be a false positive if it's done by mistake. Instead of keeping this as an ESQL rule, I still think there is more value to converting this to EQL for both customer alert context and telemetry. When looking at production data, I saw no instances where the owning account id was added in this way. Its a rare mistake that shouldn't happen often enough to support keeping this as an ESQL rule.
- converted to EQL
- added index
- updated IG
- updated description
- added highlighted fields

* adding event_category_override = "event.provider"

override event.category to event.provider to account for the use of "any" in EQL query

* normalizing IG title capitalization

normalizing IG title capitalization

* bumping severity to medium

since EC2 snapshot data can be sensitive, unauthorized sharing or access removal should be triaged

* updated event_category_override field

replaced event.provider with event.type to satisfy EQL library parsing requirements
2025-11-10 12:08:31 -05:00
..
collection_cloudtrail_logging_created.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
collection_s3_unauthenticated_bucket_access_by_rare_source.toml
[Tuning] AWS S3 Unauthenticated Bucket Access by Rare Source (#5075)
2025-09-11 17:13:41 -04:00
credential_access_aws_getpassword_for_ec2_instance.toml
[Rule Tuning] AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role (#4774)
2025-06-06 15:08:48 -04:00
credential_access_aws_iam_assume_role_brute_force.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
credential_access_iam_user_addition_to_group.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_new_terms_secretsmanager_getsecretvalue.toml
[Rule Tuning] First Time Seen AWS Secret Value Accessed in Secrets Manager (#4992)
2025-08-25 12:00:47 -04:00
credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
Replace master doc URLs with current (#4439)
2025-02-03 21:27:50 +05:30
credential_access_retrieve_secure_string_parameters_via_ssm.toml
[Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules (#4892)
2025-07-18 19:15:36 -04:00
credential_access_root_console_failure_brute_force.toml
[Rule Tuning][Deprecation] AWS Root Console Login Rules (#5201)
2025-10-15 14:16:02 -04:00
defense_evasion_cloudtrail_logging_deleted.toml
[Rule Tuning] Add Investigation Fields to Specific AWS Rules (#4261)
2024-11-08 23:11:18 -05:00
defense_evasion_cloudtrail_logging_evasion.toml
[New Rule] AWS CloudTrail Log Evasion (#4788)
2025-06-17 13:58:26 -04:00
defense_evasion_cloudtrail_logging_suspended.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_cloudwatch_alarm_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_config_service_rule_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_configuration_recorder_stopped.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_ec2_flow_log_deletion.toml
[Rule Tunings] AWS EC2 Flow Log Deletion and Network ACL Activity (#4778)
2025-06-06 14:11:54 -04:00
defense_evasion_ec2_network_acl_deletion.toml
[Rule Tunings] AWS EC2 Flow Log Deletion and Network ACL Activity (#4778)
2025-06-06 14:11:54 -04:00
defense_evasion_elasticache_security_group_creation.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_elasticache_security_group_modified_or_deleted.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_guardduty_detector_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_rds_instance_restored.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_route53_dns_query_resolver_config_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_s3_bucket_configuration_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_s3_bucket_lifecycle_expiration_added.toml
[Rule Tuning] AWS S3 Bucket Expiration Lifecycle Configuration Added (#5251)
2025-11-10 11:25:06 -05:00
defense_evasion_s3_bucket_server_access_logging_disabled.toml
[Rule Tuning] AWS S3 Bucket Server Access Logging Disabled (#5254)
2025-11-10 11:36:55 -05:00
defense_evasion_sqs_purge_queue.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_sts_get_federation_token.toml
[Tuning] First Occurrence of STS GetFederationToken Request by User (#5007)
2025-08-29 13:08:59 -04:00
defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml
[Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules (#4892)
2025-07-18 19:15:36 -04:00
defense_evasion_waf_acl_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_waf_rule_or_rule_group_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
discovery_ec2_deprecated_ami_discovery.toml
[Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules (#4892)
2025-07-18 19:15:36 -04:00
discovery_ec2_multi_region_describe_instances.toml
[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912)
2025-08-05 19:35:41 -04:00
discovery_ec2_multiple_discovery_api_calls_via_cli.toml
[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912)
2025-08-05 19:35:41 -04:00
discovery_ec2_userdata_request_for_ec2_instance.toml
[Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules (#4892)
2025-07-18 19:15:36 -04:00
discovery_new_terms_sts_getcalleridentity.toml
[Rule Tuning] AWS STS GetCallerIdentity API Called for the First Time (#4995)
2025-08-25 11:44:58 -04:00
discovery_servicequotas_multi_region_service_quota_requests.toml
[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912)
2025-08-05 19:35:41 -04:00
execution_lambda_external_layer_added_to_function.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
execution_new_terms_cloudformation_createstack.toml
[Tuning] First Time AWS Cloudformation Stack Creation by User (#5036)
2025-08-29 12:36:21 -04:00
execution_ssm_command_document_created_by_rare_user.toml
[Rule Tunings] AWS SSM Command Document Created by Rare User (#4848)
2025-06-27 13:24:27 -04:00
execution_ssm_sendcommand_by_rare_user.toml
[Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules (#4892)
2025-07-18 19:15:36 -04:00
exfiltration_dynamodb_scan_by_unusual_user.toml
[Rule Tunings] AWS DynamoDB new terms Rules (#5074)
2025-09-11 16:59:39 -04:00
exfiltration_dynamodb_table_exported_to_s3.toml
[Rule Tunings] AWS DynamoDB new terms Rules (#5074)
2025-09-11 16:59:39 -04:00
exfiltration_ec2_ami_shared_with_separate_account.toml
[Rule Tuning] AWS EC2 AMI Shared with Another Account (#4914)
2025-07-21 10:12:13 +05:30
exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml
[Rule Tunings] AWS EC2 EBS Snapshot and Encryption Rules (#5229)
2025-11-10 12:08:31 -05:00
exfiltration_ec2_export_task.toml
[New Rule][Deprecation] AWS EC2 Export Task Rules (#5248)
2025-11-10 11:15:13 -05:00
exfiltration_ec2_full_network_packet_capture_detected.toml
[Rule Tuning] AWS EC2 Full Network Packet Capture Detected (#5244)
2025-11-10 10:49:17 -05:00
exfiltration_ec2_vm_export_failure.toml
[New Rule][Deprecation] AWS EC2 Export Task Rules (#5248)
2025-11-10 11:15:13 -05:00
exfiltration_rds_snapshot_export.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
exfiltration_rds_snapshot_shared_with_another_account.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
exfiltration_s3_bucket_policy_added_for_external_account_access.toml
[Rule Tuning][New Rule] AWS S3 Bucket Policy Added to Share with External Account/ to Allow Public Access (#5268)
2025-11-07 16:25:05 -05:00
exfiltration_s3_bucket_policy_added_for_public_access.toml
[Rule Tuning][New Rule] AWS S3 Bucket Policy Added to Share with External Account/ to Allow Public Access (#5268)
2025-11-07 16:25:05 -05:00
exfiltration_s3_bucket_replicated_to_external_account.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
exfiltration_sns_rare_protocol_subscription_by_user.toml
[Rule Tunings] AWS SNS new Terms rules (#5082)
2025-09-11 17:25:04 -04:00
impact_aws_eventbridge_rule_disabled_or_deleted.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_aws_s3_bucket_enumeration_or_brute_force.toml
[Rule Tuning] AWS S3 Bucket Enumeration or Brute Force (#5173)
2025-10-06 11:53:41 -04:00
impact_cloudtrail_logging_updated.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_cloudwatch_log_group_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_cloudwatch_log_stream_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_ec2_disable_ebs_encryption.toml
[Rule Tunings] AWS EC2 EBS Snapshot and Encryption Rules (#5229)
2025-11-10 12:08:31 -05:00
impact_ec2_ebs_snapshot_access_removed.toml
[Rule Tunings] AWS EC2 EBS Snapshot and Encryption Rules (#5229)
2025-11-10 12:08:31 -05:00
impact_efs_filesystem_or_mount_deleted.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_iam_deactivate_mfa_device.toml
[New Rule] AWS STS AssumeRole with New MFA Device [Rule Tuning] AWS IAM Deactivation of MFA Device (#4210)
2024-11-05 02:09:05 -05:00
impact_iam_group_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_rds_group_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_rds_instance_cluster_deletion_protection_disabled.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_rds_instance_cluster_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_rds_instance_cluster_stoppage.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_rds_snapshot_deleted.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_s3_bucket_object_uploaded_with_ransom_extension.toml
[Rule Tuning] Potential AWS S3 Bucket Ransomware Note Uploaded (#5149)
2025-10-06 10:33:51 -04:00
impact_s3_excessive_object_encryption_with_sse_c.toml
[Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules (#4892)
2025-07-18 19:15:36 -04:00
impact_s3_object_encryption_with_external_key.toml
[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912)
2025-08-05 19:35:41 -04:00
impact_s3_object_versioning_disabled.toml
[Rule Tuning] AWS S3 Object Versioning Suspended (#5261)
2025-11-07 17:09:24 -05:00
impact_s3_static_site_js_file_uploaded.toml
[Rule Tuning] AWS S3 Static Site Javascript File Uploaded (#5264)
2025-11-07 17:00:56 -05:00
impact_s3_unusual_object_encryption_with_sse_c.toml
[Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules (#4892)
2025-07-18 19:15:36 -04:00
initial_access_console_login_root.toml
[Rule Tuning][Deprecation] AWS Root Console Login Rules (#5201)
2025-10-15 14:16:02 -04:00
initial_access_iam_session_token_used_from_multiple_addresses.toml
[Tuning] AWS Access Token Used from Multiple Addresses (#5055)
2025-09-11 17:43:12 -04:00
initial_access_kali_user_agent_detected_with_aws_cli.toml
[New Rule] Adding Coverage for AWS CLI with Kali Linux Fingerprint Identified (#4625)
2025-04-21 12:06:57 -04:00
initial_access_password_recovery.toml
[Rule Tunings] AWS Root Access Rules (#5218)
2025-10-15 13:58:32 -04:00
initial_access_signin_console_login_federated_user.toml
[Rule Tuning][New BBR Rule] AWS Sign-In Token Creation and Console Login (#5197)
2025-10-16 12:47:30 -04:00
lateral_movement_aws_ssm_start_session_to_ec2_instance.toml
[Rule Tuning] SSM Session Started to EC2 Instance (#5068)
2025-09-11 15:54:31 -04:00
lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml
[Rule Tuning] AWS EC2 Instance Connect SSH Public Key Uploaded (#5069)
2025-09-11 16:37:39 -04:00
lateral_movement_ec2_instance_console_login.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
lateral_movement_sns_topic_message_publish_by_rare_user.toml
[Rule Tunings] AWS SNS new Terms rules (#5082)
2025-09-11 17:25:04 -04:00
ml_cloudtrail_error_message_spike.toml
Adding setup templates to the ML rules (#3798)
2024-06-19 10:04:41 -04:00
ml_cloudtrail_rare_error_code.toml
Adding setup templates to the ML rules (#3798)
2024-06-19 10:04:41 -04:00
ml_cloudtrail_rare_method_by_city.toml
Adding setup templates to the ML rules (#3798)
2024-06-19 10:04:41 -04:00
ml_cloudtrail_rare_method_by_country.toml
Adding setup templates to the ML rules (#3798)
2024-06-19 10:04:41 -04:00
ml_cloudtrail_rare_method_by_user.toml
Adding setup templates to the ML rules (#3798)
2024-06-19 10:04:41 -04:00
NOTICE.txt
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 15:24:56 -06:00
persistence_aws_attempt_to_register_virtual_mfa_device.toml
[New Rule] Adding Coverage for AWS IAM Virtual MFA Device Registration (#4626)
2025-04-21 11:02:14 -04:00
persistence_ec2_network_acl_creation.toml
[Rule Tunings] AWS EC2 Flow Log Deletion and Network ACL Activity (#4778)
2025-06-06 14:11:54 -04:00
persistence_ec2_route_table_modified_or_deleted.toml
[Rule Tunings] AWS Route Table Created / AWS EC2 Route Table Modified or Deleted (#5064)
2025-09-11 15:35:16 -04:00
persistence_ec2_security_group_configuration_change_detection.toml
[Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules (#4892)
2025-07-18 19:15:36 -04:00
persistence_iam_api_calls_via_user_session_token.toml
[Rule Tuning] AWS IAM API Calls via Temporary Session Tokens (#4901)
2025-07-15 19:13:16 -04:00
persistence_iam_create_login_profile_for_root.toml
[Rule Tunings] AWS Root Access Rules (#5218)
2025-10-15 13:58:32 -04:00
persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml
[Tuning] AWS IAM Create User via Assumed Role on EC2 Instance (#5063)
2025-09-11 15:11:40 -04:00
persistence_iam_group_creation.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_iam_roles_anywhere_profile_created.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_iam_user_created_access_keys_for_another_user.toml
[Rule Tuning] AWS User Created Access Keys For Another User (#5212)
2025-10-16 12:57:57 -04:00
persistence_lambda_backdoor_invoke_function_for_any_principal.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_rds_cluster_creation.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_rds_db_instance_password_modified.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_rds_group_creation.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_rds_instance_creation.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_rds_instance_made_public.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_redshift_instance_creation.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_route_53_domain_transfer_lock_disabled.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_route_53_domain_transferred_to_another_account.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_route_53_hosted_zone_associated_with_a_vpc.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_route_table_created.toml
[Rule Tunings] AWS Route Table Created / AWS EC2 Route Table Modified or Deleted (#5064)
2025-09-11 15:35:16 -04:00
persistence_sts_assume_role_with_new_mfa.toml
[Rule Tuning] AWS STS AssumeRole with New MFA Device (#4999)
2025-08-22 14:48:39 -04:00
privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml
[Rule Tunings] AWS IAM Administrator Access Policy Attached to Group/Role/User (#5215)
2025-10-16 12:22:56 -04:00
privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml
[Rule Tunings] AWS IAM Administrator Access Policy Attached to Group/Role/User (#5215)
2025-10-16 12:22:56 -04:00
privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml
[Rule Tunings] AWS IAM Administrator Access Policy Attached to Group/Role/User (#5215)
2025-10-16 12:22:56 -04:00
privilege_escalation_iam_customer_managed_policy_attached_to_role.toml
Prep 9.2 (#5231)
2025-10-17 21:01:13 +05:30
privilege_escalation_iam_saml_provider_updated.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_iam_update_assume_role_policy.toml
Prep 9.2 (#5231)
2025-10-17 21:01:13 +05:30
privilege_escalation_role_assumption_by_service.toml
[Rule Tunings] AWS Role Assumption By Service / User (#4827)
2025-06-24 18:07:18 -04:00
privilege_escalation_role_assumption_by_user.toml
[Rule Tunings] AWS Role Assumption By Service / User (#4827)
2025-06-24 18:07:18 -04:00
privilege_escalation_root_login_without_mfa.toml
[Rule Tuning][Deprecation] AWS Root Console Login Rules (#5201)
2025-10-15 14:16:02 -04:00
privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_sts_getsessiontoken_abuse.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_sts_role_chaining.toml
Update privilege_escalation_sts_role_chaining.toml (#5180)
2025-10-06 11:29:41 -04:00
resource_development_sns_topic_created_by_rare_user.toml
[Rule Tunings] AWS SNS new Terms rules (#5082)
2025-09-11 17:25:04 -04:00