db1f8d1fab
* [Rule Tuning] Potential AWS S3 Bucket Ransomware Note Uploaded

  - changed this from ESQL to EQL. While initially we were only able to isolate uploaded file names using the `aws.cloudtrail.request_parameters` field, we now can use the `target.entity.id` field to isolate the uploaded file ARN. I've adjusted the regex pattern to distinguish between the bucket name and the file uploaded, both of which are included in the `target.entity.id` field.
  - I chose EQL instead of ESQL to 1. provide more meaningful alert context to the user and 2. allow for easier exclusions for the user. Right now these alerts aren't generating much meaningful context.
  - edits to description
  - new investigation guide using specific AWS IR Ransomware Playbooks as additional context
  - additional MITRE technique

* added highlighted fields

* fixed MITRE reference

* added cloudtrail index mapping

* Update rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_extension.toml

  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* using `aws.cloudtrail.resources.arn` instead of `target.entity.id`

* Apply suggestions from code review

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
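The bucket/object split the commit describes, written out as an added example (not code from the commit or from the detection-rules repository): the S3 ARN carried in `aws.cloudtrail.resources.arn` is split into bucket name, object key and file extension, so the extension can be compared against whatever list the rule uses. The sample ARNs and the extension set are constructed placeholders.

```python
import re
from typing import Optional

# An S3 object ARN as seen in aws.cloudtrail.resources.arn looks like
#   arn:aws:s3:::<bucket>/<object key>
# The bucket name ends at the first "/"; the object key is everything after
# it and may itself contain "/". A bucket-level event has no "/" at all.
# "aws[a-z-]*" also accepts the aws-cn and aws-us-gov partitions.
S3_ARN = re.compile(r"^arn:aws[a-z-]*:s3:::(?P<bucket>[^/]+)(?:/(?P<key>.+))?$")


def parse_s3_arn(arn: str) -> Optional[dict]:
    """Split an S3 ARN into bucket, key, file name and lower-cased extension.

    Returns None for non-S3 ARNs; key-related fields are None for a
    bucket-only ARN.
    """
    m = S3_ARN.match(arn)
    if not m:
        return None
    bucket, key = m.group("bucket"), m.group("key")
    file_name = key.rsplit("/", 1)[-1] if key else None
    # The extension is the text after the final "." in the file name, if any.
    ext = None
    if file_name and "." in file_name:
        ext = file_name.rsplit(".", 1)[-1].lower()
    return {"bucket": bucket, "key": key, "file_name": file_name, "extension": ext}


def has_extension(arn: str, watched: set[str]) -> bool:
    """True when the uploaded object's extension is in the caller-supplied set.

    `watched` is a placeholder for the extension list the rule itself carries.
    """
    parsed = parse_s3_arn(arn)
    return bool(parsed and parsed["extension"] in watched)


# Constructed sample ARNs, not real CloudTrail data.
SAMPLE_ARNS = [
    "arn:aws:s3:::corp-backups/2024/db/dump.sql.gz",
    "arn:aws:s3:::corp-backups/notes/README.example-ext",
    "arn:aws:s3:::corp-backups",
]

if __name__ == "__main__":
    for sample in SAMPLE_ARNS:
        print(parse_s3_arn(sample))
```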