security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
dc7d8960de7f3be71fb1c072218183579413e75c
sigma-rules/rules/integrations
T
History
Isai c5dbd90662 [Rule Tunings] Add Console Session Filtering to AWS Temporary Credential Detection Rules (#5781) 
* [Rule Tuningw] Add Console Session Filtering to AWS Temporary Credential Detection Rules

Added `aws.cloudtrail.session_credential_from_console` field filtering to 2 rules to reduce false positives from legitimate console login sessions. Console logins automatically issue temporary "ASIA" credentials, which previously triggered alerts for rules monitoring session token abuse.

- Updated false positives sections to reflect automatic console session filtering
- Updated investigation guides to note that alerts indicate non-console temporary credential usage
- min_stack_version = "9.2.0" because this field was introduced in AWS Integration version 4.6.0. 9.2.0 is the earliest major stack version supported.

Impact
- Significantly reduces false positives from legitimate AWS Management Console usage
- Improves rule fidelity by focusing detection on programmatic abuse of temporary credentials (CLI, SDK, stolen credentials)

* update boolean field value for aws.cloudtrail.session_credential_from_console

update boolean field value for aws.cloudtrail.session_credential_from_console

* removing filebeat compatibility

removing filebeat compatibility
2026-02-26 17:21:18 -05:00
..
aws
[Rule Tunings] Add Console Session Filtering to AWS Temporary Credential Detection Rules (#5781)
2026-02-26 17:21:18 -05:00
aws_bedrock
[Tuning] Add mv_expand for gen_ai.policy.action field (#5296)
2025-11-11 07:37:40 +05:30
azure
adjusted min-stack (#5763)
2026-02-23 17:31:36 -05:00
azure_openai
[Rule Tuning] Updated ESQL Rules Based on Validation Results (#5151)
2025-09-30 00:36:29 -04:00
beaconing
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
cloud_defend
[New/Tuning] Misc. D4C Rules (#5710)
2026-02-12 10:52:16 +01:00
cyberarkpas
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
ded
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
dga
[Rule Tuning] Reduce Severity from Critical to High (#4637)
2025-05-06 21:37:47 +05:30
endpoint
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
fim
[Rule Tuning] Potential Persistence via File Modification (#5404)
2025-12-05 10:32:58 +01:00
gcp
Add rules for Azure Activity Logs/GCP Audit ML jobs (#5191)
2025-11-26 13:15:23 -05:00
github
[Rule Tuning] Dormant & Deprecated Rule Clean-Up (#5672)
2026-02-05 13:24:21 +01:00
google_workspace
Fix spacing in Setup information (#4470)
2025-02-20 10:04:13 +05:30
kubernetes
Monthly Manifest and Schema Updation (#5697)
2026-02-10 09:17:04 +05:30
lmd
[Tuning] Adds host metadata to the setup requirements (#5719)
2026-02-18 17:04:40 +00:00
o365
[New Rule] Microsoft 365 SharePoint/OneDrive Sensitive Search and File Access (#5777)
2026-02-26 14:29:14 -05:00
okta
[New Rule] Okta User Authentication via Proxy Followed by Security Alert (#5752)
2026-02-26 11:32:25 -05:00
pad
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
problemchild
[Rule Tuning] Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score (#5523) (#5686)
2026-02-05 15:54:26 -05:00