security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
dc7d8960de7f3be71fb1c072218183579413e75c
sigma-rules/rules/integrations/aws
T
History
Isai c5dbd90662 [Rule Tunings] Add Console Session Filtering to AWS Temporary Credential Detection Rules (#5781) 
* [Rule Tuningw] Add Console Session Filtering to AWS Temporary Credential Detection Rules

Added `aws.cloudtrail.session_credential_from_console` field filtering to 2 rules to reduce false positives from legitimate console login sessions. Console logins automatically issue temporary "ASIA" credentials, which previously triggered alerts for rules monitoring session token abuse.

- Updated false positives sections to reflect automatic console session filtering
- Updated investigation guides to note that alerts indicate non-console temporary credential usage
- min_stack_version = "9.2.0" because this field was introduced in AWS Integration version 4.6.0. 9.2.0 is the earliest major stack version supported.

Impact
- Significantly reduces false positives from legitimate AWS Management Console usage
- Improves rule fidelity by focusing detection on programmatic abuse of temporary credentials (CLI, SDK, stolen credentials)

* update boolean field value for aws.cloudtrail.session_credential_from_console

update boolean field value for aws.cloudtrail.session_credential_from_console

* removing filebeat compatibility

removing filebeat compatibility
2026-02-26 17:21:18 -05:00
..
collection_cloudtrail_logging_created.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
collection_s3_unauthenticated_bucket_access_by_rare_source.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
credential_access_aws_getpassword_for_ec2_instance.toml
[Rule Tuning] AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role (#4774)
2025-06-06 15:08:48 -04:00
credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml
[Rule Tuning] AWS IAM CompromisedKeyQuarantine Policy Attached to User (#5281)
2025-11-17 16:25:38 -05:00
credential_access_iam_user_addition_to_group.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
credential_access_new_terms_secretsmanager_getsecretvalue.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
[Rule Tuning] Rapid Secret Retrieval Attempts from AWS SecretsManager (#5291)
2025-11-24 10:37:07 -05:00
credential_access_retrieve_secure_string_parameters_via_ssm.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
credential_access_root_console_failure_brute_force.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
defense_evasion_cloudtrail_logging_deleted.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
defense_evasion_cloudtrail_logging_evasion.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
defense_evasion_cloudtrail_logging_suspended.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
defense_evasion_cloudwatch_alarm_deletion.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
defense_evasion_config_service_rule_deletion.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
defense_evasion_configuration_recorder_stopped.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
defense_evasion_ec2_flow_log_deletion.toml
[Rule Tunings] AWS EC2 Flow Log Deletion and Network ACL Activity (#4778)
2025-06-06 14:11:54 -04:00
defense_evasion_ec2_network_acl_deletion.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
defense_evasion_ec2_serial_console_access_enabled.toml
[New Rule] AWS EC2 Serial Console Access Enabled (#5687)
2026-02-06 17:34:55 -05:00
defense_evasion_guardduty_detector_deletion.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
defense_evasion_guardduty_member_manipulation.toml
[New Rule] AWS GuardDuty Member Account Manipulation (#5688)
2026-02-17 16:32:20 -05:00
defense_evasion_rds_instance_restored.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
defense_evasion_route53_dns_query_resolver_config_deletion.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
defense_evasion_s3_bucket_configuration_deletion.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
defense_evasion_s3_bucket_lifecycle_expiration_added.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
defense_evasion_s3_bucket_server_access_logging_disabled.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
defense_evasion_sqs_purge_queue.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
defense_evasion_sts_get_federation_token.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml
[Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules (#4892)
2025-07-18 19:15:36 -04:00
defense_evasion_waf_acl_deletion.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
defense_evasion_waf_rule_or_rule_group_deletion.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
discovery_ec2_deprecated_ami_discovery.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
discovery_ec2_userdata_request_for_ec2_instance.toml
[Rule Tunings] AWS New Terms History Window Reduction (#5479)
2025-12-18 11:47:59 -05:00
discovery_iam_principal_enumeration_via_update_assume_role_policy.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
discovery_multiple_discovery_api_calls_via_cli.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
discovery_new_terms_sts_getcalleridentity.toml
[Rule Tuning] AWS STS GetCallerIdentity API Called for the First Time (#4995)
2025-08-25 11:44:58 -04:00
discovery_servicequotas_multi_region_service_quota_requests.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
discovery_ssm_inventory_reconnaissance.toml
[New Rule] AWS SSM Inventory Reconnaissance by Rare User (#5724)
2026-02-18 15:50:14 -05:00
execution_lambda_external_layer_added_to_function.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
execution_new_terms_cloudformation_createstack.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
execution_ssm_command_document_created_by_rare_user.toml
[Rule Tunings] AWS SSM Command Document Created by Rare User (#4848)
2025-06-27 13:24:27 -04:00
execution_ssm_sendcommand_by_rare_user.toml
[Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules (#4892)
2025-07-18 19:15:36 -04:00
exfiltration_dynamodb_scan_by_unusual_user.toml
[Rule Tunings] AWS DynamoDB new terms Rules (#5074)
2025-09-11 16:59:39 -04:00
exfiltration_dynamodb_table_exported_to_s3.toml
[Rule Tunings] AWS DynamoDB new terms Rules (#5074)
2025-09-11 16:59:39 -04:00
exfiltration_ec2_ami_shared_with_separate_account.toml
[Rule Tuning] AWS EC2 AMI Shared with Another Account (#4914)
2025-07-21 10:12:13 +05:30
exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
exfiltration_ec2_export_task.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
exfiltration_ec2_full_network_packet_capture_detected.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
exfiltration_rds_snapshot_export.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
exfiltration_rds_snapshot_shared_with_another_account.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
exfiltration_s3_bucket_policy_added_for_external_account_access.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
exfiltration_s3_bucket_policy_added_for_public_access.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
exfiltration_s3_bucket_replicated_to_external_account.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
exfiltration_sns_rare_protocol_subscription_by_user.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
impact_aws_eventbridge_rule_disabled_or_deleted.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
impact_aws_s3_bucket_enumeration_or_brute_force.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
impact_cloudtrail_logging_updated.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
impact_cloudwatch_log_group_deletion.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
impact_cloudwatch_log_stream_deletion.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
impact_ec2_disable_ebs_encryption.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
impact_ec2_ebs_snapshot_access_removed.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
impact_efs_filesystem_deleted.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
impact_iam_deactivate_mfa_device.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
impact_iam_group_deletion.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
impact_rds_instance_cluster_deletion_protection_disabled.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
impact_rds_instance_cluster_deletion.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
impact_rds_snapshot_deleted.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
impact_s3_bucket_object_uploaded_with_ransom_keyword.toml
[Rule Tuning] Potential AWS S3 Bucket Ransomware Note Uploaded (#5739)
2026-02-20 10:41:42 -05:00
impact_s3_excessive_object_encryption_with_sse_c.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
impact_s3_object_encryption_with_external_key.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
impact_s3_object_versioning_disabled.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
impact_s3_static_site_js_file_uploaded.toml
[Rule Tuning] Add Missing Metadata to KEEP conditions (#5442)
2025-12-09 17:05:20 -08:00
impact_s3_unusual_object_encryption_with_sse_c.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
initial_access_console_login_root.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
initial_access_iam_session_token_used_from_multiple_addresses.toml
[Rule Tuning] AWS Access Token Used from Multiple Addresses (#5412)
2025-12-05 11:48:22 -05:00
initial_access_kali_user_agent_detected_with_aws_cli.toml
[Rule Tuning] AWS CLI with Kali Linux Fingerprint Identified (#5467)
2025-12-18 16:13:34 -05:00
initial_access_password_recovery.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
initial_access_signin_console_login_federated_user.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
lateral_movement_aws_ssm_start_session_to_ec2_instance.toml
[Rule Tuning] SSM Session Started to EC2 Instance (#5068)
2025-09-11 15:54:31 -04:00
lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
lateral_movement_ec2_instance_console_login.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
lateral_movement_sns_topic_message_publish_by_rare_user.toml
[Rule Tunings] AWS SNS new Terms rules (#5082)
2025-09-11 17:25:04 -04:00
ml_cloudtrail_error_message_spike.toml
add mitre attack rules for ML job rules, bump dates (#5333)
2025-12-01 15:48:59 -06:00
ml_cloudtrail_rare_error_code.toml
add mitre attack rules for ML job rules, bump dates (#5333)
2025-12-01 15:48:59 -06:00
ml_cloudtrail_rare_method_by_city.toml
add mitre attack rules for ML job rules, bump dates (#5333)
2025-12-01 15:48:59 -06:00
ml_cloudtrail_rare_method_by_country.toml
add mitre attack rules for ML job rules, bump dates (#5333)
2025-12-01 15:48:59 -06:00
ml_cloudtrail_rare_method_by_user.toml
add mitre attack rules for ML job rules, bump dates (#5333)
2025-12-01 15:48:59 -06:00
NOTICE.txt
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 15:24:56 -06:00
persistence_aws_attempt_to_register_virtual_mfa_device.toml
[Rule Tunings] Add Console Session Filtering to AWS Temporary Credential Detection Rules (#5781)
2026-02-26 17:21:18 -05:00
persistence_ec2_network_acl_creation.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
persistence_ec2_route_table_modified_or_deleted.toml
[Rule Tunings] AWS Route Table Created / AWS EC2 Route Table Modified or Deleted (#5064)
2025-09-11 15:35:16 -04:00
persistence_ec2_security_group_configuration_change_detection.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
persistence_iam_api_calls_via_user_session_token.toml
[Rule Tunings] Add Console Session Filtering to AWS Temporary Credential Detection Rules (#5781)
2026-02-26 17:21:18 -05:00
persistence_iam_create_login_profile_for_root.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml
[Tuning] AWS IAM Create User via Assumed Role on EC2 Instance (#5063)
2025-09-11 15:11:40 -04:00
persistence_iam_group_creation.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
persistence_iam_oidc_provider_created.toml
[New Rules] AWS IAM new identity federation provider rules (#5691)
2026-02-18 15:17:13 -05:00
persistence_iam_roles_anywhere_profile_created.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
persistence_iam_saml_provider_created.toml
[New Rules] AWS IAM new identity federation provider rules (#5691)
2026-02-18 15:17:13 -05:00
persistence_iam_user_created_access_keys_for_another_user.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
persistence_lambda_backdoor_invoke_function_for_any_principal.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
persistence_rds_db_instance_password_modified.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
persistence_rds_instance_made_public.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
persistence_route_53_domain_transfer_lock_disabled.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
persistence_route_53_domain_transferred_to_another_account.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
persistence_route_53_hosted_zone_associated_with_a_vpc.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
persistence_route_table_created.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
persistence_sensitive_operations_via_cloudshell.toml
[New Rule] AWS Sensitive IAM Operations Performed via CloudShell (#5718)
2026-02-18 15:29:53 -05:00
persistence_sts_assume_role_with_new_mfa.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
privilege_escalation_iam_customer_managed_policy_attached_to_role.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
privilege_escalation_iam_saml_provider_updated.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
privilege_escalation_iam_update_assume_role_policy.toml
[Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603)
2026-01-22 15:01:49 -05:00
privilege_escalation_role_assumption_by_service.toml
[Rule Tunings] AWS New Terms History Window Reduction (#5479)
2025-12-18 11:47:59 -05:00
privilege_escalation_role_assumption_by_user.toml
[Rule Tunings] AWS New Terms History Window Reduction (#5479)
2025-12-18 11:47:59 -05:00
privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
privilege_escalation_sts_role_chaining.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00
resource_development_sns_topic_created_by_rare_user.toml
[Rule Tunings] AWS Removing Disclaimer from IGs (#5567)
2026-01-20 15:52:48 -05:00