security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e22f60f44cf1a87d23ba46292e15ff58c8e95545
sigma-rules/rules
T
History
Isai e22f60f44c [Tuning] AWS IAM Create User via Assumed Role on EC2 Instance (#5063) 
- query change : I chose to replace `aws.cloudtrail.user_identity.arn` with `user.id` and a more accurate wildcard pattern. This will reduce the chances of this rule triggering for role sessions outside of those started by EC2 instances. The wildcard pattern looks for a role session name that starts with `i-` this is because when an EC2 instance operates using it's attached Role (instance profile), the session name attached to that role name is the instance id (`i-......`). The `user.id` field appends this session name to the role name via a standard pattern `:[session_name]`, making it a more reliable field to use in this case.
- small edits to description and IG
- reduced execution window
- reduced history window
- edited highlighted fields
Note: the new_terms field here remains `aws.cloudtrail.user_identity.arn` because we are only interested in assumed roles, and even more particular, only those used by an EC2 instance. This means we want to evaluate each individual instance's behavior rather than the broader behavior of the role itself. The arn field will capture each instance id (session name) alongside the role itself.
2025-09-11 15:11:40 -04:00
..
_deprecated
[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912)
2025-08-05 19:35:41 -04:00
apm
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
cross-platform
[New] Command Line Obfuscation via Whitespace Padding (#4860)
2025-08-18 15:26:52 +01:00
integrations
[Tuning] AWS IAM Create User via Assumed Role on EC2 Instance (#5063)
2025-09-11 15:11:40 -04:00
linux
[Rule Tuning] Beats & Endgame Indices (#5072)
2025-09-09 13:19:13 -05:00
macos
Update command_and_control_unusual_network_connection_to_suspicious_web_service.toml (#5008)
2025-08-26 13:03:59 +01:00
ml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
network
[Rule Tuning] Reduce Severity from Critical to High (#4637)
2025-05-06 21:37:47 +05:30
promotions
Tune a Tag discrepency in rule (#5053)
2025-09-02 21:12:06 +05:30
threat_intel
[Rule Tuning] Reduce Severity from Critical to High (#4637)
2025-05-06 21:37:47 +05:30
windows
Delete Development Rules (#5084)
2025-09-10 23:24:28 +05:30
README.md
[New Rule] Endpoint Security Behavior Protection (#1440)
2021-08-25 09:56:59 -06:00

README.md

rules/

Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)

folder description
. Root directory where rules are stored
apm/ Rules that use Application Performance Monitoring (APM) data sources
cross-platform/ Rules that apply to multiple platforms, such as Windows and Linux
integrations/ Rules organized by Fleet integration
linux/ Rules for Linux or other Unix based operating systems
macos/ Rules for macOS
ml/ Rules that use machine learning jobs (ML)
network/ Rules that use network data sources
promotions/ Rules that promote external alerts into detection engine alerts
windows/ Rules for the Microsoft Windows Operating System

Integration specific rules are stored in the integrations/ directory:

folder integration
aws/ Amazon Web Services (AWS)
azure/ Microsoft Azure
cyberarkpas/ Cyber Ark Privileged Access Security
endpoint/ Elastic Endpoint Security
gcp/ Google Cloud Platform (GCP)
google_workspace/ Google Workspace (formerly GSuite)
o365/ Microsoft Office
okta/ Oka
Reference in New Issue View Git Blame Copy Permalink