security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
edef90b3ec88e042eae06b218ef9accd0e056945
sigma-rules/rules/integrations/aws
T
History
Jonhnathan edef90b3ec [Security Content] Add Investigation Guides to Cloud Rules - AWS (#2104) 
* [Security Content] Add Investigation Guides to Cloud Rules - AWS

* Apply suggestion from review

* Update rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Apply suggestions from review

* Apply suggestions from code review

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* .

* Applies suggestions from the https://github.com/elastic/detection-rules/pull/2124 PR

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

(cherry picked from commit d854b943e5)
2022-07-20 15:30:04 +00:00
..
collection_cloudtrail_logging_created.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
credential_access_aws_iam_assume_role_brute_force.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
credential_access_iam_user_addition_to_group.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
credential_access_root_console_failure_brute_force.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
credential_access_secretsmanager_getsecretvalue.toml
[Security Content] Add Investigation Guides to Cloud Rules - AWS (#2104)
2022-07-20 15:30:04 +00:00
defense_evasion_cloudtrail_logging_deleted.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
defense_evasion_cloudtrail_logging_suspended.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
defense_evasion_cloudwatch_alarm_deletion.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
defense_evasion_config_service_rule_deletion.toml
[Security Content] Add Investigation Guides to Cloud Rules - AWS (#2104)
2022-07-20 15:30:04 +00:00
defense_evasion_configuration_recorder_stopped.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
defense_evasion_ec2_flow_log_deletion.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
defense_evasion_ec2_network_acl_deletion.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
defense_evasion_elasticache_security_group_creation.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
defense_evasion_elasticache_security_group_modified_or_deleted.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
defense_evasion_guardduty_detector_deletion.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
defense_evasion_s3_bucket_configuration_deletion.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
defense_evasion_waf_acl_deletion.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
defense_evasion_waf_rule_or_rule_group_deletion.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
exfiltration_ec2_full_network_packet_capture_detected.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
exfiltration_ec2_snapshot_change_activity.toml
[Security Content] Add Investigation Guides to Cloud Rules - AWS (#2104)
2022-07-20 15:30:04 +00:00
exfiltration_ec2_vm_export_failure.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
exfiltration_rds_snapshot_export.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
exfiltration_rds_snapshot_restored.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
impact_aws_eventbridge_rule_disabled_or_deleted.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
impact_cloudtrail_logging_updated.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
impact_cloudwatch_log_group_deletion.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
impact_cloudwatch_log_stream_deletion.toml
[Security Content] Add Investigation Guides to Cloud Rules - AWS (#2104)
2022-07-20 15:30:04 +00:00
impact_ec2_disable_ebs_encryption.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
impact_efs_filesystem_or_mount_deleted.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
impact_iam_deactivate_mfa_device.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
impact_iam_group_deletion.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
impact_rds_group_deletion.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
impact_rds_instance_cluster_deletion.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
impact_rds_instance_cluster_stoppage.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
initial_access_console_login_root.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
initial_access_password_recovery.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
initial_access_via_system_manager.toml
[Security Content] Add Investigation Guides to Cloud Rules - AWS (#2104)
2022-07-20 15:30:04 +00:00
ml_cloudtrail_error_message_spike.toml
[Security Content] Add Investigation Guides to Cloud Rules - AWS (#2104)
2022-07-20 15:30:04 +00:00
ml_cloudtrail_rare_error_code.toml
[Security Content] Add Investigation Guides to Cloud Rules - AWS (#2104)
2022-07-20 15:30:04 +00:00
ml_cloudtrail_rare_method_by_city.toml
[Security Content] Add Investigation Guides to Cloud Rules - AWS (#2104)
2022-07-20 15:30:04 +00:00
ml_cloudtrail_rare_method_by_country.toml
[Security Content] Add Investigation Guides to Cloud Rules - AWS (#2104)
2022-07-20 15:30:04 +00:00
ml_cloudtrail_rare_method_by_user.toml
[Security Content] Add Investigation Guides to Cloud Rules - AWS (#2104)
2022-07-20 15:30:04 +00:00
NOTICE.txt
Linux Shell Evasion Rule Tuning (#1878)
2022-03-29 21:03:35 -04:00
persistence_ec2_network_acl_creation.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
persistence_ec2_security_group_configuration_change_detection.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
persistence_iam_group_creation.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
persistence_rds_cluster_creation.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
persistence_rds_group_creation.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
persistence_rds_instance_creation.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
persistence_redshift_instance_creation.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
persistence_route_53_domain_transfer_lock_disabled.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
persistence_route_53_domain_transferred_to_another_account.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
persistence_route_53_hosted_zone_associated_with_a_vpc.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
persistence_route_table_created.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
persistence_route_table_modified_or_deleted.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
privilege_escalation_aws_suspicious_saml_activity.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
privilege_escalation_root_login_without_mfa.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
privilege_escalation_sts_assumerole_usage.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
privilege_escalation_sts_getsessiontoken_abuse.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00
privilege_escalation_updateassumerolepolicy.toml
2058 add setup field to metadata (#2061)
2022-07-18 21:25:32 +00:00