security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
dev-v1.5.13
sigma-rules/rules/integrations/aws
T
History
Isai 5c1ee125df [Rule Tuning] AWS GetSessionToken Abuse (#5274) 
This rule is extremely loud in telemetry with no meaningful way to reduce false positives. The behavior it's capturing is common behavior, however can be used for threat hunting, investigation and further correlation with other detection rules. I'm moving this to a BBR rule with a few changes:
- removed IAMUser specification in the query. Temporary sessions can be created by both IAM Users and the Root Account. This rule should capture both instances.
- reduced execution window
- name change to AWS GetSessionToken Usage as this captured behavior is not indicative of abuse
- added highlighted fields
- updated description, FP and IG
2025-11-14 04:14:13 -05:00
..
collection_cloudtrail_logging_created.toml
[Rule Tuning] AWS Cloudtrail Created/Updated/Suspended/Deleted (#5292)
2025-11-14 02:48:52 -05:00
collection_s3_unauthenticated_bucket_access_by_rare_source.toml
[Tuning] AWS S3 Unauthenticated Bucket Access by Rare Source (#5075)
2025-09-11 17:13:41 -04:00
credential_access_aws_getpassword_for_ec2_instance.toml
[Rule Tuning] AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role (#4774)
2025-06-06 15:08:48 -04:00
credential_access_aws_iam_assume_role_brute_force.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
credential_access_iam_user_addition_to_group.toml
[Rule Tunings] AWS Group Creation, User Added to Group, Group Deletion (#5269)
2025-11-14 02:34:28 -05:00
credential_access_new_terms_secretsmanager_getsecretvalue.toml
[Rule Tuning] First Time Seen AWS Secret Value Accessed in Secrets Manager (#4992)
2025-08-25 12:00:47 -04:00
credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
Replace master doc URLs with current (#4439)
2025-02-03 21:27:50 +05:30
credential_access_retrieve_secure_string_parameters_via_ssm.toml
[Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules (#4892)
2025-07-18 19:15:36 -04:00
credential_access_root_console_failure_brute_force.toml
[Rule Tuning][Deprecation] AWS Root Console Login Rules (#5201)
2025-10-15 14:16:02 -04:00
defense_evasion_cloudtrail_logging_deleted.toml
[Rule Tuning] AWS Cloudtrail Created/Updated/Suspended/Deleted (#5292)
2025-11-14 02:48:52 -05:00
defense_evasion_cloudtrail_logging_evasion.toml
[New Rule] AWS CloudTrail Log Evasion (#4788)
2025-06-17 13:58:26 -04:00
defense_evasion_cloudtrail_logging_suspended.toml
[Rule Tuning] AWS Cloudtrail Created/Updated/Suspended/Deleted (#5292)
2025-11-14 02:48:52 -05:00
defense_evasion_cloudwatch_alarm_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_config_service_rule_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_configuration_recorder_stopped.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_ec2_flow_log_deletion.toml
[Rule Tunings] AWS EC2 Flow Log Deletion and Network ACL Activity (#4778)
2025-06-06 14:11:54 -04:00
defense_evasion_ec2_network_acl_deletion.toml
[Rule Tunings] AWS EC2 Flow Log Deletion and Network ACL Activity (#4778)
2025-06-06 14:11:54 -04:00
defense_evasion_elasticache_security_group_creation.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_elasticache_security_group_modified_or_deleted.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_guardduty_detector_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_rds_instance_restored.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_route53_dns_query_resolver_config_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_s3_bucket_configuration_deletion.toml
[Rule Tuning] AWS S3 Bucket Configuration Deletion (#5265)
2025-11-14 01:49:14 -05:00
defense_evasion_s3_bucket_lifecycle_expiration_added.toml
[Rule Tuning] AWS S3 Bucket Expiration Lifecycle Configuration Added (#5251)
2025-11-10 11:25:06 -05:00
defense_evasion_s3_bucket_server_access_logging_disabled.toml
[Rule Tuning] AWS S3 Bucket Server Access Logging Disabled (#5254)
2025-11-10 11:36:55 -05:00
defense_evasion_sqs_purge_queue.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_sts_get_federation_token.toml
[Tuning] First Occurrence of STS GetFederationToken Request by User (#5007)
2025-08-29 13:08:59 -04:00
defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml
[Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules (#4892)
2025-07-18 19:15:36 -04:00
defense_evasion_waf_acl_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_waf_rule_or_rule_group_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
discovery_ec2_deprecated_ami_discovery.toml
[Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules (#4892)
2025-07-18 19:15:36 -04:00
discovery_ec2_multi_region_describe_instances.toml
[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912)
2025-08-05 19:35:41 -04:00
discovery_ec2_multiple_discovery_api_calls_via_cli.toml
[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912)
2025-08-05 19:35:41 -04:00
discovery_ec2_userdata_request_for_ec2_instance.toml
[Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules (#4892)
2025-07-18 19:15:36 -04:00
discovery_new_terms_sts_getcalleridentity.toml
[Rule Tuning] AWS STS GetCallerIdentity API Called for the First Time (#4995)
2025-08-25 11:44:58 -04:00
discovery_servicequotas_multi_region_service_quota_requests.toml
[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912)
2025-08-05 19:35:41 -04:00
execution_lambda_external_layer_added_to_function.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
execution_new_terms_cloudformation_createstack.toml
[Tuning] First Time AWS Cloudformation Stack Creation by User (#5036)
2025-08-29 12:36:21 -04:00
execution_ssm_command_document_created_by_rare_user.toml
[Rule Tunings] AWS SSM Command Document Created by Rare User (#4848)
2025-06-27 13:24:27 -04:00
execution_ssm_sendcommand_by_rare_user.toml
[Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules (#4892)
2025-07-18 19:15:36 -04:00
exfiltration_dynamodb_scan_by_unusual_user.toml
[Rule Tunings] AWS DynamoDB new terms Rules (#5074)
2025-09-11 16:59:39 -04:00
exfiltration_dynamodb_table_exported_to_s3.toml
[Rule Tunings] AWS DynamoDB new terms Rules (#5074)
2025-09-11 16:59:39 -04:00
exfiltration_ec2_ami_shared_with_separate_account.toml
[Rule Tuning] AWS EC2 AMI Shared with Another Account (#4914)
2025-07-21 10:12:13 +05:30
exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml
[Rule Tunings] AWS EC2 EBS Snapshot and Encryption Rules (#5229)
2025-11-10 12:08:31 -05:00
exfiltration_ec2_export_task.toml
[New Rule][Deprecation] AWS EC2 Export Task Rules (#5248)
2025-11-10 11:15:13 -05:00
exfiltration_ec2_full_network_packet_capture_detected.toml
[Rule Tuning] AWS EC2 Full Network Packet Capture Detected (#5244)
2025-11-10 10:49:17 -05:00
exfiltration_ec2_vm_export_failure.toml
[New Rule][Deprecation] AWS EC2 Export Task Rules (#5248)
2025-11-10 11:15:13 -05:00
exfiltration_rds_snapshot_export.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
exfiltration_rds_snapshot_shared_with_another_account.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
exfiltration_s3_bucket_policy_added_for_external_account_access.toml
[Rule Tuning][New Rule] AWS S3 Bucket Policy Added to Share with External Account/ to Allow Public Access (#5268)
2025-11-07 16:25:05 -05:00
exfiltration_s3_bucket_policy_added_for_public_access.toml
[Rule Tuning][New Rule] AWS S3 Bucket Policy Added to Share with External Account/ to Allow Public Access (#5268)
2025-11-07 16:25:05 -05:00
exfiltration_s3_bucket_replicated_to_external_account.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
exfiltration_sns_rare_protocol_subscription_by_user.toml
[Rule Tunings] AWS SNS new Terms rules (#5082)
2025-09-11 17:25:04 -04:00
impact_aws_eventbridge_rule_disabled_or_deleted.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_aws_s3_bucket_enumeration_or_brute_force.toml
[Rule Tuning] AWS S3 Bucket Enumeration or Brute Force (#5173)
2025-10-06 11:53:41 -04:00
impact_cloudtrail_logging_updated.toml
[Rule Tuning] AWS Cloudtrail Created/Updated/Suspended/Deleted (#5292)
2025-11-14 02:48:52 -05:00
impact_cloudwatch_log_group_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_cloudwatch_log_stream_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_ec2_disable_ebs_encryption.toml
[Rule Tunings] AWS EC2 EBS Snapshot and Encryption Rules (#5229)
2025-11-10 12:08:31 -05:00
impact_ec2_ebs_snapshot_access_removed.toml
[Rule Tunings] AWS EC2 EBS Snapshot and Encryption Rules (#5229)
2025-11-10 12:08:31 -05:00
impact_efs_filesystem_or_mount_deleted.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_iam_deactivate_mfa_device.toml
[New Rule] AWS STS AssumeRole with New MFA Device [Rule Tuning] AWS IAM Deactivation of MFA Device (#4210)
2024-11-05 02:09:05 -05:00
impact_iam_group_deletion.toml
[Rule Tunings] AWS Group Creation, User Added to Group, Group Deletion (#5269)
2025-11-14 02:34:28 -05:00
impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_rds_group_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_rds_instance_cluster_deletion_protection_disabled.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_rds_instance_cluster_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_rds_instance_cluster_stoppage.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_rds_snapshot_deleted.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_s3_bucket_object_uploaded_with_ransom_extension.toml
[Rule Tuning] Potential AWS S3 Bucket Ransomware Note Uploaded (#5149)
2025-10-06 10:33:51 -04:00
impact_s3_excessive_object_encryption_with_sse_c.toml
[Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules (#4892)
2025-07-18 19:15:36 -04:00
impact_s3_object_encryption_with_external_key.toml
[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912)
2025-08-05 19:35:41 -04:00
impact_s3_object_versioning_disabled.toml
[Rule Tuning] AWS S3 Object Versioning Suspended (#5261)
2025-11-07 17:09:24 -05:00
impact_s3_static_site_js_file_uploaded.toml
[Rule Tuning] AWS S3 Static Site Javascript File Uploaded (#5264)
2025-11-07 17:00:56 -05:00
impact_s3_unusual_object_encryption_with_sse_c.toml
[Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules (#4892)
2025-07-18 19:15:36 -04:00
initial_access_console_login_root.toml
[Rule Tuning][Deprecation] AWS Root Console Login Rules (#5201)
2025-10-15 14:16:02 -04:00
initial_access_iam_session_token_used_from_multiple_addresses.toml
[Tuning] AWS Access Token Used from Multiple Addresses (#5055)
2025-09-11 17:43:12 -04:00
initial_access_kali_user_agent_detected_with_aws_cli.toml
[New Rule] Adding Coverage for AWS CLI with Kali Linux Fingerprint Identified (#4625)
2025-04-21 12:06:57 -04:00
initial_access_password_recovery.toml
[Rule Tunings] AWS Root Access Rules (#5218)
2025-10-15 13:58:32 -04:00
initial_access_signin_console_login_federated_user.toml
[Rule Tuning][New BBR Rule] AWS Sign-In Token Creation and Console Login (#5197)
2025-10-16 12:47:30 -04:00
lateral_movement_aws_ssm_start_session_to_ec2_instance.toml
[Rule Tuning] SSM Session Started to EC2 Instance (#5068)
2025-09-11 15:54:31 -04:00
lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml
[Rule Tuning] AWS EC2 Instance Connect SSH Public Key Uploaded (#5069)
2025-09-11 16:37:39 -04:00
lateral_movement_ec2_instance_console_login.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
lateral_movement_sns_topic_message_publish_by_rare_user.toml
[Rule Tunings] AWS SNS new Terms rules (#5082)
2025-09-11 17:25:04 -04:00
ml_cloudtrail_error_message_spike.toml
Adding setup templates to the ML rules (#3798)
2024-06-19 10:04:41 -04:00
ml_cloudtrail_rare_error_code.toml
Adding setup templates to the ML rules (#3798)
2024-06-19 10:04:41 -04:00
ml_cloudtrail_rare_method_by_city.toml
Adding setup templates to the ML rules (#3798)
2024-06-19 10:04:41 -04:00
ml_cloudtrail_rare_method_by_country.toml
Adding setup templates to the ML rules (#3798)
2024-06-19 10:04:41 -04:00
ml_cloudtrail_rare_method_by_user.toml
Adding setup templates to the ML rules (#3798)
2024-06-19 10:04:41 -04:00
NOTICE.txt
[Fleet] Track integrations in folder and metadata (#1372)
2021-07-21 15:24:56 -06:00
persistence_aws_attempt_to_register_virtual_mfa_device.toml
[New Rule] Adding Coverage for AWS IAM Virtual MFA Device Registration (#4626)
2025-04-21 11:02:14 -04:00
persistence_ec2_network_acl_creation.toml
[Rule Tunings] AWS EC2 Flow Log Deletion and Network ACL Activity (#4778)
2025-06-06 14:11:54 -04:00
persistence_ec2_route_table_modified_or_deleted.toml
[Rule Tunings] AWS Route Table Created / AWS EC2 Route Table Modified or Deleted (#5064)
2025-09-11 15:35:16 -04:00
persistence_ec2_security_group_configuration_change_detection.toml
[Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules (#4892)
2025-07-18 19:15:36 -04:00
persistence_iam_api_calls_via_user_session_token.toml
[Rule Tuning] AWS IAM API Calls via Temporary Session Tokens (#4901)
2025-07-15 19:13:16 -04:00
persistence_iam_create_login_profile_for_root.toml
[Rule Tunings] AWS Root Access Rules (#5218)
2025-10-15 13:58:32 -04:00
persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml
[Tuning] AWS IAM Create User via Assumed Role on EC2 Instance (#5063)
2025-09-11 15:11:40 -04:00
persistence_iam_group_creation.toml
[Rule Tunings] AWS Group Creation, User Added to Group, Group Deletion (#5269)
2025-11-14 02:34:28 -05:00
persistence_iam_roles_anywhere_profile_created.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_iam_user_created_access_keys_for_another_user.toml
[Rule Tuning] AWS User Created Access Keys For Another User (#5212)
2025-10-16 12:57:57 -04:00
persistence_lambda_backdoor_invoke_function_for_any_principal.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_rds_cluster_creation.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_rds_db_instance_password_modified.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_rds_group_creation.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_rds_instance_creation.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_rds_instance_made_public.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_redshift_instance_creation.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_route_53_domain_transfer_lock_disabled.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_route_53_domain_transferred_to_another_account.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_route_53_hosted_zone_associated_with_a_vpc.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_route_table_created.toml
[Rule Tunings] AWS Route Table Created / AWS EC2 Route Table Modified or Deleted (#5064)
2025-09-11 15:35:16 -04:00
persistence_sts_assume_role_with_new_mfa.toml
[Rule Tuning] AWS STS AssumeRole with New MFA Device (#4999)
2025-08-22 14:48:39 -04:00
privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml
[Rule Tunings] AWS IAM Administrator Access Policy Attached to Group/Role/User (#5215)
2025-10-16 12:22:56 -04:00
privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml
[Rule Tunings] AWS IAM Administrator Access Policy Attached to Group/Role/User (#5215)
2025-10-16 12:22:56 -04:00
privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml
[Rule Tunings] AWS IAM Administrator Access Policy Attached to Group/Role/User (#5215)
2025-10-16 12:22:56 -04:00
privilege_escalation_iam_customer_managed_policy_attached_to_role.toml
Prep 9.2 (#5231)
2025-10-17 21:01:13 +05:30
privilege_escalation_iam_saml_provider_updated.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_iam_update_assume_role_policy.toml
Prep 9.2 (#5231)
2025-10-17 21:01:13 +05:30
privilege_escalation_role_assumption_by_service.toml
[Rule Tunings] AWS Role Assumption By Service / User (#4827)
2025-06-24 18:07:18 -04:00
privilege_escalation_role_assumption_by_user.toml
[Rule Tunings] AWS Role Assumption By Service / User (#4827)
2025-06-24 18:07:18 -04:00
privilege_escalation_root_login_without_mfa.toml
[Rule Tuning][Deprecation] AWS Root Console Login Rules (#5201)
2025-10-15 14:16:02 -04:00
privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_sts_role_chaining.toml
Update privilege_escalation_sts_role_chaining.toml (#5180)
2025-10-06 11:29:41 -04:00
resource_development_sns_topic_created_by_rare_user.toml
[Rule Tunings] AWS SNS new Terms rules (#5082)
2025-09-11 17:25:04 -04:00