From 69e2eaf02f827644f90b7c358b0d92c6466d63d3 Mon Sep 17 00:00:00 2001
From: Brent Murphy
Date: Thu, 3 Sep 2020 12:19:53 -0400
Subject: [PATCH 1/2] Update AWS rules
---
rules/aws/collection_cloudtrail_logging_created.toml | 2 +-
.../aws/credential_access_aws_iam_assume_role_brute_force.toml | 2 +-
rules/aws/credential_access_iam_user_addition_to_group.toml | 2 +-
rules/aws/credential_access_secretsmanager_getsecretvalue.toml | 2 +-
rules/aws/defense_evasion_cloudtrail_logging_deleted.toml | 2 +-
rules/aws/defense_evasion_cloudtrail_logging_suspended.toml | 2 +-
rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml | 2 +-
rules/aws/defense_evasion_config_service_rule_deletion.toml | 2 +-
rules/aws/defense_evasion_configuration_recorder_stopped.toml | 2 +-
rules/aws/defense_evasion_ec2_flow_log_deletion.toml | 2 +-
rules/aws/defense_evasion_ec2_network_acl_deletion.toml | 2 +-
rules/aws/defense_evasion_guardduty_detector_deletion.toml | 2 +-
rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml | 2 +-
rules/aws/defense_evasion_waf_acl_deletion.toml | 2 +-
rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml | 2 +-
rules/aws/execution_via_system_manager.toml | 2 +-
rules/aws/exfiltration_ec2_snapshot_change_activity.toml | 2 +-
rules/aws/impact_cloudtrail_logging_updated.toml | 2 +-
rules/aws/impact_cloudwatch_log_group_deletion.toml | 2 +-
rules/aws/impact_cloudwatch_log_stream_deletion.toml | 2 +-
rules/aws/impact_ec2_disable_ebs_encryption.toml | 2 +-
rules/aws/impact_iam_deactivate_mfa_device.toml | 2 +-
rules/aws/impact_iam_group_deletion.toml | 2 +-
rules/aws/impact_rds_cluster_deletion.toml | 2 +-
rules/aws/impact_rds_instance_cluster_stoppage.toml | 2 +-
rules/aws/initial_access_console_login_root.toml | 2 +-
rules/aws/initial_access_password_recovery.toml | 2 +-
rules/aws/persistence_ec2_network_acl_creation.toml | 2 +-
rules/aws/persistence_iam_group_creation.toml | 2 +-
rules/aws/persistence_rds_cluster_creation.toml | 2 +-
rules/aws/privilege_escalation_root_login_without_mfa.toml | 2 +-
rules/aws/privilege_escalation_updateassumerolepolicy.toml | 2 +-
32 files changed, 32 insertions(+), 32 deletions(-)
diff --git a/rules/aws/collection_cloudtrail_logging_created.toml b/rules/aws/collection_cloudtrail_logging_created.toml
index ca7778c34bc..c33be85779d 100644
--- a/rules/aws/collection_cloudtrail_logging_created.toml
+++ b/rules/aws/collection_cloudtrail_logging_created.toml
@@ -15,7 +15,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml b/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
index c09e7356da8..97d9b32e1da 100644
--- a/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
+++ b/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
@@ -12,7 +12,7 @@ used to delegate access to users or services. An adversary may attempt to enumer
 role exists before attempting to assume or hijack the discovered role.
 """
 from = "now-20m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 language = "kuery"
 license = "Elastic License"
 name = "AWS IAM Brute Force of Assume Role Policy"
diff --git a/rules/aws/credential_access_iam_user_addition_to_group.toml b/rules/aws/credential_access_iam_user_addition_to_group.toml
index a830af683d6..d1d4b36388d 100644
--- a/rules/aws/credential_access_iam_user_addition_to_group.toml
+++ b/rules/aws/credential_access_iam_user_addition_to_group.toml
@@ -16,7 +16,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/credential_access_secretsmanager_getsecretvalue.toml b/rules/aws/credential_access_secretsmanager_getsecretvalue.toml
index bb47fc8e3ea..1977e8a6f4a 100644
--- a/rules/aws/credential_access_secretsmanager_getsecretvalue.toml
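Review bot: The new `"logs-aws*"` entry in the `index` array is wider than the data these rules read: it matches every AWS integration data stream, not only the CloudTrail one, and any index whose name merely starts with `logs-aws`, so each rule now scans data its query can never match. If these rules all filter on CloudTrail events, as their names suggest but the hunk does not show, `index = ["filebeat-*", "logs-aws.cloudtrail-*"]` keeps the Elastic Agent data stream in scope without the extra load. The same one-line change is applied in the hunks of all 32 files in this patch, so the narrower pattern would apply to each of them.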
+++ b/rules/aws/credential_access_secretsmanager_getsecretvalue.toml
@@ -17,7 +17,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
index b36490d8f6e..14e65aa2f33 100644
--- a/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
+++ b/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
@@ -15,7 +15,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
index 40715e3a37f..49aadbe9cc0 100644
--- a/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
+++ b/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
@@ -19,7 +19,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
index 38710ac57c9..3ce696aa676 100644
--- a/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
+++ b/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
@@ -15,7 +15,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/defense_evasion_config_service_rule_deletion.toml b/rules/aws/defense_evasion_config_service_rule_deletion.toml
index 7ad19aff84f..8526a9dac82 100644
--- a/rules/aws/defense_evasion_config_service_rule_deletion.toml
+++ b/rules/aws/defense_evasion_config_service_rule_deletion.toml
@@ -19,7 +19,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/aws/defense_evasion_configuration_recorder_stopped.toml
index a6dfd93f343..994c90b4766 100644
--- a/rules/aws/defense_evasion_configuration_recorder_stopped.toml
+++ b/rules/aws/defense_evasion_configuration_recorder_stopped.toml
@@ -15,7 +15,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/defense_evasion_ec2_flow_log_deletion.toml b/rules/aws/defense_evasion_ec2_flow_log_deletion.toml
index 0356cb062d1..f3022f3e569 100644
--- a/rules/aws/defense_evasion_ec2_flow_log_deletion.toml
+++ b/rules/aws/defense_evasion_ec2_flow_log_deletion.toml
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/defense_evasion_ec2_network_acl_deletion.toml b/rules/aws/defense_evasion_ec2_network_acl_deletion.toml
index 6a83c02b875..053bf24230e 100644
--- a/rules/aws/defense_evasion_ec2_network_acl_deletion.toml
+++ b/rules/aws/defense_evasion_ec2_network_acl_deletion.toml
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/defense_evasion_guardduty_detector_deletion.toml b/rules/aws/defense_evasion_guardduty_detector_deletion.toml
index 6cb7fde4449..17ecf3f55c6 100644
--- a/rules/aws/defense_evasion_guardduty_detector_deletion.toml
+++ b/rules/aws/defense_evasion_guardduty_detector_deletion.toml
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
index 4c41d160bb8..05f25895fec 100644
--- a/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
+++ b/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
@@ -15,7 +15,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/defense_evasion_waf_acl_deletion.toml b/rules/aws/defense_evasion_waf_acl_deletion.toml
index b572c134b05..36ca870fb10 100644
--- a/rules/aws/defense_evasion_waf_acl_deletion.toml
+++ b/rules/aws/defense_evasion_waf_acl_deletion.toml
@@ -15,7 +15,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml b/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
index e348e3e9b18..2b68251a204 100644
--- a/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
+++ b/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
@@ -15,7 +15,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/execution_via_system_manager.toml b/rules/aws/execution_via_system_manager.toml
index 6e9b441f632..849eef99eb9 100644
--- a/rules/aws/execution_via_system_manager.toml
+++ b/rules/aws/execution_via_system_manager.toml
@@ -19,7 +19,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/exfiltration_ec2_snapshot_change_activity.toml b/rules/aws/exfiltration_ec2_snapshot_change_activity.toml
index 6cd570188f6..58ff5517ee5 100644
--- a/rules/aws/exfiltration_ec2_snapshot_change_activity.toml
+++ b/rules/aws/exfiltration_ec2_snapshot_change_activity.toml
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/impact_cloudtrail_logging_updated.toml b/rules/aws/impact_cloudtrail_logging_updated.toml
index 0ce340082d4..b92274b741c 100644
--- a/rules/aws/impact_cloudtrail_logging_updated.toml
+++ b/rules/aws/impact_cloudtrail_logging_updated.toml
@@ -15,7 +15,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/impact_cloudwatch_log_group_deletion.toml b/rules/aws/impact_cloudwatch_log_group_deletion.toml
index 50f50495c46..7b98579dd45 100644
--- a/rules/aws/impact_cloudwatch_log_group_deletion.toml
+++ b/rules/aws/impact_cloudwatch_log_group_deletion.toml
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/aws/impact_cloudwatch_log_stream_deletion.toml
index 51622a020be..7a62c5d96a8 100644
--- a/rules/aws/impact_cloudwatch_log_stream_deletion.toml
+++ b/rules/aws/impact_cloudwatch_log_stream_deletion.toml
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/impact_ec2_disable_ebs_encryption.toml b/rules/aws/impact_ec2_disable_ebs_encryption.toml
index f632a276e86..f2ced0ea9da 100644
--- a/rules/aws/impact_ec2_disable_ebs_encryption.toml
+++ b/rules/aws/impact_ec2_disable_ebs_encryption.toml
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/impact_iam_deactivate_mfa_device.toml b/rules/aws/impact_iam_deactivate_mfa_device.toml
index ea43ca8e3ac..bd4dd756c07 100644
--- a/rules/aws/impact_iam_deactivate_mfa_device.toml
+++ b/rules/aws/impact_iam_deactivate_mfa_device.toml
@@ -19,7 +19,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/impact_iam_group_deletion.toml b/rules/aws/impact_iam_group_deletion.toml
index 9ca348eb40d..5d176a0ae1d 100644
--- a/rules/aws/impact_iam_group_deletion.toml
+++ b/rules/aws/impact_iam_group_deletion.toml
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/impact_rds_cluster_deletion.toml b/rules/aws/impact_rds_cluster_deletion.toml
index f272da4ebaf..82c9e892093 100644
--- a/rules/aws/impact_rds_cluster_deletion.toml
+++ b/rules/aws/impact_rds_cluster_deletion.toml
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/impact_rds_instance_cluster_stoppage.toml b/rules/aws/impact_rds_instance_cluster_stoppage.toml
index df12b381c16..ff47eddaa93 100644
--- a/rules/aws/impact_rds_instance_cluster_stoppage.toml
+++ b/rules/aws/impact_rds_instance_cluster_stoppage.toml
@@ -15,7 +15,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/initial_access_console_login_root.toml b/rules/aws/initial_access_console_login_root.toml
index 888f65a9c91..be2b1fd9938 100644
--- a/rules/aws/initial_access_console_login_root.toml
+++ b/rules/aws/initial_access_console_login_root.toml
@@ -16,7 +16,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/initial_access_password_recovery.toml b/rules/aws/initial_access_password_recovery.toml
index 022cceb7da4..4b4a658af9b 100644
--- a/rules/aws/initial_access_password_recovery.toml
+++ b/rules/aws/initial_access_password_recovery.toml
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/persistence_ec2_network_acl_creation.toml b/rules/aws/persistence_ec2_network_acl_creation.toml
index 017a2ea0f0d..c28af8a6203 100644
--- a/rules/aws/persistence_ec2_network_acl_creation.toml
+++ b/rules/aws/persistence_ec2_network_acl_creation.toml
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/persistence_iam_group_creation.toml b/rules/aws/persistence_iam_group_creation.toml
index 576ff989b0f..fc5fa5ca2be 100644
--- a/rules/aws/persistence_iam_group_creation.toml
+++ b/rules/aws/persistence_iam_group_creation.toml
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/persistence_rds_cluster_creation.toml b/rules/aws/persistence_rds_cluster_creation.toml
index a06773759e1..24a91e7de79 100644
--- a/rules/aws/persistence_rds_cluster_creation.toml
+++ b/rules/aws/persistence_rds_cluster_creation.toml
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/privilege_escalation_root_login_without_mfa.toml b/rules/aws/privilege_escalation_root_login_without_mfa.toml
index 34c54d358c1..ebc84727521 100644
--- a/rules/aws/privilege_escalation_root_login_without_mfa.toml
+++ b/rules/aws/privilege_escalation_root_login_without_mfa.toml
@@ -17,7 +17,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
diff --git a/rules/aws/privilege_escalation_updateassumerolepolicy.toml b/rules/aws/privilege_escalation_updateassumerolepolicy.toml
index d9e520d579b..a947ea78a37 100644
--- a/rules/aws/privilege_escalation_updateassumerolepolicy.toml
+++ b/rules/aws/privilege_escalation_updateassumerolepolicy.toml
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-60m"
-index = ["filebeat-*"]
+index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
From cb41d9ac2a6f0076f12237a973ab9fb2b1afe815 Mon Sep 17 00:00:00 2001
From: Brent Murphy
Date: Thu, 3 Sep 2020 12:27:24 -0400
Subject: [PATCH 2/2] chnage updated date
---
rules/aws/collection_cloudtrail_logging_created.toml | 2 +-
.../aws/credential_access_aws_iam_assume_role_brute_force.toml | 2 +-
rules/aws/credential_access_iam_user_addition_to_group.toml | 2 +-
rules/aws/credential_access_secretsmanager_getsecretvalue.toml | 2 +-
rules/aws/defense_evasion_cloudtrail_logging_deleted.toml | 2 +-
rules/aws/defense_evasion_cloudtrail_logging_suspended.toml | 2 +-
rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml | 2 +-
rules/aws/defense_evasion_config_service_rule_deletion.toml | 2 +-
rules/aws/defense_evasion_configuration_recorder_stopped.toml | 2 +-
rules/aws/defense_evasion_ec2_flow_log_deletion.toml | 2 +-
rules/aws/defense_evasion_ec2_network_acl_deletion.toml | 2 +-
rules/aws/defense_evasion_guardduty_detector_deletion.toml | 2 +-
rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml | 2 +-
rules/aws/defense_evasion_waf_acl_deletion.toml | 2 +-
rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml | 2 +-
rules/aws/execution_via_system_manager.toml | 2 +-
rules/aws/exfiltration_ec2_snapshot_change_activity.toml | 2 +-
rules/aws/impact_cloudtrail_logging_updated.toml | 2 +-
rules/aws/impact_cloudwatch_log_group_deletion.toml | 2 +-
rules/aws/impact_cloudwatch_log_stream_deletion.toml | 2 +-
rules/aws/impact_ec2_disable_ebs_encryption.toml | 2 +-
rules/aws/impact_iam_deactivate_mfa_device.toml | 2 +-
rules/aws/impact_iam_group_deletion.toml | 2 +-
rules/aws/impact_rds_cluster_deletion.toml | 2 +-
rules/aws/impact_rds_instance_cluster_stoppage.toml | 2 +-
rules/aws/initial_access_console_login_root.toml | 2 +-
rules/aws/initial_access_password_recovery.toml | 2 +-
rules/aws/persistence_ec2_network_acl_creation.toml | 2 +-
rules/aws/persistence_iam_group_creation.toml | 2 +-
rules/aws/persistence_rds_cluster_creation.toml | 2 +-
rules/aws/privilege_escalation_root_login_without_mfa.toml | 2 +-
rules/aws/privilege_escalation_updateassumerolepolicy.toml | 2 +-
32 files changed, 32 insertions(+), 32 deletions(-)
diff --git a/rules/aws/collection_cloudtrail_logging_created.toml b/rules/aws/collection_cloudtrail_logging_created.toml
index c33be85779d..7da5d96a7e0 100644
--- a/rules/aws/collection_cloudtrail_logging_created.toml
+++ b/rules/aws/collection_cloudtrail_logging_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/10"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml b/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
index 97d9b32e1da..6bfab916af0 100644
--- a/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
+++ b/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/16"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/credential_access_iam_user_addition_to_group.toml b/rules/aws/credential_access_iam_user_addition_to_group.toml
index d1d4b36388d..e51a30a5d51 100644
--- a/rules/aws/credential_access_iam_user_addition_to_group.toml
+++ b/rules/aws/credential_access_iam_user_addition_to_group.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/04"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/credential_access_secretsmanager_getsecretvalue.toml b/rules/aws/credential_access_secretsmanager_getsecretvalue.toml
index 1977e8a6f4a..34ddfcf643f 100644
--- a/rules/aws/credential_access_secretsmanager_getsecretvalue.toml
+++ b/rules/aws/credential_access_secretsmanager_getsecretvalue.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Nick Jones", "Elastic"]
diff --git a/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
index 14e65aa2f33..d783c3d4124 100644
--- a/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
+++ b/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/26"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
index 49aadbe9cc0..27942f01b25 100644
--- a/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
+++ b/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/10"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
index 3ce696aa676..94c3bf9c9d2 100644
--- a/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
+++ b/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/15"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/defense_evasion_config_service_rule_deletion.toml b/rules/aws/defense_evasion_config_service_rule_deletion.toml
index 8526a9dac82..af1e402b050 100644
--- a/rules/aws/defense_evasion_config_service_rule_deletion.toml
+++ b/rules/aws/defense_evasion_config_service_rule_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/26"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/aws/defense_evasion_configuration_recorder_stopped.toml
index 994c90b4766..8a6df25b73e 100644
--- a/rules/aws/defense_evasion_configuration_recorder_stopped.toml
+++ b/rules/aws/defense_evasion_configuration_recorder_stopped.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/16"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/defense_evasion_ec2_flow_log_deletion.toml b/rules/aws/defense_evasion_ec2_flow_log_deletion.toml
index f3022f3e569..5a5e474899d 100644
--- a/rules/aws/defense_evasion_ec2_flow_log_deletion.toml
+++ b/rules/aws/defense_evasion_ec2_flow_log_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/15"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/defense_evasion_ec2_network_acl_deletion.toml b/rules/aws/defense_evasion_ec2_network_acl_deletion.toml
index 053bf24230e..13d63264eb0 100644
--- a/rules/aws/defense_evasion_ec2_network_acl_deletion.toml
+++ b/rules/aws/defense_evasion_ec2_network_acl_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/26"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/defense_evasion_guardduty_detector_deletion.toml b/rules/aws/defense_evasion_guardduty_detector_deletion.toml
index 17ecf3f55c6..c092a0d6709 100644
--- a/rules/aws/defense_evasion_guardduty_detector_deletion.toml
+++ b/rules/aws/defense_evasion_guardduty_detector_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/28"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
index 05f25895fec..72c9878466c 100644
--- a/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
+++ b/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/27"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/defense_evasion_waf_acl_deletion.toml b/rules/aws/defense_evasion_waf_acl_deletion.toml
index 36ca870fb10..d40e36ed1a5 100644
--- a/rules/aws/defense_evasion_waf_acl_deletion.toml
+++ b/rules/aws/defense_evasion_waf_acl_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml b/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
index 2b68251a204..b29e04aa123 100644
--- a/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
+++ b/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/09"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/execution_via_system_manager.toml b/rules/aws/execution_via_system_manager.toml
index 849eef99eb9..00ddc66b981 100644
--- a/rules/aws/execution_via_system_manager.toml
+++ b/rules/aws/execution_via_system_manager.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/exfiltration_ec2_snapshot_change_activity.toml b/rules/aws/exfiltration_ec2_snapshot_change_activity.toml
index 58ff5517ee5..3f3e4ed08fc 100644
--- a/rules/aws/exfiltration_ec2_snapshot_change_activity.toml
+++ b/rules/aws/exfiltration_ec2_snapshot_change_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/24"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/impact_cloudtrail_logging_updated.toml b/rules/aws/impact_cloudtrail_logging_updated.toml
index b92274b741c..0bc0e0e33c2 100644
--- a/rules/aws/impact_cloudtrail_logging_updated.toml
+++ b/rules/aws/impact_cloudtrail_logging_updated.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/10"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/impact_cloudwatch_log_group_deletion.toml b/rules/aws/impact_cloudwatch_log_group_deletion.toml
index 7b98579dd45..da99d8a9ee5 100644
--- a/rules/aws/impact_cloudwatch_log_group_deletion.toml
+++ b/rules/aws/impact_cloudwatch_log_group_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/aws/impact_cloudwatch_log_stream_deletion.toml
index 7a62c5d96a8..57fd213fdda 100644
--- a/rules/aws/impact_cloudwatch_log_stream_deletion.toml
+++ b/rules/aws/impact_cloudwatch_log_stream_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/20"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/impact_ec2_disable_ebs_encryption.toml b/rules/aws/impact_ec2_disable_ebs_encryption.toml
index f2ced0ea9da..d4b0471fa0e 100644
--- a/rules/aws/impact_ec2_disable_ebs_encryption.toml
+++ b/rules/aws/impact_ec2_disable_ebs_encryption.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/05"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/impact_iam_deactivate_mfa_device.toml b/rules/aws/impact_iam_deactivate_mfa_device.toml
index bd4dd756c07..7b7bf4f65fa 100644
--- a/rules/aws/impact_iam_deactivate_mfa_device.toml
+++ b/rules/aws/impact_iam_deactivate_mfa_device.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/26"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/impact_iam_group_deletion.toml b/rules/aws/impact_iam_group_deletion.toml
index 5d176a0ae1d..1d7ec06d511 100644
--- a/rules/aws/impact_iam_group_deletion.toml
+++ b/rules/aws/impact_iam_group_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/impact_rds_cluster_deletion.toml b/rules/aws/impact_rds_cluster_deletion.toml
index 82c9e892093..816d570e002 100644
--- a/rules/aws/impact_rds_cluster_deletion.toml
+++ b/rules/aws/impact_rds_cluster_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/impact_rds_instance_cluster_stoppage.toml b/rules/aws/impact_rds_instance_cluster_stoppage.toml
index ff47eddaa93..bd1904c1743 100644
--- a/rules/aws/impact_rds_instance_cluster_stoppage.toml
+++ b/rules/aws/impact_rds_instance_cluster_stoppage.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/20"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/initial_access_console_login_root.toml b/rules/aws/initial_access_console_login_root.toml
index be2b1fd9938..73c0b57d8e9 100644
--- a/rules/aws/initial_access_console_login_root.toml
+++ b/rules/aws/initial_access_console_login_root.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/11"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/initial_access_password_recovery.toml b/rules/aws/initial_access_password_recovery.toml
index 4b4a658af9b..4a13623bdf3 100644
--- a/rules/aws/initial_access_password_recovery.toml
+++ b/rules/aws/initial_access_password_recovery.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/persistence_ec2_network_acl_creation.toml b/rules/aws/persistence_ec2_network_acl_creation.toml
index c28af8a6203..4735d369bec 100644
--- a/rules/aws/persistence_ec2_network_acl_creation.toml
+++ b/rules/aws/persistence_ec2_network_acl_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/04"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/persistence_iam_group_creation.toml b/rules/aws/persistence_iam_group_creation.toml
index fc5fa5ca2be..c5519741c7f 100644
--- a/rules/aws/persistence_iam_group_creation.toml
+++ b/rules/aws/persistence_iam_group_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/05"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/persistence_rds_cluster_creation.toml b/rules/aws/persistence_rds_cluster_creation.toml
index 24a91e7de79..1ee2631d643 100644
--- a/rules/aws/persistence_rds_cluster_creation.toml
+++ b/rules/aws/persistence_rds_cluster_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/20"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/privilege_escalation_root_login_without_mfa.toml b/rules/aws/privilege_escalation_root_login_without_mfa.toml
index ebc84727521..ef2fd886aa6 100644
--- a/rules/aws/privilege_escalation_root_login_without_mfa.toml
+++ b/rules/aws/privilege_escalation_root_login_without_mfa.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/privilege_escalation_updateassumerolepolicy.toml b/rules/aws/privilege_escalation_updateassumerolepolicy.toml
index a947ea78a37..f04cdf023fa 100644
--- a/rules/aws/privilege_escalation_updateassumerolepolicy.toml
+++ b/rules/aws/privilege_escalation_updateassumerolepolicy.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/28"
+updated_date = "2020/09/03"
 
 [rule]
 author = ["Elastic"]