From 8a239f54c8b164adb9ea4d220fff424cf20cd96a Mon Sep 17 00:00:00 2001
From: Shashank K S
Date: Mon, 3 Feb 2025 22:36:35 +0530
Subject: [PATCH] Fix remaining Replace master doc URLs with current
---
 .../aws/discovery_ec2_userdata_request_for_ec2_instance.toml | 4 ++--
 .../aws/persistence_ec2_route_table_modified_or_deleted.toml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml b/rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml
index 885ad2bc938..cce98b725f5 100644
--- a/rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml
+++ b/rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/14"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/27"
+updated_date = "2025/02/03"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies discovery request `DescribeInstanceAttribute` with the attribute userData and instanceId in AWS CloudTrail
 logs. This may indicate an attempt to retrieve user data from an EC2 instance. Adversaries may use this information to
 gather sensitive data from the instance such as hardcoded credentials or to identify potential vulnerabilities. This is
-a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule that
+a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that
 identifies when `aws.cloudtrail.user_identity.arn` requests the user data for a specific
 `aws.cloudtrail.flattened.request_parameters.instanceId` from an EC2 instance in the last 14 days.
 """
diff --git a/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml b/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml
index fa1fada775b..8eb0fd3abff 100644
--- a/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml
+++ b/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/06/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/27"
+updated_date = "2025/02/03"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -10,7 +10,7 @@ description = """
 Identifies AWS CloudTrail events where an EC2 route table or association has been modified or deleted. Route table or
 association modifications can be used by attackers to disrupt network traffic, reroute communications, or maintain
 persistence in a compromised environment. This is a [New
-Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule that detects the
+Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that detects the
 first instance of this behavior by the `aws.cloudtrail.user_identity.arn` field in the last 10 days.
 """
 false_positives = [