From 83743bbaede3ddd1988e8d2fa9ba1d930811c1ef Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Mon, 8 Sep 2025 14:01:29 -0400
Subject: [PATCH 1/2] [Rule Tunings] AWS DynamoDB new terms Rules

### AWS DynamoDB Scan by Unusual User
- changed new terms field to use cloud.account.id and user.name combination to account for roles and users
- reduced execution window
- reduced history window
- small edits to description, IG and highlighted fields

### AWS DynamoDB Table Exported to S3
- removed inaccurate setup notes
- reduced history window
- small edits to description and highlighted fields
---
 ...tration_dynamodb_scan_by_unusual_user.toml | 27 ++++++++++---------
 ...tration_dynamodb_table_exported_to_s3.toml | 12 ++++-----
 2 files changed, 20 insertions(+), 19 deletions(-)

diff --git a/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml b/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml
index 7e70a66ba4f..928d7e111c5 100644
--- a/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml
+++ b/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml
@@ -2,7 +2,7 @@ creation_date = "2025/03/13"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/03/13"
+updated_date = "2025/09/08"
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies when an AWS DynamoDB table is scanned by a user who does not typically perform this action. Adversaries may use the Scan operation to collect sensitive information or exfiltrate data from DynamoDB tables. This rule detects unusual user activity by monitoring for the Scan action in CloudTrail logs. This is a New Terms rule that only flags
-when this behavior is observed by the `aws.cloudtrail.user_identity.arn` for the first time in the last 14 days.
+when this behavior is observed by the user.name for the first time.
 """
 false_positives = [
 """
@@ -18,7 +18,7 @@ false_positives = [
 Ensure that the user has the necessary permissions and that the Scan operation is authorized before taking action.
 """,
 ]
-from = "now-9m"
+from = "now-6m"
 index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 language = "kuery"
 license = "Elastic License v2"
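Review bot: `from = "now-6m"` cuts the lookback from nine to six minutes, but this hunk shows neither the rule's `interval` nor a `timestamp_override`, and both decide whether that is safe. If `interval` is the 5m default and the rule queries `@timestamp` rather than `event.ingested`, about one minute of overlap is left to absorb CloudTrail delivery plus ingestion delay, which is commonly several minutes, so late-arriving Scan events would fall between runs with no alert and no error. The PR text says only "reduced execution window" and gives no latency figure behind the new value. Either confirm the file sets `timestamp_override = "event.ingested"`, or keep `from = "now-9m"` and state the intended overlap in a comment above the key, e.g. `# lookback is interval + 4m to cover CloudTrail delivery lag`.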
@@ -29,12 +29,12 @@ note = """## Triage and analysis
 This rule identifies when an AWS DynamoDB table is scanned by a user who does not typically perform this action. Adversaries may use the Scan operation to collect sensitive information or exfiltrate data from DynamoDB tables. This rule detects unusual user activity by monitoring for the Scan action in CloudTrail logs.
-This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that only flags when this behavior is observed for the first time on a host in the last 14 days.
+This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that only flags when this behavior is observed for the first time.
 #### Possible Investigation Steps
 - Identify the Actor: Review the `aws.cloudtrail.user_identity.arn` field to identify the user who requested the subscription. Verify if this actor typically performs such actions and has the necessary permissions. It may be unusual for this activity to originate from certain user types, such as an assumed role or federated user.
-- Review the Source IP: Check the `source.address` field to determine the source of the request. If the request comes from an unexpected location or IP address, it may indicate a compromised account or unauthorized access.
+- Review the Source IP: Check the `source.ip` field to determine the source of the request. If the request comes from an unexpected location or IP address, it may indicate a compromised account or unauthorized access.
 - Analyze the Request Parameters: Examine the `aws.cloudtrail.request_parameters` field to understand the details of the Scan request. Look for any unusual parameters or patterns that may indicate malicious intent. This also details the DynamoDB table being scanned.
 - Review Access Key: Check the `aws.cloudtrail.user_identity.access_key_id` field to identify the access key used for the request.
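Review bot: The "Identify the Actor" bullet in this hunk still says "the user who requested the subscription", a leftover from the SNS rule this one was cloned from; the commit fixes the equivalent leftover under "Additional Information" but leaves this one in the investigation guide an analyst actually follows. Replace `the user who requested the subscription` with `the user who issued the Scan request` so the step matches the event the rule fires on. The note body continues past the end of this hunk, so the other bullets were not checked here.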
Determine if this key is associated with a legitimate user or if it has been compromised.
@@ -53,7 +53,7 @@ This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-
 ### Additional Information
-For further guidance on managing and securing SNS topics in AWS environments, refer to the [AWS SNS documentation](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/security.html) and AWS best practices for security.
+For further guidance on managing and securing DynamoDB in AWS environments, refer to the [AWS DynamoDB documentation](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/security.html) and AWS best practices for security.
 """
 references = ["https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Scan.html"]
 risk_score = 21
@@ -109,24 +109,25 @@ reference = "https://attack.mitre.org/tactics/TA0009/"
 field_names = [
 "@timestamp",
 "user.name",
-"source.address",
+"user_agent.original",
+"source.ip",
 "aws.cloudtrail.user_identity.arn",
 "aws.cloudtrail.user_identity.type",
 "aws.cloudtrail.user_identity.access_key_id",
-"user_agent.original",
+"aws.cloudtrail.resources.arn",
+"aws.cloudtrail.resources.type",
 "event.action",
 "event.outcome",
+"cloud.account.id",
 "cloud.region",
-"aws.cloudtrail.flattened.request_parameters.tableName",
-"aws.cloudtrail.flattened.response_elements.subscriptionArn",
-"aws.cloudtrail.request_parameters",
+"aws.cloudtrail.request_parameters"
 ]
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["aws.cloudtrail.user_identity.arn"]
+value = ["cloud.account.id", "user.name"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-14d"
+value = "now-10d"
diff --git a/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml b/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml
index 421a5e865ea..0a754de1518 100644
--- a/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml
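Review bot: Switching the new-terms key from `aws.cloudtrail.user_identity.arn` to `["cloud.account.id", "user.name"]` changes what counts as "new" for role sessions, and nothing in the hunk records which behavior is intended: the old key carried the full session ARN, while `user.name` for an AssumedRole identity is whatever the integration's pipeline maps into it, which I cannot confirm from here and which decides whether each new session name alerts (noisy) or each role name alerts once per account (quiet, but a stolen key on a routinely used role never surfaces). Please verify how `user.name` is populated when `aws.cloudtrail.user_identity.type` is AssumedRole and record the answer in a comment above the `value` line, along with the reason `cloud.account.id` is paired with it (the same principal name in two accounts is two terms). Separately, `history_window_start` moving from 14d to 10d, here and in the `-112,4` hunk of the exported-to-S3 file, means any legitimate principal that scans less often than every ten days is re-flagged as new; the PR offers no rationale for 10d, so a one-line comment such as `# 10d balances baseline coverage against index retention; revisit if weekly batch jobs re-alert` would help the next tuner.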
+++ b/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml
@@ -2,12 +2,12 @@ creation_date = "2025/03/13"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/07/10"
+updated_date = "2025/09/08"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies when an AWS DynamoDB table is exported to S3. Adversaries may use the ExportTableToPointInTime operation to collect sensitive information or exfiltrate data from DynamoDB tables. This rule detects unusual user activity by monitoring for the ExportTableToPointInTime action in CloudTrail logs. This is a New Terms rule that only flags when this behavior is observed by the "user.name" for the first time.
+Identifies when an AWS DynamoDB table is exported to S3. Adversaries may use the ExportTableToPointInTime operation to collect sensitive information or exfiltrate data from DynamoDB tables. This rule detects unusual user activity by monitoring for the ExportTableToPointInTime action in CloudTrail logs. This is a New Terms rule that only flags when this behavior is observed by the user.name for the first time.
 """
 false_positives = [
 """
@@ -50,7 +50,6 @@ For further guidance on managing and securing DynamoDB in AWS environments, refe
 references = ["https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_ExportTableToPointInTime.html"]
 risk_score = 21
 rule_id = "e8ea6f58-0040-11f0-a243-f661ea17fbcd"
-setup = "DynamoDB data events must be enabled in CloudTrail to capture the ExportTableToPointInTime actions. Ensure that the AWS CloudTrail service is configured to log data events for DynamoDB tables."
 severity = "low"
 tags = [
 "Domain: Cloud",
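Review bot: Removing `setup` is right for this rule, since ExportTableToPointInTime is a DynamoDB management API and is recorded in CloudTrail management events by default, but the prerequisite the deleted sentence described does apply to the companion Scan rule in this same patch: Scan is an item-level call that CloudTrail records only when DynamoDB data event logging is enabled. The Scan rule's hunks shown here do not include its `setup` key, so I cannot tell whether it already carries that note; if it does not, the rule silently never fires in accounts without DynamoDB data events and nothing tells the operator why. Rather than dropping the sentence, consider moving it into the Scan rule, reworded as `setup = "DynamoDB data events must be enabled in CloudTrail to capture Scan actions; management-event logging alone does not record them."`.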
@@ -99,12 +98,13 @@ field_names = [
 "aws.cloudtrail.user_identity.arn",
 "aws.cloudtrail.user_identity.type",
 "aws.cloudtrail.user_identity.access_key_id",
+"aws.cloudtrail.resources.arn",
+"aws.cloudtrail.resources.type",
 "event.action",
 "event.outcome",
 "cloud.account.id",
 "cloud.region",
-"aws.cloudtrail.request_parameters",
-"aws.cloudtrail.response_elements"
+"aws.cloudtrail.request_parameters"
 ]
 [rule.new_terms]
@@ -112,4 +112,4 @@ field = "new_terms_fields"
 value = ["cloud.account.id", "user.name"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-14d"
+value = "now-10d"

From ca07230c746931ade8bddc8bb464bd0476f79da0 Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Thu, 11 Sep 2025 16:47:59 -0400
Subject: [PATCH 2/2] Apply suggestions from code review

---
 .../aws/exfiltration_dynamodb_scan_by_unusual_user.toml | 2 +-
 .../aws/exfiltration_dynamodb_table_exported_to_s3.toml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml b/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml
index 928d7e111c5..d54fc7697a2 100644
--- a/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml
+++ b/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml
@@ -10,7 +10,7 @@ description = """
 Identifies when an AWS DynamoDB table is scanned by a user who does not typically perform this action. Adversaries may use the Scan operation to collect sensitive information or exfiltrate data from DynamoDB tables. This rule detects unusual user activity by monitoring for the Scan action in CloudTrail logs. This is a New Terms rule that only flags
-when this behavior is observed by the user.name for the first time.
+when this behavior is observed by a user or role for the first time.
 """
 false_positives = [
 """
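Review bot: The reworded description "observed by a user or role for the first time" still leaves out the account scoping that the rule's new-terms key applies, so a reader will not expect the same principal name seen in a second AWS account to alert again; the `value = ["cloud.account.id", "user.name"]` context line in the `-112,4` hunk above is what makes that scoping real, and the identical wording lands in the exported-to-S3 rule's hunk that follows. Suggest `when this behavior is observed by a user or role within an AWS account for the first time.` in both files so the description matches what `[rule.new_terms]` actually keys on.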
diff --git a/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml b/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml
index 0a754de1518..5dd56b0f32d 100644
--- a/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml
+++ b/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml
@@ -7,7 +7,7 @@ updated_date = "2025/09/08"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies when an AWS DynamoDB table is exported to S3. Adversaries may use the ExportTableToPointInTime operation to collect sensitive information or exfiltrate data from DynamoDB tables. This rule detects unusual user activity by monitoring for the ExportTableToPointInTime action in CloudTrail logs. This is a New Terms rule that only flags when this behavior is observed by the user.name for the first time.
+Identifies when an AWS DynamoDB table is exported to S3. Adversaries may use the ExportTableToPointInTime operation to collect sensitive information or exfiltrate data from DynamoDB tables. This rule detects unusual user activity by monitoring for the ExportTableToPointInTime action in CloudTrail logs. This is a New Terms rule that only flags when this behavior is observed by a user or role for the first time.
 """
 false_positives = [
 """