From 0c8a1fcf6d01e3085dc7857263d05334cef1e59e Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Wed, 29 Oct 2025 01:03:10 -0400
Subject: [PATCH] [Rule Tuning] AWS S3 Static Site Javascript File Uploaded

This rule is triggering as expected. However, the threat this rule is meant to capture is a potential malicious .js file upload. Currently it is capturing both GetObject (read file) and PutObject (write file) API calls which is adding noise without adding much threat detection value.

- Removed `GetObject` API call from scope, so this rule focuses only on write activity. This reduced alert telemetry volume by ~73%
- added `event.outcome == success` criteria to exclude failed upload attempts
- corrected `Pulumi` typo in user agent exclusion criteria
- reduced execution window
- added highlighted fields
---
 ...mpact_s3_static_site_js_file_uploaded.toml | 34 ++++++++++++++-----
 1 file changed, 26 insertions(+), 8 deletions(-)

diff --git a/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml b/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml
index d9266c64427..c54d42b1ba9 100644
--- a/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml
+++ b/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml
@@ -2,12 +2,12 @@
 creation_date = "2025/04/15"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/09/25"
+updated_date = "2025/10/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects when a JavaScript file is uploaded or accessed in an S3 static site directory (`static/js/`) by an IAM
+This rule detects when a JavaScript file is uploaded in an S3 static site directory (`static/js/`) by an IAM
 user or assumed role. This can indicate suspicious modification of web content hosted on S3, such as injecting malicious
 scripts into a static website frontend.
 """
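Review bot: The rewritten description still reads as though every JavaScript upload is in scope, but the query shipped in this same patch only matches `event.outcome == "success"`, so denied or failed PutObject attempts never produce an alert and an analyst reading this text would not know that. I would add one sentence before the closing `"""`: `Only successful PutObject calls are considered; failed or denied upload attempts are intentionally out of scope.` The `description` string opens and closes within this hunk, so the addition fits here without touching the rest of the rule.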
@@ -17,7 +17,7 @@ false_positives = [
 Verify the user agent, source IP, and whether the modification was expected.
 """,
 ]
-from = "now-9m"
+from = "now-6m"
 language = "esql"
 license = "Elastic License v2"
 name = "AWS S3 Static Site JavaScript File Uploaded"
@@ -73,10 +73,11 @@ from logs-aws.cloudtrail* metadata _id, _version, _index
 | where
- // S3 object read/write activity
+ // S3 object write activity
 event.dataset == "aws.cloudtrail"
 and event.provider == "s3.amazonaws.com"
- and event.action in ("GetObject", "PutObject")
+ and event.action == "PutObject"
+ and event.outcome == "success"
 // IAM users or assumed roles only
 and aws.cloudtrail.user_identity.type in ("IAMUser", "AssumedRole")
@@ -88,7 +89,7 @@ from logs-aws.cloudtrail* metadata _id, _version, _index
 and not (
 user_agent.original like "*Terraform*"
 or user_agent.original like "*Ansible*"
- or user_agent.original like "*Pulumni*"
+ or user_agent.original like "*Pulumi*"
 )
 // Extract fields from request parameters
@@ -127,10 +128,27 @@ id = "T1565.001"
 name = "Stored Data Manipulation"
 reference = "https://attack.mitre.org/techniques/T1565/001/"
-
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+[rule.investigation_fields]
+field_names = [
+ "@timestamp",
+ "user.name",
+ "user_agent.original",
+ "source.ip",
+ "aws.cloudtrail.user_identity.arn",
+ "aws.cloudtrail.user_identity.type",
+ "aws.cloudtrail.user_identity.access_key_id",
+ "aws.cloudtrail.resources.arn",
+ "aws.cloudtrail.resources.type",
+ "event.action",
+ "event.outcome",
+ "cloud.account.id",
+ "cloud.region",
+ "aws.cloudtrail.request_parameters",
+ "aws.cloudtrail.response_elements"
+]
+
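Review bot: Shrinking `from` to `"now-6m"` can silently drop events if the rule keeps a 5-minute `interval` (that key is not in this hunk), because the window then overlaps the previous run by only one minute while CloudTrail records `@timestamp` at API-call time and the events typically reach the index several minutes later via S3/SQS delivery. An upload whose timestamp is already older than six minutes when the rule fires is never evaluated, and for an Impact rule a missed event is a worse failure mode than the duplicate evaluations the wider window caused. I would either keep a lookback sized to measured CloudTrail ingestion delay, e.g. `from = "now-9m"`, or state in the commit message what latency was observed to justify six minutes.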
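Review bot: Narrowing `event.action` to `"PutObject"` leaves the other S3 write paths uncovered: an object copied into `static/js/` from another bucket is logged as `CopyObject`, and a file large enough for the SDK or CLI to switch to multipart never emits `PutObject` at all, only `CreateMultipartUpload`/`UploadPart`/`CompleteMultipartUpload`, so a bundled script or a deliberate attacker bypasses this rule without ever reaching the path check. Since the comment now says "write activity", I would match the events that complete a write: `and event.action in ("PutObject", "CopyObject", "CompleteMultipartUpload")`. Please confirm those `event.action` values against your own CloudTrail data events before relying on them; the `event.outcome == "success"` filter added here applies to them unchanged. The `where` clause continues past the end of this hunk.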
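Review bot: Correcting `*Pulumni*` to `*Pulumi*` makes this exclusion take effect for the first time, which is the moment to note in the query that `user_agent.original` is the client-supplied `User-Agent` header that CloudTrail records verbatim, so anyone holding PutObject on the bucket can suppress the alert by sending `User-Agent: Terraform`. The exclusion is fine as a noise filter, but it should not be the only thing standing between an upload and an alert; pairing it with the deploying principal (`aws.cloudtrail.user_identity.arn`) or a known source range would make it materially harder to abuse. At minimum I would add `// NOTE: user_agent.original is attacker-controllable; these IaC exclusions reduce noise, they are not an authorization check` directly above `and not (`. The enclosing `where` block starts and ends outside this hunk.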
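Review bot: The new `[rule.investigation_fields]` list names raw CloudTrail columns such as `aws.cloudtrail.request_parameters`, `aws.cloudtrail.response_elements` and `aws.cloudtrail.resources.arn`, but an ES|QL rule only carries into the alert the columns its final row set returns; if the query's trailing `keep` (after the `// Extract fields from request parameters` step, outside this diff) projects down to the dissected bucket and key columns, these highlighted fields will render empty in the alert flyout. Please check that `keep` clause and either retain these columns there or list the derived columns the query actually emits, and consider adding the extracted bucket/object-key column to this list since that is what an analyst triages first.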