
Possible bug in rule: "AWS Activity In New Region" #343

Closed
tdziwok opened this issue Feb 3, 2020 · 5 comments

Comments

@tdziwok

tdziwok commented Feb 3, 2020

Hi ESCU Team,

I think there may have been an inadvertent bug introduced in: f9bdf7e

The rule from detections/aws_activity_in_new_region.yml no longer runs in Splunk, as | convert security_content_ctime(earliest) security_content_ctime(latest) is not a valid usage of the convert command.

I am guessing that this is an instance where sed or another replacing tool caught some "real" ctime invocations while looking for instances of the old macro name.

Thanks,
Tomasz

@josehelps
Collaborator

It definitely looks to be the case @tdziwok, thank you for pointing this out! We will work on a PR to get it fixed up. If you made any changes to the search, it would be great if you could share them as an example fix 😄

josehelps added a commit that referenced this issue Feb 3, 2020
@josehelps
Collaborator

Hey, added a PR to fix this (#345); it should be fixed in the next release.

@tdziwok
Author

tdziwok commented Feb 4, 2020

Hi @d1vious,

Thanks for looking into this so quickly.
The fix you applied is exactly what I had used; sorry for not sharing it earlier :).

I believe I have found one more instance of the same issue by using:

grep  -irE '([^`]|^)security_content_ctime' ./detections/

./detections/ec2_instance_started_with_previously_unseen_instance_type.yml has the same exact pattern and needs the same exact fix.

Thanks for your help, and keep up the awesome work!

Thanks,
Tomasz
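
A small linter and repair routine for the pattern the grep above finds, added here as an example and not part of the project's own tooling: it flags every `security_content_ctime(` that is not opened by a backtick (a macro name without backticks is never a valid macro call in SPL), and, assuming the text overwritten by the bulk rename was the built-in `convert ctime(field)` function, restores `ctime(` inside `convert` clauses only. Both sample searches are constructed for this example, not copied from the repository's YAML.

```python
import re
from typing import List, Tuple

# Constructed sample searches (not the repository's YAML). The first reproduces
# the breakage reported in the issue: a bulk rename turned the built-in
# `convert ctime(...)` function into the macro name, without backticks.
BROKEN_SEARCH = (
    "| tstats count min(_time) as firstTime max(_time) as lastTime "
    "from datamodel=Change by All_Changes.user "
    "| convert security_content_ctime(firstTime) security_content_ctime(lastTime)"
)

# A valid search: the macro is expanded with backticks, as SPL requires.
CORRECT_SEARCH = (
    "| stats earliest(_time) as firstTime latest(_time) as lastTime by user "
    "| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`"
)

# Same test as the reporter's grep: the macro name with no backtick in front
# of it cannot be a macro call, so it is either a bug or a stray rename.
BARE_MACRO = re.compile(r"(?<!`)security_content_ctime\(")

# A `convert` command runs from its pipe up to the next pipe.
CONVERT_CLAUSE = re.compile(r"\|\s*convert\b[^|]*")


def find_bare_macro_calls(search: str) -> List[int]:
    """Return the offset of every security_content_ctime( lacking a backtick."""
    return [m.start() for m in BARE_MACRO.finditer(search)]


def repair_convert_calls(search: str) -> Tuple[str, int]:
    """Restore ctime( inside convert clauses; return (fixed search, count).

    Assumption, not stated in the thread: the text overwritten by the rename
    was the convert function ctime(field). Bare macro names outside a convert
    clause are left alone so a human can decide what was intended there.
    """
    count = 0

    def fix_clause(match: re.Match) -> str:
        nonlocal count
        clause, n = BARE_MACRO.subn("ctime(", match.group(0))
        count += n
        return clause

    return CONVERT_CLAUSE.sub(fix_clause, search), count
```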

@josehelps josehelps reopened this Feb 5, 2020
@josehelps
Collaborator

@tdziwok thank you for sharing this one too, re-opened the issue for now. I will make another PR to solve this one.

@josehelps
Collaborator

@tdziwok added another PR in there to include this search. Thank you again for catching this error!
