Merge pull request #775 from wazuh/bin-confighistory

Update 0350-amazon_rules.xml
wazuh · Nov 11, 2020 · bc2ffab · bc2ffab
2 parents caf4ddc + 3bc550f
commit bc2ffab
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,8 @@ All notable changes to this project will be documented in this file.
 ### Added
 
 - Let the Ruleset update tool to bypass the version check with the force option. ([#773](https://github.com/wazuh/wazuh-ruleset/pull/773))
+- Added new AWS Config-History rules to make it more granular by including every item status supported ([#775](https://github.com/wazuh/wazuh-ruleset/pull/775))
+
 
 
 ## [v4.0.1]

diff --git a/rules/0350-amazon_rules.xml b/rules/0350-amazon_rules.xml
@@ -300,12 +300,45 @@ ID: 80200 - 80499
     </rule>
 
     <!-- Config history -->
-    <rule id="80453" level="3">
+    <rule id="80453" level="0">
         <if_sid>80451</if_sid>
+        <field name="aws.configurationItemStatus">OK</field>
         <description>AWS Config - History [$(aws.awsAccountId) $(aws.awsRegion)] [$(aws.resourceType)]: $(aws.resourceId) ($(aws.configurationItemStatus))</description>
         <group>aws_config,aws_config_history,</group>
         <options>no_full_log</options>
     </rule>
+
+    <rule id="80454" level="3">
+        <if_sid>80451</if_sid>
+        <field name="aws.configurationItemStatus">ResourceDiscovered</field>
+        <description>The resource was newly discovered. AWS Config - History:  [$(aws.awsAccountId) $(aws.awsRegion)] [$(aws.resourceType)]: $(aws.resourceId) ($(aws.configurationItemStatus))</description>
+        <group>aws_config,aws_config_history,</group>
+        <options>no_full_log</options>
+    </rule>
+
+    <rule id="80455" level="3">
+        <if_sid>80451</if_sid>
+        <field name="aws.configurationItemStatus">ResourceNotRecorded</field>
+        <description>The resource was discovered but its configuration was not recorded since the recorder excludes the recording of resources of this type. AWS Config - History:  [$(aws.awsAccountId) $(aws.awsRegion)] [$(aws.resourceType)]: $(aws.resourceId) ($(aws.configurationItemStatus))</description>
+        <group>aws_config,aws_config_history,</group>
+        <options>no_full_log</options>
+    </rule>
+
+    <rule id="80456" level="3">
+        <if_sid>80451</if_sid>
+        <field name="aws.configurationItemStatus">ResourceDeleted</field>
+        <description>The resource was deleted. AWS Config - History:  [$(aws.awsAccountId) $(aws.awsRegion)] [$(aws.resourceType)]: $(aws.resourceId) ($(aws.configurationItemStatus))</description>
+        <group>aws_config,aws_config_history,</group>
+        <options>no_full_log</options>
+    </rule>
+
+    <rule id="80457" level="3">
+        <if_sid>80451</if_sid>
+        <field name="aws.configurationItemStatus">ResourceDeletedNotRecorded</field>
+        <description>The resource was deleted but its configuration was not recorded since the recorder excludes the recording of resources of this type. AWS Config - History:  [$(aws.awsAccountId) $(aws.awsRegion)] [$(aws.resourceType)]: $(aws.resourceId) ($(aws.configurationItemStatus))</description>
+        <group>aws_config,aws_config_history,</group>
+        <options>no_full_log</options>
+    </rule> 
 
     <!-- Config Snapshot -->
     <rule id="80475" level="3">