
Flooding with AWS Config service #4155

Closed
druizz90 opened this issue Oct 25, 2019 · 1 comment
Labels
module/aws type/bug Something isn't working

Comments

@druizz90
Contributor

druizz90 commented Oct 25, 2019

Hi team,

A user reported that AWS Config is flooding the alert.json file. I can check that a lot of events are repeated:

[screenshot omitted: aws_config1]

I think that we could set the ignore attribute in the rules to avoid firing alerts.

I made some tests after adding these rules in local_rules.xml and it seems that it works:

<group name="aws_config">

    <!-- Parent rule: any AWS event (80200) whose source is "config" -->
    <rule id="80450" level="0" overwrite="yes" ignore="3600">
        <if_sid>80200</if_sid>
        <field name="aws.source">config</field>
        <description>AWS Config alert.</description>
        <group>aws_config,</group>
        <options>no_full_log</options>
    </rule>

    <!-- ConfigHistory vs ConfigSnapshot -->
    <rule id="80451" level="0" overwrite="yes" ignore="3600">
        <if_sid>80450</if_sid>
        <field name="aws.log_info.log_file">\.+ConfigHistory</field>
        <description>AWS Config - History</description>
        <group>aws_config,aws_config_history,</group>
        <options>no_full_log</options>
    </rule>

    <rule id="80452" level="0" overwrite="yes" ignore="3600">
        <if_sid>80450</if_sid>
        <field name="aws.log_info.log_file">\.+ConfigSnapshot</field>
        <description>AWS Config - Snapshot</description>
        <group>aws_config,aws_config_snapshot,</group>
        <options>no_full_log</options>
    </rule>

    <!-- Config history -->
    <rule id="80453" level="3" overwrite="yes" ignore="3600">
        <if_sid>80451</if_sid>
        <description>AWS Config - History [$(aws.awsAccountId) $(aws.awsRegion)] [$(aws.resourceType)]: $(aws.resourceId) ($(aws.configurationItemStatus))</description>
        <group>aws_config,aws_config_history,</group>
        <options>no_full_log</options>
    </rule>

    <rule id="80454" level="0" ignore="3600">
        <if_sid>80451</if_sid>
        <field name="aws.configurationItemStatus">OK</field>
        <description>AWS Config - History [$(aws.awsAccountId) $(aws.awsRegion)] [$(aws.resourceType)]: $(aws.resourceId) ($(aws.configurationItemStatus))</description>
        <group>aws_config,aws_config_history,</group>
        <options>no_full_log</options>
    </rule>

    <!-- Config Snapshot -->
    <rule id="80475" level="3" overwrite="yes" ignore="3600">
        <if_sid>80452</if_sid>
        <description>AWS Config - Snapshot [$(aws.awsAccountId) $(aws.awsRegion)] [$(aws.resourceType)]: $(aws.resourceId) ($(aws.configurationItemStatus))</description>
        <group>aws_config,aws_config_snapshot,</group>
        <options>no_full_log</options>
    </rule>

    <rule id="80476" level="6" overwrite="yes" ignore="3600">
        <if_sid>80475</if_sid>
        <field name="aws.configuration.complianceType">\.+</field>
        <description>AWS Config - Snapshot Compliance [$(aws.awsAccountId) $(aws.awsRegion)] [$(aws.resourceType)] [$(aws.configuration.configRuleList.configRuleName)]: $(aws.resourceId) ($(aws.configurationItemStatus)) $(aws.configuration.complianceType)</description>
        <group>aws_config,aws_config_snapshot,aws_config_snapshot_compliance,</group>
        <options>no_full_log</options>
    </rule>
</group>

Anyway, we should study the AWS Config alerts for improving the rules.

Best regards,

Demetrio.

@druizz90 druizz90 added the type/bug Something isn't working label Oct 25, 2019
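To make the effect of the proposed `ignore="3600"` attribute concrete, the following Python script is an added example written for this issue; it is not Wazuh code and does not reproduce analysisd. It models the intent of the rule tree posted above (History vs Snapshot split by `aws.log_info.log_file`, the level-0 rule 80454 for `configurationItemStatus` OK, the compliance child rule 80476) with a simplified classifier, feeds it a handful of constructed AWS Config events, and applies a per-rule-id suppression window. The classifier, the per-rule keying of the window and the sample events are all assumptions of this example.

```python
"""Simulate a Wazuh-style ``ignore`` window over repeated AWS Config events.

Added example for this issue, not Wazuh code.  The classifier below is a
simplified model of the rule tree proposed in the issue; the real analysisd
matcher and the exact keying of ``ignore`` are assumptions here.
"""
from collections import Counter

IGNORE_SECONDS = 3600  # the ignore="3600" value used in the proposed rules

# Constructed file names in the shape AWS Config uses (not real captures).
HISTORY_FILE = "123456789012_Config_us-east-1_ConfigHistory_AWS::EC2::Instance_20191025.json.gz"
SNAPSHOT_FILE = "123456789012_Config_us-east-1_ConfigSnapshot_20191025.json.gz"


def make_event(ts, log_file, status, compliance=None, resource="i-0aaa"):
    """Build one constructed, already-decoded AWS Config event at time ``ts``."""
    aws = {
        "source": "config",
        "log_info": {"log_file": log_file},
        "configurationItemStatus": status,
        "resourceType": "AWS::EC2::Instance",
        "resourceId": resource,
        "awsAccountId": "123456789012",
        "awsRegion": "us-east-1",
        "configuration": {},
    }
    if compliance:
        aws["configuration"]["complianceType"] = compliance
    return {"ts": ts, "payload": {"aws": aws}}


# Constructed stream: one burst of repeated items, then a change an hour later.
SAMPLE_EVENTS = [
    make_event(0, HISTORY_FILE, "ResourceDiscovered"),
    make_event(10, SNAPSHOT_FILE, "OK"),
    make_event(20, SNAPSHOT_FILE, "OK"),
    make_event(30, SNAPSHOT_FILE, "OK"),
    make_event(40, SNAPSHOT_FILE, "OK"),
    make_event(50, SNAPSHOT_FILE, "OK", compliance="NON_COMPLIANT"),
    make_event(55, SNAPSHOT_FILE, "OK", compliance="NON_COMPLIANT"),
    make_event(60, HISTORY_FILE, "OK"),
    make_event(70, HISTORY_FILE, "OK"),
    make_event(120, HISTORY_FILE, "ResourceChanged", resource="i-0bbb"),
    make_event(3700, HISTORY_FILE, "ResourceChanged"),
]


def classify(payload):
    """Return (rule_id, level) following the intent of the proposed rules.

    Assumed simplification of the rule tree, not Wazuh's matcher.
    """
    aws = payload.get("aws", {})
    if aws.get("source") != "config":
        return None  # rule 80450 would not match at all
    log_file = aws.get("log_info", {}).get("log_file", "")
    status = aws.get("configurationItemStatus", "")
    if "ConfigHistory" in log_file:
        if status == "OK":
            return (80454, 0)  # level-0 child silences OK history items
        return (80453, 3)
    if "ConfigSnapshot" in log_file:
        if aws.get("configuration", {}).get("complianceType"):
            return (80476, 6)
        return (80475, 3)
    return (80450, 0)


def run(events, ignore_seconds=IGNORE_SECONDS):
    """Return (alerts_without_ignore, alerts_with_ignore) as (ts, rule_id) lists.

    The window is keyed on rule id only (an assumption of this model): once a
    rule fires, it stays muted for ``ignore_seconds`` regardless of resource.
    """
    last_fired = {}
    without, with_ignore = [], []
    for ev in events:
        match = classify(ev["payload"])
        if match is None:
            continue
        rule_id, level = match
        if level == 0:
            continue  # level-0 rules never produce an alert
        without.append((ev["ts"], rule_id))
        last = last_fired.get(rule_id)
        if last is not None and ev["ts"] - last < ignore_seconds:
            continue  # inside the ignore window: muted
        last_fired[rule_id] = ev["ts"]
        with_ignore.append((ev["ts"], rule_id))
    return without, with_ignore


def summarize(events=SAMPLE_EVENTS):
    """Alert counts before and after the ignore window, plus per-rule counts."""
    without, with_ignore = run(events)
    return {
        "raw": len(without),
        "after_ignore": len(with_ignore),
        "per_rule": dict(Counter(rule_id for _, rule_id in with_ignore)),
    }


if __name__ == "__main__":
    print(summarize())  # {'raw': 9, 'after_ignore': 4, 'per_rule': {80453: 2, 80475: 1, 80476: 1}}
```

On the constructed stream the nine raw alerts collapse to four. The trade-off the model makes visible is the one the issue hints at with "we should study the AWS Config alerts": the change on resource `i-0bbb` at t=120 is muted only because a different resource fired the same rule two minutes earlier, so a per-rule window trades volume for the chance of missing a distinct change inside the hour.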
@MiguelCasaresRobles
Member

Hi team,

Closing this issue since we made a PR to solve this here: wazuh/wazuh-ruleset#775

Regards,

Miguel Casares
