Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws_new_rules #5021

Open
wants to merge 14 commits into
base: master
Choose a base branch
from
Open

aws_new_rules #5021

wants to merge 14 commits into from
+142 −0

Conversation

saakovv
Copy link

@saakovv saakovv commented Sep 21, 2024

Summary of the Pull Request

Changelog

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions bot added the Rules label Sep 21, 2024
nasbench
nasbench requested changes Sep 22, 2024
View reviewed changes
Copy link
Member

@nasbench nasbench left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please provide log example in order for me to verify the logic of the rules.

rules/cloud/aws/cloudtrail/aws_cloudtrail_console_login_failure.yml Outdated Show resolved Hide resolved
rules/cloud/aws/cloudtrail/aws_cloudtrail_console_login_failure.yml Outdated Show resolved Hide resolved
rules/cloud/aws/cloudtrail/aws_cloudtrail_console_susp_login.yml Outdated Show resolved Hide resolved
@nasbench nasbench added Work In Progress Some changes are needed Author Input Required changes the require information from original author of the rules labels Sep 22, 2024
@nasbench nasbench marked this pull request as draft September 22, 2024 17:39
@saakovv
Copy link
Author

saakovv commented Sep 22, 2024
edited
Loading

Please provide log example in order for me to verify the logic of the rules.

In AWS logs, "eventName" and "status" fields are mainly used to detect events.

Events can be found here (for example):
https://docs.aws.amazon.com/
https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Operations.html
https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html

Some alerts may be developed for preventive detection and it is not always possible to quickly find logs at hand.
I have attached some logs for example (unpersonalized)
aws_cloudtrail_delete_bucket.yml.json
aws_cloudtrail_console_login_without_mfa.yml.json
aws_cloudtrail_console_login_failure.yml.json.json

@saakovv saakovv marked this pull request as ready for review September 30, 2024 10:58
@saakovv
Copy link
Author

saakovv commented Oct 19, 2024

Hi!
@nasbench , any updates on this review? do you need anything else from me?

@nasbench
Copy link
Member

In progress :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nasbench nasbench Awaiting requested review from nasbench

Assignees
No one assigned
Labels
Author Input Required changes the require information from original author of the rules Rules Work In Progress Some changes are needed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@saakovv @nasbench