├── .github └── workflows │ ├── deploy-rules.yml │ └── deploy-trailalerts.yml ├── .gitignore ├── LICENSE ├── README.md ├── images ├── TrailAlerts-Infra.PNG ├── TrailAlerts-VPNAPI.PNG ├── TrailAlerts.png └── features.png ├── rules ├── exceptions.json ├── postprocessing_rules │ └── sample_rules.json └── sigma_rules │ ├── aws_cloudtrail_attachpolicy.yml │ ├── aws_cloudtrail_attachpolicy_tests.json │ ├── aws_cloudtrail_create_iam.yml │ ├── aws_cloudtrail_create_iam_tests.json │ ├── aws_cloudtrail_disable_logging.yml │ ├── aws_cloudtrail_disable_logging_tests.json │ ├── aws_cloudtrail_new_acl_entries.yml │ ├── aws_cloudtrail_new_acl_entries_tests.json │ ├── aws_cloudtrail_new_route_added.yml │ ├── aws_cloudtrail_new_route_added_tests.json │ ├── aws_cloudtrail_puteventselectors.yml │ ├── aws_cloudtrail_puteventselectors_tests.json │ ├── aws_cloudtrail_security_group_change_ingress_egress.yml │ ├── aws_cloudtrail_security_group_change_ingress_egress_tests.json │ ├── aws_cloudtrail_security_group_change_loadbalancer.yml │ ├── aws_cloudtrail_security_group_change_loadbalancer_tests.json │ ├── aws_cloudtrail_security_group_change_rds.yml │ ├── aws_cloudtrail_security_group_change_rds_tests.json │ ├── aws_cloudtrail_ssm_malicious_usage.yml │ ├── aws_cloudtrail_ssm_malicious_usage_tests.json │ ├── aws_config_disable_recording.yml │ ├── aws_config_disable_recording_tests.json │ ├── aws_console_getsignintoken.yml │ ├── aws_console_getsignintoken_tests.json │ ├── aws_delete_identity.yml │ ├── aws_delete_identity_tests.json │ ├── aws_delete_saml_provider.yml │ ├── aws_delete_saml_provider_tests.json │ ├── aws_disable_bucket_versioning.yml │ ├── aws_disable_bucket_versioning_tests.json │ ├── aws_ec2_deleteflowlogs.yml │ ├── aws_ec2_deleteflowlogs_tests.json │ ├── aws_ec2_disable_encryption.yml │ ├── aws_ec2_disable_encryption_tests.json │ ├── aws_ec2_getpassworddate.yml │ ├── aws_ec2_getpassworddate_tests.json │ ├── aws_ec2_import_key_pair_activity.yml │ ├── aws_ec2_import_key_pair_activity_tests.json │ ├── aws_ec2_startup_script_change.yml │ ├── aws_ec2_startup_script_change_tests.json │ ├── aws_efs_fileshare_modified_or_deleted.yml │ ├── aws_efs_fileshare_modified_or_deleted_tests.json │ ├── aws_efs_fileshare_mount_modified_or_deleted.yml │ ├── aws_efs_fileshare_mount_modified_or_deleted_tests.json │ ├── aws_eks_cluster_created_or_deleted.yml │ ├── aws_eks_cluster_created_or_deleted_tests.json │ ├── aws_elasticache_security_group_created.yml │ ├── aws_elasticache_security_group_created_tests.json │ ├── aws_elasticache_security_group_modified_or_deleted.yml │ ├── aws_elasticache_security_group_modified_or_deleted_tests.json │ ├── aws_enum_buckets.yml │ ├── aws_enum_buckets_tests.json │ ├── aws_guardduty_disruption.yml │ ├── aws_guardduty_disruption_tests.json │ ├── aws_iam_backdoor_users_keys.yml │ ├── aws_iam_backdoor_users_keys_tests.json │ ├── aws_iam_s3browser_loginprofile_creation.yml │ ├── aws_iam_s3browser_loginprofile_creation_tests.json │ ├── aws_iam_s3browser_user_or_accesskey_creation.yml │ ├── aws_iam_s3browser_user_or_accesskey_creation_tests.json │ ├── aws_lambda_function_url.yml │ ├── aws_lambda_function_url_tests.json │ ├── aws_new_lambda_layer_attached.yml │ ├── aws_new_lambda_layer_attached_tests.json │ ├── aws_organizations_leaveorganization.yml │ ├── aws_organizations_leaveorganization_tests.json │ ├── aws_passed_role_to_glue_development_endpoint.yml │ ├── aws_passed_role_to_glue_development_endpoint_tests.json │ ├── aws_rds_change_master_password.yml │ ├── aws_rds_change_master_password_tests.json │ ├── aws_rds_dbcluster_actions.yml │ ├── aws_rds_dbcluster_actions_tests.json │ ├── aws_rds_public_db_restore.yml │ ├── aws_rds_public_db_restore_tests.json │ ├── aws_root_account_usage.yml │ ├── aws_root_account_usage_tests.json │ ├── aws_route53resolver_deleteresolver.yml │ ├── aws_route53resolver_deleteresolver_tests.json │ ├── aws_route_53_domain_transferred_lock_disabled.yml │ ├── aws_route_53_domain_transferred_lock_disabled_tests.json │ ├── aws_route_53_domain_transferred_to_another_account.yml │ ├── aws_route_53_domain_transferred_to_another_account_tests.json │ ├── aws_s3_data_management_tampering.yml │ ├── aws_s3_data_management_tampering_tests.json │ ├── aws_s3_lifecycle.yml │ ├── aws_s3_lifecycle_tests.json │ ├── aws_secretsmanager_batchgetsecretvalue.yml │ ├── aws_secretsmanager_batchgetsecretvalue_tests.json │ ├── aws_secretsmanager_getsecrets.yml │ ├── aws_secretsmanager_getsecrets_tests.json │ ├── aws_securityhub_finding_evasion.yml │ ├── aws_securityhub_finding_evasion_tests.json │ ├── aws_snapshot_backup_exfiltration.yml │ ├── aws_snapshot_backup_exfiltration_tests.json │ ├── aws_ssm_ssmgetparameter.yml │ ├── aws_ssm_ssmgetparameter_tests.json │ ├── aws_sso_idp_change.yml │ ├── aws_sso_idp_change_tests.json │ ├── aws_sts_getsessiontoken_misuse.yml │ ├── aws_sts_getsessiontoken_misuse_tests.json │ ├── aws_susp_saml_activity.yml │ ├── aws_susp_saml_activity_tests.json │ ├── aws_update_login_profile.yml │ └── aws_update_login_profile_tests.json ├── terraform ├── main.tf ├── migrate.tf ├── terraform.tfvars.json └── variables.tf └── utils ├── generate_rule_example.py └── github_oidc.tf /.github/workflows/deploy-rules.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/.github/workflows/deploy-rules.yml -------------------------------------------------------------------------------- /.github/workflows/deploy-trailalerts.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/.github/workflows/deploy-trailalerts.yml -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/.gitignore -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/LICENSE -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/README.md -------------------------------------------------------------------------------- /images/TrailAlerts-Infra.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/images/TrailAlerts-Infra.PNG -------------------------------------------------------------------------------- /images/TrailAlerts-VPNAPI.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/images/TrailAlerts-VPNAPI.PNG -------------------------------------------------------------------------------- /images/TrailAlerts.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/images/TrailAlerts.png -------------------------------------------------------------------------------- /images/features.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/images/features.png -------------------------------------------------------------------------------- /rules/exceptions.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/exceptions.json -------------------------------------------------------------------------------- /rules/postprocessing_rules/sample_rules.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/postprocessing_rules/sample_rules.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_attachpolicy.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_cloudtrail_attachpolicy.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_attachpolicy_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_cloudtrail_attachpolicy_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_create_iam.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_cloudtrail_create_iam.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_create_iam_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_cloudtrail_create_iam_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_disable_logging.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_cloudtrail_disable_logging.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_disable_logging_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_cloudtrail_disable_logging_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_new_acl_entries.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_cloudtrail_new_acl_entries.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_new_acl_entries_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_cloudtrail_new_acl_entries_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_new_route_added.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_cloudtrail_new_route_added.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_new_route_added_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_cloudtrail_new_route_added_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_puteventselectors.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_cloudtrail_puteventselectors.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_puteventselectors_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_cloudtrail_puteventselectors_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_security_group_change_ingress_egress.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_cloudtrail_security_group_change_ingress_egress.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_security_group_change_ingress_egress_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_cloudtrail_security_group_change_ingress_egress_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_security_group_change_loadbalancer.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_cloudtrail_security_group_change_loadbalancer.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_security_group_change_loadbalancer_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_cloudtrail_security_group_change_loadbalancer_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_security_group_change_rds.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_cloudtrail_security_group_change_rds.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_security_group_change_rds_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_cloudtrail_security_group_change_rds_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_ssm_malicious_usage.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_cloudtrail_ssm_malicious_usage.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_cloudtrail_ssm_malicious_usage_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_cloudtrail_ssm_malicious_usage_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_config_disable_recording.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_config_disable_recording.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_config_disable_recording_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_config_disable_recording_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_console_getsignintoken.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_console_getsignintoken.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_console_getsignintoken_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_console_getsignintoken_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_delete_identity.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_delete_identity.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_delete_identity_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_delete_identity_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_delete_saml_provider.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_delete_saml_provider.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_delete_saml_provider_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_delete_saml_provider_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_disable_bucket_versioning.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_disable_bucket_versioning.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_disable_bucket_versioning_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_disable_bucket_versioning_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_ec2_deleteflowlogs.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_ec2_deleteflowlogs.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_ec2_deleteflowlogs_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_ec2_deleteflowlogs_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_ec2_disable_encryption.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_ec2_disable_encryption.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_ec2_disable_encryption_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_ec2_disable_encryption_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_ec2_getpassworddate.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_ec2_getpassworddate.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_ec2_getpassworddate_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_ec2_getpassworddate_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_ec2_import_key_pair_activity.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_ec2_import_key_pair_activity.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_ec2_import_key_pair_activity_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_ec2_import_key_pair_activity_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_ec2_startup_script_change.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_ec2_startup_script_change.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_ec2_startup_script_change_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_ec2_startup_script_change_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_efs_fileshare_modified_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_efs_fileshare_modified_or_deleted.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_efs_fileshare_modified_or_deleted_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_efs_fileshare_modified_or_deleted_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_efs_fileshare_mount_modified_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_efs_fileshare_mount_modified_or_deleted.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_efs_fileshare_mount_modified_or_deleted_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_efs_fileshare_mount_modified_or_deleted_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_eks_cluster_created_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_eks_cluster_created_or_deleted.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_eks_cluster_created_or_deleted_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_eks_cluster_created_or_deleted_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_elasticache_security_group_created.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_elasticache_security_group_created.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_elasticache_security_group_created_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_elasticache_security_group_created_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_elasticache_security_group_modified_or_deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_elasticache_security_group_modified_or_deleted.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_elasticache_security_group_modified_or_deleted_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_elasticache_security_group_modified_or_deleted_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_enum_buckets.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_enum_buckets.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_enum_buckets_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_enum_buckets_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_guardduty_disruption.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_guardduty_disruption.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_guardduty_disruption_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_guardduty_disruption_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_iam_backdoor_users_keys.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_iam_backdoor_users_keys.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_iam_backdoor_users_keys_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_iam_backdoor_users_keys_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_iam_s3browser_loginprofile_creation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_iam_s3browser_loginprofile_creation.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_iam_s3browser_loginprofile_creation_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_iam_s3browser_loginprofile_creation_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_iam_s3browser_user_or_accesskey_creation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_iam_s3browser_user_or_accesskey_creation.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_iam_s3browser_user_or_accesskey_creation_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_iam_s3browser_user_or_accesskey_creation_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_lambda_function_url.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_lambda_function_url.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_lambda_function_url_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_lambda_function_url_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_new_lambda_layer_attached.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_new_lambda_layer_attached.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_new_lambda_layer_attached_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_new_lambda_layer_attached_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_organizations_leaveorganization.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_organizations_leaveorganization.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_organizations_leaveorganization_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_organizations_leaveorganization_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_passed_role_to_glue_development_endpoint.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_passed_role_to_glue_development_endpoint.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_passed_role_to_glue_development_endpoint_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_passed_role_to_glue_development_endpoint_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_rds_change_master_password.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_rds_change_master_password.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_rds_change_master_password_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_rds_change_master_password_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_rds_dbcluster_actions.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_rds_dbcluster_actions.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_rds_dbcluster_actions_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_rds_dbcluster_actions_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_rds_public_db_restore.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_rds_public_db_restore.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_rds_public_db_restore_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_rds_public_db_restore_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_root_account_usage.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_root_account_usage.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_root_account_usage_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_root_account_usage_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_route53resolver_deleteresolver.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_route53resolver_deleteresolver.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_route53resolver_deleteresolver_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_route53resolver_deleteresolver_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_route_53_domain_transferred_lock_disabled.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_route_53_domain_transferred_lock_disabled.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_route_53_domain_transferred_lock_disabled_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_route_53_domain_transferred_lock_disabled_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_route_53_domain_transferred_to_another_account.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_route_53_domain_transferred_to_another_account.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_route_53_domain_transferred_to_another_account_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_route_53_domain_transferred_to_another_account_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_s3_data_management_tampering.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_s3_data_management_tampering.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_s3_data_management_tampering_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_s3_data_management_tampering_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_s3_lifecycle.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_s3_lifecycle.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_s3_lifecycle_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_s3_lifecycle_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_secretsmanager_batchgetsecretvalue.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_secretsmanager_batchgetsecretvalue.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_secretsmanager_batchgetsecretvalue_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_secretsmanager_batchgetsecretvalue_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_secretsmanager_getsecrets.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_secretsmanager_getsecrets.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_secretsmanager_getsecrets_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_secretsmanager_getsecrets_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_securityhub_finding_evasion.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_securityhub_finding_evasion.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_securityhub_finding_evasion_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_securityhub_finding_evasion_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_snapshot_backup_exfiltration.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_snapshot_backup_exfiltration.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_snapshot_backup_exfiltration_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_snapshot_backup_exfiltration_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_ssm_ssmgetparameter.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_ssm_ssmgetparameter.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_ssm_ssmgetparameter_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_ssm_ssmgetparameter_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_sso_idp_change.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_sso_idp_change.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_sso_idp_change_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_sso_idp_change_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_sts_getsessiontoken_misuse.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_sts_getsessiontoken_misuse.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_sts_getsessiontoken_misuse_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_sts_getsessiontoken_misuse_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_susp_saml_activity.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_susp_saml_activity.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_susp_saml_activity_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_susp_saml_activity_tests.json -------------------------------------------------------------------------------- /rules/sigma_rules/aws_update_login_profile.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_update_login_profile.yml -------------------------------------------------------------------------------- /rules/sigma_rules/aws_update_login_profile_tests.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/rules/sigma_rules/aws_update_login_profile_tests.json -------------------------------------------------------------------------------- /terraform/main.tf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/terraform/main.tf -------------------------------------------------------------------------------- /terraform/migrate.tf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/terraform/migrate.tf -------------------------------------------------------------------------------- /terraform/terraform.tfvars.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/terraform/terraform.tfvars.json -------------------------------------------------------------------------------- /terraform/variables.tf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/terraform/variables.tf -------------------------------------------------------------------------------- /utils/generate_rule_example.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/utils/generate_rule_example.py -------------------------------------------------------------------------------- /utils/github_oidc.tf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/adanalvarez/TrailAlerts/HEAD/utils/github_oidc.tf --------------------------------------------------------------------------------