Isai
Isai
Rule tuning for AWS STS Temporary IAM Session Token Used from Multiple Addresses # Pull Request *Issue link(s)*: - https://github.com/elastic/ia-trade-team/issues/616 Additional Context from Initial ByBit threat research this rule was...
### Link to Rule https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml ### Description This rule is very broad, capturing any time an EC2 instance snapshot's permission settings are modified via the [ModifySnapshotAtrribute](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html) API. This could be...
# Pull Request *Issue link(s)*: - https://github.com/elastic/ia-trade-team/issues/616 ## Summary - What I changed All of these RDS rules are triggering as expected. Only AWS RDS Snapshot Deleted had clear false...
# Pull Request *Issue link(s)*: - https://github.com/elastic/ia-trade-team/issues/616 ## Summary - What I changed `CreateCluster` is a common Redshift lifecycle operation that occurs frequently in normal workflows. This rule aligns more...
# Pull Request *Issue link(s)*: - https://github.com/elastic/ia-trade-team/issues/616 ## Summary - What I changed `DeleteFileSystem` permanently removes an Amazon EFS file system and all stored data. This operation has no recovery...
# Pull Request *Issue link(s)*: - https://github.com/elastic/ia-trade-team/issues/616 ### _Update 11.25_ I've added some group by fields for the `threshold.value` parameter [`cloud.account.id`, `user.name`, `source.ip`]. This reduces impact from a known bug
# Pull Request *Issue link(s)*: - https://github.com/elastic/ia-trade-team/issues/616 ## Summary - What I changed ***AWS EC2 Multi-Region DescribeInstances API Calls*** Over 2,000 alerts in the last 24 hours. This is a...
#### Related SDH Ticket: - https://github.com/elastic/sdh-protections/issues/645 ----- ### Primary Issue As part of our initiative to improve prebuilt rules compatibility with 3rd party EDR integrations, 210 detection rules were mistakenly...