[Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules #4892
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This PR is in part a response to the following issues regarding the future of flattened fields in AWS, which we use as an essential part of our ruleset. However, this is also in response to the ongoing ruleset audit. Some of the flattened fields used are not truly necessary for the alert to trigger or can be replaced by a different field. Those changes have been made here and our non_ecs file has been edited to remove the unnecessary fields. Additionally, flattened fields have been removed from highlighted fields, and from investigation guides.
add necessary field for ModifyInstanceAttribute action
…toml added missing event.action AuthorizeSecurityGroupIngress, narrowed scope for ModifyInstanceAttribute action by adding a necessary flattened_field
…ole.toml updated min_stack_version for new field target.entity.id
updating min_stack to account of target.entity.id field
adding highlighted fields
imays11
added
Integration: AWS
Rule: Tuning - GuidelinesThese guidelines serve as a reminder set of considerations when tuning an existing rule. Documentation and Context
Rule Metadata Checks
Testing and Validation
|
imays11
requested review from
Mikaayenson,
w0rk3r,
Aegrah,
shashank-elastic and
terrancedejesus
Aegrah
approved these changes
Jul 14, 2025
rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml
Outdated
Show resolved
Hide resolved
rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml
Outdated
Show resolved
Hide resolved
rules/integrations/aws/impact_s3_excessive_object_encryption_with_sse_c.toml
Outdated
Show resolved
Hide resolved
| extort the bucket owner for the decryption key. This is a [New | ||
| Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that flags when | ||
| this behavior is observed for the first time in the last 14 days by the user ARN and target bucket name. | ||
| Identifies when AWS S3 objects stored in a bucket are encrypted using Server-Side Encryption with Customer-Provided Keys (SSE-C). Adversaries with compromised AWS credentials can encrypt objects in an S3 bucket using their own encryption keys, rendering the objects unreadable or recoverable without the key. This can be used as a form of ransomware to extort the bucket owner for the decryption key. This is a New Terms rule that flags when this behavior is observed for the first time user and target bucket name. |
There was a problem hiding this comment.
is the target bucket the tls.client.server_name field in the new_terms set?
rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml
Outdated
Show resolved
Hide resolved
rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml
Outdated
Show resolved
Hide resolved
| @@ -125,7 +126,7 @@ reference = "https://attack.mitre.org/tactics/TA0004/" | |||
|
|
|||
| [rule.new_terms] | |||
| field = "new_terms_fields" | |||
| value = ["cloud.account.id", "user.name", "aws.cloudtrail.flattened.request_parameters.roleName"] | |||
| value = ["cloud.account.id", "user.name", "target.entity.id"] | |||
There was a problem hiding this comment.
target.entity.id can be MV IIRC? Do we know if values are susceptible to change, causing unexpected events?
There was a problem hiding this comment.
@terrancedejesus MV?
| @@ -73,7 +68,7 @@ query = ''' | |||
| event.dataset: "aws.cloudtrail" | |||
| and event.provider: "dynamodb.amazonaws.com" | |||
| and event.action: "ExportTableToPointInTime" | |||
| and aws.cloudtrail.flattened.request_parameters.dryRun: false | |||
There was a problem hiding this comment.
The purpose of this was to ignore testing. ExportTableToPointInTime where successful if dryRun=True should signal testing but nothing was exported. May want to double check before you remove.
There was a problem hiding this comment.
@terrancedejesus Were you actually able to run that command with dryRun parameter? I don't see that it's supported for this API call and I couldn't actually run the call with DryRun, that's why I removed it here. Did you have a different experience? I was using Python to run this script and tried adding that parameter but got "Unknown Parameter" error.
terrancedejesus
approved these changes
Jul 14, 2025
imays11
commented
Jul 15, 2025
rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml
Outdated
Show resolved
Hide resolved
rules/integrations/aws/impact_s3_excessive_object_encryption_with_sse_c.toml
Outdated
Show resolved
Hide resolved
rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml
Outdated
Show resolved
Hide resolved
rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml
Outdated
Show resolved
Hide resolved
rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml
Outdated
Show resolved
Hide resolved
rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml
Outdated
Show resolved
Hide resolved
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull Request
Issue link(s):
Summary - What I changed
This PR is in part a response to the following issues: elastic/integrations#13500 elastic/integrations#14236 regarding the future of flattened fields in AWS, which we use as an essential part of our ruleset. However, this is also in response to the ongoing ruleset audit. Some of the flattened fields used in queries are not truly necessary for the alert to trigger or can be replaced by a different field. Those changes have been made here and our non_ecs file has been edited to remove the unnecessary fields. Additionally, flattened fields have been removed from highlighted fields, and from investigation guides. The fields that remain in non_ecs file are necessary for rules and there are no existing alternatives for this data.
Note about "Insecure AWS EC2 VPC Security Group Ingress Rule Added"
flattened.request_parameterfield was not properly mapped in the rule. It's been updated in the rule and in the ecs_file. Below is the screenshot of working query.Note about "AWS EC2 Security Group Configuration Change"
AuthorizeSecurityGroupIngress.ModifyInstanceAttributeis an API call that allows for modifying various aspects of an EC2 instance, left this broad it was capturing behaviors that are not associated with security group modification. aflattened.request_parametersfield was added to distinguish this behavior and was also added to ecs_file. There is no alternative data source for this information. Below is a screenshot of the new working queryHow To Test
Each of these rules has an accompanying script here that can be used to trigger the rule for testing. Each rule has been tested to ensure it's triggering as expected.