
Update Lookback Interval for AWS Rules
seth-goodwin authored and rw-access committed Jul 8, 2020
1 parent 316be47 commit c577426
Showing 27 changed files with 53 additions and 53 deletions.
4 changes: 2 additions & 2 deletions rules/aws/collection_cloudtrail_logging_created.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/06/10"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/06/10"
updated_date = "2020/07/07"

[rule]
author = ["Elastic"]
Expand All @@ -14,7 +14,7 @@ false_positives = [
be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-20m"
from = "now-60m"
index = ["filebeat-*"]
interval = "10m"
language = "kuery"
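Review bot: The widened lookback `from = "now-60m"` in the second hunk leaves `interval = "10m"` unchanged, so each CloudTrail event is now inside the query window of up to six consecutive rule runs instead of two, and nothing in the rule file records why 60m was chosen; the same change is made in every other file section of this commit, so this note applies to all of them. Presumably the wider window absorbs delayed CloudTrail delivery into the `filebeat-*` indices, and if the detection engine does not deduplicate alerts on the source event, the larger overlap will multiply alerts for a single API call — worth confirming before the window is tuned again. A one-line comment above the key in each rule would capture the intent, e.g. `# 60m lookback on a 10m interval: tolerates late CloudTrail delivery; engine dedups repeated hits`. The `[rule]` table continues past the end of this hunk.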
4 changes: 2 additions & 2 deletions rules/aws/credential_access_iam_user_addition_to_group.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/06/04"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/06/04"
updated_date = "2020/07/07"

[rule]
author = ["Elastic"]
Expand All @@ -15,7 +15,7 @@ false_positives = [
rule.
""",
]
from = "now-20m"
from = "now-60m"
index = ["filebeat-*"]
interval = "10m"
language = "kuery"
4 changes: 2 additions & 2 deletions rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/05/26"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/05/26"
updated_date = "2020/07/07"

[rule]
author = ["Elastic"]
Expand All @@ -14,7 +14,7 @@ false_positives = [
be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-20m"
from = "now-60m"
index = ["filebeat-*"]
interval = "10m"
language = "kuery"
4 changes: 2 additions & 2 deletions rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/06/10"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/06/10"
updated_date = "2020/07/07"

[rule]
author = ["Elastic"]
Expand All @@ -18,7 +18,7 @@ false_positives = [
from the rule.
""",
]
from = "now-20m"
from = "now-60m"
index = ["filebeat-*"]
interval = "10m"
language = "kuery"
4 changes: 2 additions & 2 deletions rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/06/15"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/06/15"
updated_date = "2020/07/07"

[rule]
author = ["Elastic"]
Expand All @@ -14,7 +14,7 @@ false_positives = [
can be exempted from the rule.
""",
]
from = "now-20m"
from = "now-60m"
index = ["filebeat-*"]
interval = "10m"
language = "kuery"
4 changes: 2 additions & 2 deletions rules/aws/defense_evasion_configuration_recorder_stopped.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/06/16"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/06/16"
updated_date = "2020/07/07"

[rule]
author = ["Elastic"]
Expand All @@ -14,7 +14,7 @@ false_positives = [
positives, it can be exempted from the rule.
""",
]
from = "now-20m"
from = "now-60m"
index = ["filebeat-*"]
interval = "10m"
language = "kuery"
4 changes: 2 additions & 2 deletions rules/aws/defense_evasion_ec2_flow_log_deletion.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/06/15"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/06/15"
updated_date = "2020/07/07"

[rule]
author = ["Elastic"]
Expand All @@ -17,7 +17,7 @@ false_positives = [
can be exempted from the rule.
""",
]
from = "now-20m"
from = "now-60m"
index = ["filebeat-*"]
interval = "10m"
language = "kuery"
4 changes: 2 additions & 2 deletions rules/aws/defense_evasion_ec2_network_acl_deletion.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/05/26"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/05/26"
updated_date = "2020/07/07"

[rule]
author = ["Elastic"]
Expand All @@ -17,7 +17,7 @@ false_positives = [
be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-20m"
from = "now-60m"
index = ["filebeat-*"]
interval = "10m"
language = "kuery"
4 changes: 2 additions & 2 deletions rules/aws/defense_evasion_guardduty_detector_deletion.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/05/28"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/05/28"
updated_date = "2020/07/07"

[rule]
author = ["Elastic"]
Expand All @@ -17,7 +17,7 @@ false_positives = [
hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-20m"
from = "now-60m"
index = ["filebeat-*"]
interval = "10m"
language = "kuery"
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/05/27"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/05/27"
updated_date = "2020/07/07"

[rule]
author = ["Elastic"]
Expand All @@ -14,7 +14,7 @@ false_positives = [
hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-20m"
from = "now-60m"
index = ["filebeat-*"]
interval = "10m"
language = "kuery"
4 changes: 2 additions & 2 deletions rules/aws/defense_evasion_waf_acl_deletion.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/05/21"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/05/21"
updated_date = "2020/07/07"

[rule]
author = ["Elastic"]
Expand All @@ -14,7 +14,7 @@ false_positives = [
should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-20m"
from = "now-60m"
index = ["filebeat-*"]
interval = "10m"
language = "kuery"
4 changes: 2 additions & 2 deletions rules/aws/exfiltration_ec2_snapshot_change_activity.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/06/24"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/06/24"
updated_date = "2020/07/07"

[rule]
author = ["Elastic"]
Expand All @@ -17,7 +17,7 @@ false_positives = [
behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-20m"
from = "now-60m"
index = ["filebeat-*"]
interval = "10m"
language = "kuery"
4 changes: 2 additions & 2 deletions rules/aws/impact_cloudtrail_logging_updated.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/06/10"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/06/10"
updated_date = "2020/07/07"

[rule]
author = ["Elastic"]
Expand All @@ -14,7 +14,7 @@ false_positives = [
investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-20m"
from = "now-60m"
index = ["filebeat-*"]
interval = "10m"
language = "kuery"
4 changes: 2 additions & 2 deletions rules/aws/impact_cloudwatch_log_group_deletion.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/05/18"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/05/18"
updated_date = "2020/07/07"

[rule]
author = ["Elastic"]
Expand All @@ -17,7 +17,7 @@ false_positives = [
it can be exempted from the rule.
""",
]
from = "now-20m"
from = "now-60m"
index = ["filebeat-*"]
interval = "10m"
language = "kuery"
4 changes: 2 additions & 2 deletions rules/aws/impact_cloudwatch_log_stream_deletion.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/05/20"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/05/20"
updated_date = "2020/07/07"

[rule]
author = ["Elastic"]
Expand All @@ -17,7 +17,7 @@ false_positives = [
investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-20m"
from = "now-60m"
index = ["filebeat-*"]
interval = "10m"
language = "kuery"
4 changes: 2 additions & 2 deletions rules/aws/impact_ec2_disable_ebs_encryption.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/06/05"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/06/05"
updated_date = "2020/07/07"

[rule]
author = ["Elastic"]
Expand All @@ -17,7 +17,7 @@ false_positives = [
should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-20m"
from = "now-60m"
index = ["filebeat-*"]
interval = "10m"
language = "kuery"
4 changes: 2 additions & 2 deletions rules/aws/impact_iam_deactivate_mfa_device.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/05/26"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/05/26"
updated_date = "2020/07/07"

[rule]
author = ["Elastic"]
Expand All @@ -18,7 +18,7 @@ false_positives = [
hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-20m"
from = "now-60m"
index = ["filebeat-*"]
interval = "10m"
language = "kuery"
4 changes: 2 additions & 2 deletions rules/aws/impact_iam_group_deletion.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/05/21"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/05/21"
updated_date = "2020/07/07"

[rule]
author = ["Elastic"]
Expand All @@ -17,7 +17,7 @@ false_positives = [
should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-20m"
from = "now-60m"
index = ["filebeat-*"]
interval = "10m"
language = "kuery"
4 changes: 2 additions & 2 deletions rules/aws/impact_rds_cluster_deletion.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/05/21"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/05/21"
updated_date = "2020/07/07"

[rule]
author = ["Elastic"]
Expand All @@ -17,7 +17,7 @@ false_positives = [
investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-20m"
from = "now-60m"
index = ["filebeat-*"]
interval = "10m"
language = "kuery"
4 changes: 2 additions & 2 deletions rules/aws/impact_rds_instance_cluster_stoppage.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/05/20"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/05/20"
updated_date = "2020/07/07"

[rule]
author = ["Elastic"]
Expand All @@ -14,7 +14,7 @@ false_positives = [
hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-20m"
from = "now-60m"
index = ["filebeat-*"]
interval = "10m"
language = "kuery"
4 changes: 2 additions & 2 deletions rules/aws/initial_access_console_login_root.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/06/11"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/06/11"
updated_date = "2020/07/07"

[rule]
author = ["Elastic"]
Expand All @@ -15,7 +15,7 @@ false_positives = [
exempted from the rule.
""",
]
from = "now-20m"
from = "now-60m"
index = ["filebeat-*"]
interval = "10m"
language = "kuery"
4 changes: 2 additions & 2 deletions rules/aws/initial_access_password_recovery.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/07/02"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/02"
updated_date = "2020/07/07"

[rule]
author = ["Elastic"]
Expand All @@ -17,7 +17,7 @@ false_positives = [
it can be exempted from the rule.
""",
]
from = "now-20m"
from = "now-60m"
index = ["filebeat-*"]
interval = "10m"
language = "kuery"