diff --git a/Detections/AWSCloudTrail/fileForFailTest.yaml b/Detections/AWSCloudTrail/fileForFailTest.yaml
deleted file mode 100644
index fcdb8a577c..0000000000
--- a/Detections/AWSCloudTrail/fileForFailTest.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-id: 8c2ef238-67a0-497d-b1dd-5c8a0f533e25
-name: Changes to internet facing AWS RDS Database instances
-description: |
- 'Amazon Relational Database Service (RDS) is scalable relational database in the cloud.
- If your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service)
- Once alerts triggered, validate if changes observed are authorized and adhere to change control policy.
- More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255
- and RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html'
-severity: Low
-requiredDataConnectors:
- - connectorId: AWS
- dataTypes:
- - AWSCloudTrail
-queryFrequency: 1d
-queryPeriod: 1d
-triggerOperator: gt
-triggerThreshold: 0
-tactics:
- - Persistence
-relevantTechniques:
- - T1098
-query: |
- let EventNameList = dynamic(["AuthorizeDBSecurityGroupIngress","CreateDBSecurityGroup","DeleteDBSecurityGroup","RevokeDBSecurityGroupIngress"]);
- AWSCloudTrail
- | where EventName in~ (EventNameList)
- | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements
- | extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress
-entityMappings:
- - entityType: Account
- fieldMappings:
- - identifier: FullName
- columnName: AccountCustomEntity
- - entityType: IP
- fieldMappings:
- - identifier: Address
- columnName: IPCustomEntity