Delete fileForFailTest.yaml

Detections/AWSCloudTrail/fileForFailTest.yaml

@@ -1,36 +0,0 @@
-id: 8c2ef238-67a0-497d-b1dd-5c8a0f533e25
-name: Changes to internet facing AWS RDS Database instances
-description: |
-  'Amazon Relational Database Service (RDS) is scalable relational database in the cloud. 
-  If your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) 
-  Once alerts triggered, validate if changes observed are authorized and adhere to change control policy. 
-  More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255
-  and RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html'
-severity: Low
-requiredDataConnectors:
-  - connectorId: AWS
-    dataTypes:
-      - AWSCloudTrail
-queryFrequency: 1d
-queryPeriod: 1d
-triggerOperator: gt
-triggerThreshold: 0
-tactics:
-  - Persistence
-relevantTechniques:
-  - T1098
-query: |
-  let EventNameList = dynamic(["AuthorizeDBSecurityGroupIngress","CreateDBSecurityGroup","DeleteDBSecurityGroup","RevokeDBSecurityGroupIngress"]);
-  AWSCloudTrail
-  | where EventName in~ (EventNameList)
-  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements
-  | extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress
-entityMappings:
-  - entityType: Account
-    fieldMappings:
-      - identifier: FullName
-        columnName: AccountCustomEntity
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: IPCustomEntity