From 6334446ee524c4674f51a876f6b7d3b7e8e9e096 Mon Sep 17 00:00:00 2001 From: Isai <59296946+imays11@users.noreply.github.com> Date: Tue, 4 Nov 2025 11:56:15 -0500 Subject: [PATCH] [Rule Tuning] AWS IAM CompromisedKeyQuarantine Policy Attached to User This rule is working as expected, only instances of this alert in telemetry is for testing environments. - uses `iam` instead of `any` for eql query - added highlighted fields --- ...keyquarantine_policy_attached_to_user.toml | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml b/rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml index a15d92086ad..39c54e4f149 100644 --- a/rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml +++ b/rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/20" integration = ["aws"] maturity = "production" -updated_date = "2025/01/10" +updated_date = "2025/11/04" [rule] author = ["Elastic"] @@ -70,7 +70,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -any where event.dataset == "aws.cloudtrail" +iam where event.dataset == "aws.cloudtrail" and event.action == "AttachUserPolicy" and event.outcome == "success" and stringContains(aws.cloudtrail.request_parameters, "AWSCompromisedKeyQuarantine") @@ -89,3 +89,18 @@ id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[rule.investigation_fields] +field_names = [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters" +]
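Review bot: The `stringContains(aws.cloudtrail.request_parameters, "AWSCompromisedKeyQuarantine")` test in the second hunk is still a bare substring match, so a customer-managed policy whose name merely contains that string (for example `arn:aws:iam::<account>:policy/AWSCompromisedKeyQuarantineTest`) fires the rule alongside the AWS-managed one; only the AWS-managed policy carries the `::aws:policy/` account segment. Anchoring on that segment keeps the V2/V3 variants, stays partition-agnostic (`arn:aws-us-gov:`, `arn:aws-cn:`), and drops look-alikes: `and stringContains(aws.cloudtrail.request_parameters, ":iam::aws:policy/AWSCompromisedKeyQuarantine")`. The move from `any` to `iam` also makes the rule depend on the CloudTrail integration tagging AttachUserPolicy events with `event.category` `iam`; if that mapping ever changes the query returns nothing rather than failing, so a one-line comment above `query` such as `# iam category relies on the aws.cloudtrail pipeline setting event.category: iam for IAM API calls` would make the assumption visible to the next tuner, even though the commit's telemetry check suggests it holds today. The `query` literal appears to continue past the hunk (its closing `'''` is not shown).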