[Rule Tunings] Change from to prevent double alerts (elastic#3868)
imays11 authored Jul 11, 2024
1 parent f0ab897 commit 44658ea
Showing 7 changed files with 14 additions and 14 deletions.
Expand Up @@ -2,7 +2,7 @@
creation_date = "2024/06/25"
integration = ["aws"]
maturity = "production"
updated_date = "2024/06/25"
updated_date = "2024/07/06"

[rule]
author = ["Elastic"]
Expand All @@ -14,7 +14,7 @@ false_positives = [
DB snapshot sharing is a common practice in AWS environments. Ensure that the sharing is authorized before taking action.
""",
]
from = "now-10m"
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "eql"
license = "Elastic License v2"
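Review bot: Tightening `from` to "now-6m" trades the duplicate alerts for less tolerance of ingestion lag: an event whose timestamp falls more than roughly one minute before the run that first sees it indexed will never be evaluated, and the `interval` that fixes that margin is not in the hunk, so the one-minute figure assumes the 5-minute default applies. CloudTrail delivery into the index can itself lag by several minutes, so whether "now-6m" still catches late events is worth confirming against actual ingestion delay before the rule is relied on. Nothing in the file records why the window was narrowed, which invites the next tuning to widen it again; a comment above the key would keep the reasoning with the value: `# Lookback = interval + 1m; a wider window re-evaluates events the previous run already alerted on and yields duplicate alerts`. The same change, with the same missing rationale, is made in the other six files of this commit.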
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2024/05/01"
maturity = "production"
updated_date = "2024/05/01"
updated_date = "2024/07/06"
min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully"
min_stack_version = "8.13.0"

Expand All @@ -13,7 +13,7 @@ timeframe. This activity can be indicative of attempting to cause an increase in
random operations, cause resource exhaustion, or enumerating bucket names for discovery.
"""
false_positives = ["Known or internal account IDs or automation"]
from = "now-10m"
from = "now-6m"
language = "esql"
license = "Elastic License v2"
name = "AWS S3 Bucket Enumeration or Brute Force"
Expand Up @@ -2,7 +2,7 @@
creation_date = "2024/06/28"
integration = ["aws"]
maturity = "production"
updated_date = "2024/06/28"
updated_date = "2024/07/06"

[rule]
author = ["Elastic"]
Expand All @@ -14,7 +14,7 @@ false_positives = [
The deletionProtection feature must be disabled as a prerequisite for deletion of a DB instance or cluster. Ensure that the instance should not be modified in this way before taking action.
""",
]
from = "now-10m"
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "eql"
license = "Elastic License v2"
4 changes: 2 additions & 2 deletions rules/integrations/aws/impact_rds_snapshot_deleted.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2024/06/29"
integration = ["aws"]
maturity = "production"
updated_date = "2024/06/29"
updated_date = "2024/07/06"

[rule]
author = ["Elastic"]
Expand All @@ -14,7 +14,7 @@ false_positives = [
Snapshots may be deleted by a system administrator. Verify whether the user identity should be making changes in your environment. Snapshot deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-10m"
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "eql"
license = "Elastic License v2"
Expand Up @@ -2,7 +2,7 @@
creation_date = "2024/06/13"
integration = ["aws"]
maturity = "production"
updated_date = "2024/06/22"
updated_date = "2024/07/06"
min_stack_comments = "ES|QL rule type in technical preview as of 8.13"
min_stack_version = "8.13.0"

Expand All @@ -19,7 +19,7 @@ false_positives = [
Verify whether the user identity should be using the IAM `CreateAccessKey` for the targeted user.
""",
]
from = "now-10m"
from = "now-6m"
language = "esql"
license = "Elastic License v2"
name = "AWS IAM User Created Access Keys For Another User"
Expand Up @@ -2,7 +2,7 @@
creation_date = "2024/06/27"
integration = ["aws"]
maturity = "production"
updated_date = "2024/06/27"
updated_date = "2024/07/06"

[rule]
author = ["Elastic"]
Expand All @@ -14,7 +14,7 @@ false_positives = [
Master password change is a legitimate means to regain access to a DB instance in the case of a lost password. Ensure that the instance should not be modified in this way before taking action.
""",
]
from = "now-10m"
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "eql"
license = "Elastic License v2"
Expand Up @@ -2,7 +2,7 @@
creation_date = "2024/06/29"
integration = ["aws"]
maturity = "production"
updated_date = "2024/06/29"
updated_date = "2024/07/06"

[rule]
author = ["Elastic"]
Expand All @@ -14,7 +14,7 @@ false_positives = [
Public access is a common configuration used to enable access from outside a private VPC. Ensure that the instance should not be modified in this way before taking action.
""",
]
from = "now-10m"
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "eql"
license = "Elastic License v2"
