[Rule Tuning] Fixing Incorrect ES|QL Operator Use - AWS Service Quotas Multi-Region `GetServiceQuota` Request (#4118)

* fixing single equal operator

* Additional data source tag for consistency

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

(cherry picked from commit 45a3475)
terrancedejesus authored and github-actions[bot] committed Oct 2, 2024
1 parent 580f554 commit 9e40bba
Showing 1 changed file with 3 additions and 2 deletions.
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2024/08/26"
maturity = "production"
updated_date = "2024/08/26"
updated_date = "2024/10/02"

[rule]
author = ["Elastic"]
Expand All @@ -25,6 +25,7 @@ severity = "low"
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS Service Quotas",
"Use Case: Threat Detection",
"Tactic: Discovery",
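Review bot: the new tag `"Data Source: AWS Service Quotas"` is added next to the existing `"Data Source: AWS"` and `"Data Source: Amazon Web Services"` entries; please confirm the value matches the exact spelling other rules use for this service, since tag-based filtering and rule grouping only work when the string is identical across rules. The metadata hunk already bumps `updated_date`, so the tag change is covered there, but it is worth mentioning in the rule's changelog entry as well.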
Expand All @@ -36,7 +37,7 @@ query = '''
from logs-aws.cloudtrail-*
// filter for GetServiceQuota API calls
| where event.dataset == "aws.cloudtrail" and event.provider = "servicequotas.amazonaws.com" and event.action == "GetServiceQuota"
| where event.dataset == "aws.cloudtrail" and event.provider == "servicequotas.amazonaws.com" and event.action == "GetServiceQuota"
// truncate the timestamp to a 30-second window
| eval target_time_window = DATE_TRUNC(30 seconds, @timestamp)
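Review bot: the fix is correct, but it exposes a gap worth closing: `event.provider = "servicequotas.amazonaws.com"` is not a valid equality comparison in ES|QL (`==` is), so as originally written the `where` clause could not have evaluated as intended and the rule would not have produced alerts for the activity it describes. Consider adding ES|QL syntax validation to the rule test suite so a single-character operator error like this fails CI rather than shipping as a rule that silently never fires. The surrounding `event.dataset == "aws.cloudtrail"` and `event.action == "GetServiceQuota"` comparisons already use `==` and are unchanged.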
