# Sagan aws-application-insights.rules
# Copyright (c) 2009-2023. Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# rules by "Bryant Smith" <[email protected]>
# 04/12/2023
# ----------------------------------------------------------------------------
# Rule set: CloudTrail API activity for the operations listed below, one rule
# per operation (sids 5011722-5011759, all rev:1).
#
# NOTE(review): every rule in this file is commented out, so loading the file
# yields no detections. Remove the leading '#' from a rule to enable it. Before
# enabling, verify the two match fields against real log records:
#
#   program:application-insights.amazonaws.com
#     Selects log entries whose program/source field carries that value
#     (presumably the CloudTrail eventSource -- confirm against the ingested
#     format). The operations named below (DeleteAlarms, PutMetricData,
#     GetMetricData, ...) are documented in the Amazon CloudWatch API reference
#     that each rule cites, so if the ingested eventSource for those calls is
#     not application-insights.amazonaws.com, none of these rules will fire.
#
#   content:"eventName|22 3a 20 22|<Operation>"
#     |22 3a 20 22| is the hex for '": "' -- the JSON key/value separator
#     followed by one space -- so the rule looks for the raw bytes
#     "eventName": "<Operation>. A record serialised without that space
#     ("eventName":"...") will not match; normalise the feed or add a second
#     content: for the compact form if the source emits it.
#
#   content: is, as far as I know, an unanchored substring match. Because the
#   closing quote is not part of the pattern, an operation name that is a
#   prefix of another name also matches the longer one -- in this file
#   DescribeAlarms (sid 5011728) would also fire on DescribeAlarmsForMetric
#   events (sid 5011729). Appending |22| to the content (e.g.
#   content:"eventName|22 3a 20 22|DescribeAlarms|22|";) makes the match exact.
#
# Tuning: the Describe*/Get*/List* rules are read-only calls that normal
# operations produce continuously and are likely to be very noisy; the
# Delete*, Disable*, Put*, Set* and Stop* rules cover changes to monitoring
# and alarm state and are the ones most worth enabling first, with thresholds
# or after-values added as the environment requires.
# ----------------------------------------------------------------------------
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (DeleteAlarms) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|DeleteAlarms"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011722; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (DeleteAnomalyDetector) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|DeleteAnomalyDetector"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011723; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (DeleteDashboards) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|DeleteDashboards"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011724; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (DeleteInsightRules) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|DeleteInsightRules"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011725; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (DeleteMetricStream) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|DeleteMetricStream"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011726; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (DescribeAlarmHistory) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|DescribeAlarmHistory"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011727; rev:1;)
# NOTE(review): the pattern below is a prefix of the DescribeAlarmsForMetric
# pattern in the next rule; see the substring note in the header.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (DescribeAlarms) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|DescribeAlarms"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011728; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (DescribeAlarmsForMetric) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|DescribeAlarmsForMetric"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011729; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (DescribeAnomalyDetectors) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|DescribeAnomalyDetectors"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011730; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (DescribeInsightRules) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|DescribeInsightRules"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011731; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (DisableAlarmActions) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|DisableAlarmActions"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011732; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (DisableInsightRules) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|DisableInsightRules"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011733; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (EnableAlarmActions) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|EnableAlarmActions"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011734; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (EnableInsightRules) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|EnableInsightRules"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011735; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (GetDashboard) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|GetDashboard"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011736; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (GetInsightRuleReport) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|GetInsightRuleReport"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011737; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (GetMetricData) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|GetMetricData"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011738; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (GetMetricStatistics) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|GetMetricStatistics"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011739; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (GetMetricStream) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|GetMetricStream"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011740; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (GetMetricWidgetImage) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|GetMetricWidgetImage"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011741; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (ListDashboards) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|ListDashboards"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011742; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (ListManagedInsightRules) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|ListManagedInsightRules"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011743; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (ListMetrics) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|ListMetrics"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011744; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (ListMetricStreams) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|ListMetricStreams"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011745; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (ListTagsForResource) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|ListTagsForResource"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011746; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (PutAnomalyDetector) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|PutAnomalyDetector"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011747; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (PutCompositeAlarm) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|PutCompositeAlarm"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011748; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (PutDashboard) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|PutDashboard"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011749; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (PutInsightRule) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|PutInsightRule"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011750; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (PutManagedInsightRules) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|PutManagedInsightRules"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011751; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (PutMetricAlarm) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|PutMetricAlarm"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011752; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (PutMetricData) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|PutMetricData"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011753; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (PutMetricStream) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|PutMetricStream"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011754; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (SetAlarmState) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|SetAlarmState"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011755; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (StartMetricStreams) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|StartMetricStreams"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011756; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (StopMetricStreams) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|StopMetricStreams"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011757; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (TagResource) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|TagResource"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011758; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[APPLICATION-INSIGHTS] CloudWatch Application Insights event detected (UntagResource) "; program:application-insights.amazonaws.com; content:"eventName|22 3a 20 22|UntagResource"; classtype:system-event; reference:url,docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/Welcome.html; sid:5011759; rev:1;)