wazuh-ruleset
Update CDB List for AWS event sources
Updated list as of June 29, 2018
What is the value/purpose of expanding the CDB list to all possible event sources?
The only rule this will feed more events to is 80251 (DeleteObjects), which I'm not sure will provide much value.
I could see the value in modifying 80250 (event has errorCode) to be dependent upon 80201 instead of 80202, or creating a new rule, such that an alert would be generated for any CloudTrail event with an errorCode...