[Deprecation] AWS EC2 Snapshot Activity #3906
Labels
backlog
Domain: Cloud
Integration: AWS
AWS related rules
Rule: Deprecation
removal of a rule
Team: TRADE
Link to Rule
https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
Description
This rule is very broad, capturing any time an EC2 instance snapshot's permission settings are modified via the ModifySnapshotAttribute API.
This could be used to:
add: <external.account.id>
add: all
remove: <external.account.id>
PROBLEM:
The problem is that this rule is too generic and so captures all 3 of these very different activities. Additionally, this new rule: AWS EC2 EBS Snapshot Shared with Another Account (@terrancedejesus) captures the first use case listed above, which means duplicate alerts for the same behavior, as shown below.
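The three cases above all arrive as the same CloudTrail event name, so a rule that keys only on ModifySnapshotAttribute cannot tell them apart. The following is an added example, not code from this issue or from the elastic/detection-rules repository: it builds a few constructed CloudTrail records (sample account ids and snapshot ids are made up), classifies each into "shared with an external account", "made public" or "permission removed" from the createVolumePermission add/remove items, and then shows which rules would fire. The broad rule is approximated as "any successful ModifySnapshotAttribute that adds or removes a permission", and the "made public" rule is a hypothetical narrow rule used only to illustrate the split; the real rule names are taken from the issue text.

```python
OWNER_ACCOUNT = "111111111111"  # constructed: the account that owns the snapshots


def _event(snapshot_id, perm, **extra):
    """Build one constructed CloudTrail record for ModifySnapshotAttribute.

    The requestParameters layout follows the EC2 API: createVolumePermission
    carries add/remove -> items[] with either a userId (an AWS account id) or
    group "all" (the snapshot becomes public).
    """
    rec = {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifySnapshotAttribute",
        "recipientAccountId": OWNER_ACCOUNT,
        "requestParameters": {
            "snapshotId": snapshot_id,
            "attributeType": "CREATE_VOLUME_PERMISSION",
            "createVolumePermission": perm,
        },
    }
    rec.update(extra)
    return rec


SAMPLE_EVENTS = [
    # 1. add <external.account.id>
    _event("snap-0001", {"add": {"items": [{"userId": "222222222222"}]}}),
    # 2. add all (snapshot becomes public)
    _event("snap-0002", {"add": {"items": [{"group": "all"}]}}),
    # 3. remove <external.account.id>
    _event("snap-0003", {"remove": {"items": [{"userId": "222222222222"}]}}),
    # edge case: the call failed, so no permission actually changed
    _event("snap-0004", {"add": {"items": [{"group": "all"}]}},
           errorCode="Client.UnauthorizedOperation"),
    # edge case: an unrelated, read-only EC2 API call
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeSnapshots",
     "recipientAccountId": OWNER_ACCOUNT, "requestParameters": {}},
]


def classify(event):
    """Return the set of behaviours one ModifySnapshotAttribute record represents."""
    if (event.get("eventSource") != "ec2.amazonaws.com"
            or event.get("eventName") != "ModifySnapshotAttribute"
            or "errorCode" in event):  # failed calls change nothing
        return set()
    perm = event.get("requestParameters", {}).get("createVolumePermission", {})
    owner = event.get("recipientAccountId")
    found = set()
    for item in perm.get("add", {}).get("items", []):
        if item.get("group") == "all":
            found.add("made_public")
        elif item.get("userId") and item["userId"] != owner:
            found.add("shared_with_external_account")
    if perm.get("remove", {}).get("items"):
        found.add("permission_removed")
    return found


def broad_rule_fires(event):
    """Approximation of the deprecated rule: any successful add/remove at all."""
    return bool(classify(event))


def shared_rule_fires(event):
    """Approximation of 'AWS EC2 EBS Snapshot Shared with Another Account'."""
    return "shared_with_external_account" in classify(event)


def public_rule_fires(event):
    """Hypothetical narrow rule for the 'add: all' case only."""
    return "made_public" in classify(event)


def alerts_for(event):
    """List the rules that would fire on one record; case 1 fires twice."""
    names = []
    if broad_rule_fires(event):
        names.append("AWS EC2 Snapshot Activity (deprecated, broad)")
    if shared_rule_fires(event):
        names.append("AWS EC2 EBS Snapshot Shared with Another Account")
    if public_rule_fires(event):
        names.append("snapshot made public (hypothetical narrow rule)")
    return names


def triage(events):
    """Map each record's snapshot id (or event name) to the rules it triggers."""
    return {e["requestParameters"].get("snapshotId", e["eventName"]): alerts_for(e)
            for e in events}


if __name__ == "__main__":
    for key, fired in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {fired or ['no alert']}")
```

Running the block shows snap-0001 producing two alerts (the broad rule plus the dedicated share rule), which is the duplicate this issue describes, while snap-0003 (a permission removal) is covered only by the broad rule and would need its own narrow rule if that behaviour is still worth alerting on after the deprecation.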
SUGGESTION: