Skip to content

[Rule Tunings] AWS Multiple API Calls ESQL rules #5238

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[Rule Tunings] AWS Multiple API Calls ESQL rules #5238

wants to merge 1 commit into from
+398 −290

Conversation

@imays11
Copy link
Contributor

@imays11 imays11 commented Oct 21, 2025

Pull Request

Issue link(s):

Summary - What I changed

AWS EC2 Multi-Region DescribeInstances API Calls
Over 2,000 alerts in the last 24 hours. This is a very noisy rule, by design it is alerting on quite normal behavior. There is not much in-the-wild threat behavior that justifies keeping this rule as a standalone alert. As a threat indicator, this is best used as a hunting rule or in correlation with another rule, for example: (GetCallerIdentity new terms + multi region DescribeInstances by same principal) or (Multiple Discovery API calls + multi region DescribeInstances by same principal) or (multi region DescribeInstances + snapshot/AMI activity by same principal). However, on its own it’s not adding much value over the noise.

  • I’m keeping this as ESQL rule but converting it to a BBR
  • keeping more fields for further context
  • Changing investigation guide to be more relevant for hunting/correlation rule

AWS Discovery API Calls via CLI from a Single Resource
This rule is alerting as expected with low telemetry. It has to remain an ESQL rule as no other rule types can truncate the time window to 10 sec looking for a threshold of unique API calls coming from a single user.

  • Keeping as ESQL rule
  • Reduced execution window
  • Keeping more fields for further context
  • Adding highlighted fields
  • Updated Investigation guide
  • Changed the toml file name to be more accurate as this rule does not only look at ec2 service discovery

How To Test

Plenty of data in our test stack to run queries against. Script for the AWS Discovery API Calls rule. It is very extensive in the API calls it makes, I wanted this script to be a bit more realistic and trigger across many different services.

Screenshots for AWS Discovery API Calls via CLI from a Single Resource

Expected Alert with very little context

Screenshot 2025-10-21 at 11 51 06 AM

New Working Query with additional context

Screenshot 2025-10-21 at 11 31 53 AM

New Expected Alert with additional context

Screenshot 2025-10-21 at 12 23 17 PM

@imays11
[Rule Tunings] AWS Multiple API Calls rules
e492f5a 
AWS EC2 Multi-Region DescribeInstances API Calls
Over 2,000 alerts in the last 24 hours. This is a very noisy rule, by design it is alerting on quite normal behavior. There is not much in-the-wild threat behavior that justifies keeping this rule as a standalone alert. As a threat indicator, this is best used as a hunting rule or in correlation with another rule, for example: (GetCallerIdentity new terms + multi region DescribeInstances by same principal)  or (Multiple Discovery API calls + multi region DescribeInstances by same principal) or (multi region DescribeInstances + snapshot/AMI activity by same principal). However, on its own it’s not adding much value over the noise.
- I’m keeping this as ESQL rule but converting it to a BBR
- keeping more fields for further context
- Changing investigation guide to be more relevant for hunting/correlation rule

AWS Discovery API Calls via CLI from a Single Resource
This rule is alerting as expected with low telemetry. It has to remain an ESQL rule as no other rule types can truncate the time window to 10 sec looking for a threshold of unique API calls coming from a single user.
- Keeping as ESQL rule
- Reduced execution window
- Keeping more fields for further context
- Adding highlighted fields
- Updated Investigation guide
@imays11 imays11 self-assigned this Oct 21, 2025
@imays11 imays11 added Integration: AWS AWS related rules Rule: Tuning tweaking or tuning an existing rule Team: TRADE Domain: Cloud labels Oct 21, 2025
@botelastic botelastic bot added the bbr Building Block Rules label Oct 21, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Oct 21, 2025
edited by terrancedejesus
Loading

Rule: Tuning - Guidelines

These guidelines serve as a reminder set of considerations when tuning an existing rule.

Documentation and Context

  • Detailed description of the suggested changes.
  • Provide example JSON data or screenshots.
  • Provide evidence of reducing benign events mistakenly identified as threats (False Positives).
  • Provide evidence of enhancing detection of true threats that were previously missed (False Negatives).
  • Provide evidence of optimizing resource consumption and execution time of detection rules (Performance).
  • Provide evidence of specific environment factors influencing customized rule tuning (Contextual Tuning).
  • Provide evidence of improvements made by modifying sensitivity by changing alert triggering thresholds (Threshold Adjustments).
  • Provide evidence of refining rules to better detect deviations from typical behavior (Behavioral Tuning).
  • Provide evidence of improvements of adjusting rules based on time-based patterns (Temporal Tuning).
  • Provide reasoning of adjusting priority or severity levels of alerts (Severity Tuning).
  • Provide evidence of improving quality integrity of our data used by detection rules (Data Quality).
  • Ensure the tuning includes necessary updates to the release documentation and versioning.

Rule Metadata Checks

  • updated_date matches the date of tuning PR merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive. Review to ensure the original intent of the rule is maintained.

Testing and Validation

  • Validate that the tuned rule's performance is satisfactory and does not negatively impact the stack.
  • Ensure that the tuned rule has a low false positive rate.

@imays11 imays11 changed the title [Rule Tunings] AWS Multiple API Calls rules [Rule Tunings] AWS Multiple API Calls ESQL rules Oct 21, 2025
terrancedejesus
terrancedejesus approved these changes Oct 22, 2025
View reviewed changes
rules/integrations/aws/discovery_multiple_discovery_api_calls_via_cli.toml
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: AWS EC2",
Copy link
Contributor

@terrancedejesus terrancedejesus Oct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we add Cloudtrail as a data source to be consistent?

Copy link
Contributor Author

@imays11 imays11 Oct 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mmm yea I should do that with all the AWS rules, it's something I'll look at doing later.

rules_building_block/discovery_ec2_multi_region_describe_instances.toml

[rule.investigation_fields]
field_names = [
"aws.cloudtrail.user_identity.arn",
Copy link
Contributor

@terrancedejesus terrancedejesus Oct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

May want to double check these. We do a keep and then stats which will table only by what we aggregate on so the alert doc may not have some of the original AWS fields.

Copy link
Contributor Author

@imays11 imays11 Oct 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oop nice catch I need to go back in and add these fields to the stats with VALUES()

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@terrancedejesus terrancedejesus terrancedejesus approved these changes

@Mikaayenson Mikaayenson Awaiting requested review from Mikaayenson

@Aegrah Aegrah Awaiting requested review from Aegrah

@shashank-elastic shashank-elastic Awaiting requested review from shashank-elastic

At least 2 approving reviews are required to merge this pull request.

Assignees

@imays11 imays11

Labels

backport: auto bbr Building Block Rules Domain: Cloud Integration: AWS AWS related rules Rule: Tuning tweaking or tuning an existing rule Team: TRADE

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@imays11 @terrancedejesus