34 changes: 26 additions & 8 deletions rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml
Expand Up @@ -2,12 +2,12 @@
creation_date = "2025/04/15"
integration = ["aws"]
maturity = "production"
updated_date = "2025/09/25"
updated_date = "2025/10/28"

[rule]
author = ["Elastic"]
description = """
This rule detects when a JavaScript file is uploaded or accessed in an S3 static site directory (`static/js/`) by an IAM
This rule detects when a JavaScript file is uploaded in an S3 static site directory (`static/js/`) by an IAM
user or assumed role. This can indicate suspicious modification of web content hosted on S3, such as injecting malicious
scripts into a static website frontend.
"""
Expand All @@ -17,7 +17,7 @@ false_positives = [
Verify the user agent, source IP, and whether the modification was expected.
""",
]
from = "now-9m"
from = "now-6m"
language = "esql"
license = "Elastic License v2"
name = "AWS S3 Static Site JavaScript File Uploaded"
Expand Down Expand Up @@ -73,10 +73,11 @@ query = '''
from logs-aws.cloudtrail* metadata _id, _version, _index

| where
// S3 object read/write activity
// S3 object write activity
event.dataset == "aws.cloudtrail"
and event.provider == "s3.amazonaws.com"
and event.action in ("GetObject", "PutObject")
and event.action == "PutObject"
and event.outcome == "success"

// IAM users or assumed roles only
and aws.cloudtrail.user_identity.type in ("IAMUser", "AssumedRole")
Expand All @@ -88,7 +89,7 @@ from logs-aws.cloudtrail* metadata _id, _version, _index
and not (
user_agent.original like "*Terraform*"
or user_agent.original like "*Ansible*"
or user_agent.original like "*Pulumni*"
or user_agent.original like "*Pulumi*"
)

// Extract fields from request parameters
Expand Down Expand Up @@ -127,10 +128,27 @@ id = "T1565.001"
name = "Stored Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1565/001/"



[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"

[rule.investigation_fields]
field_names = [
"@timestamp",
"user.name",
"user_agent.original",
"source.ip",
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"aws.cloudtrail.resources.arn",
"aws.cloudtrail.resources.type",
"event.action",
"event.outcome",
"cloud.account.id",
"cloud.region",
"aws.cloudtrail.request_parameters",
"aws.cloudtrail.response_elements"
]
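Review bot: Narrowing the filter to `event.action == "PutObject"` leaves out other CloudTrail S3 write events that can place an object under the same prefix, notably `CopyObject` and `CompleteMultipartUpload` (SDK uploads above the multipart threshold can be logged as multipart operations rather than a single PutObject); if that is intended, a comment above the filter saying so would help, otherwise consider `and event.action in ("PutObject", "CopyObject", "CompleteMultipartUpload")`. The `user_agent.original` exclusions a few lines below match a client-supplied header, so they reduce noise from known provisioning tooling rather than provide assurance; a short comment such as `// User-agent values are self-reported; exclusions are for noise reduction only` would keep that caveat visible next to the corrected `*Pulumi*` pattern. The ES|QL query continues outside the hunk (the `static/js/` key filter is not shown here), so this assumes the prefix filter applies regardless of the action value.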
