LoFP
rules_building_block rule

| Title | Tags |
| --- | --- |
| Administrators may use EC2 instances to interact with IAM services as part of an automation workflow. Ensure the validity of the triggered event and include exceptions where necessary. | t1078, t1098, rules_building_block, elastic |
| If the domains listed in this rule are used as part of an authorized workflow, this rule will be triggered by those events. Validate that this is expected activity and tune the rule to fit your environment. | t1016, t1614, rules_building_block, elastic |
| Legitimate changes to Lambda functions can trigger this signal. Ensure that the changes are authorized and align with your organization's policies. | t1648, rules_building_block, elastic |
| Legitimate manual or automated snapshots created for backups can trigger this rule. Ensure that the snapshots are authorized and align with your organization's policies. | t1578, rules_building_block, elastic |
| Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username. | t1082, linux, rules_building_block, elastic |
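The last row says the kernel-module enumeration rule is tuned by exempting known process names or usernames. The following is an added example of what that tuning looks like when expressed as code, not code from the LoFP page or from Elastic's rule set. It assumes ECS-style event documents (`process.name`, `process.parent.name`, `user.name`, `process.args`), an assumed list of enumeration programs (`lsmod`, `modinfo`, `kmod`, `depmod`), and constructed exception entries (an EDR agent parent process and a scanner service account); the sample events are constructed, not real telemetry.

```python
"""Tuning a kernel-module enumeration rule with process-name / username exceptions.

Added example; not part of the LoFP page or Elastic's rules. Event shapes follow
ECS field names as an assumption. Program list, exceptions and events are constructed.
"""
from dataclasses import dataclass

# Assumption: programs treated as "kernel module enumeration" by the base rule.
KERNEL_MODULE_ENUM_PROGRAMS = {"lsmod", "modinfo", "kmod", "depmod"}


@dataclass(frozen=True)
class RuleException:
    """One tuning entry: events whose `field` equals `value` are suppressed."""
    field: str    # dotted ECS path, e.g. "process.parent.name" or "user.name"
    value: str
    reason: str   # why the exception exists; keeps tuning reviewable


# Constructed exceptions: an EDR agent (by parent process) and a scanner account (by user).
DEFAULT_EXCEPTIONS = (
    RuleException("process.parent.name", "falcon-sensor", "constructed: EDR agent inventories modules"),
    RuleException("user.name", "svc-vulnscan", "constructed: vulnerability scanner service account"),
)


def _get(event: dict, path: str):
    """Resolve a dotted path ("process.parent.name") against a nested dict; None if absent."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(event: dict) -> bool:
    """Base detection: a process-start event for one of the enumeration programs.

    `kmod` is a multiplexer; only its `list` subcommand enumerates modules, so other
    invocations (e.g. `kmod static-nodes` at boot) are not counted as a match.
    """
    if _get(event, "event.type") != "start":
        return False
    name = _get(event, "process.name")
    args = _get(event, "process.args") or []
    if name == "kmod":
        return "list" in args
    return name in KERNEL_MODULE_ENUM_PROGRAMS


def exempted(event: dict, exceptions=DEFAULT_EXCEPTIONS):
    """Return the first matching exception, or None if the event should alert."""
    for exc in exceptions:
        if _get(event, exc.field) == exc.value:
            return exc
    return None


def evaluate(events, exceptions=DEFAULT_EXCEPTIONS) -> dict:
    """Run the rule plus exceptions over events; split matches into alerts and suppressed."""
    out = {"alerts": [], "suppressed": []}
    for ev in events:
        if not matches_rule(ev):
            continue
        hit = {"user": _get(ev, "user.name"), "process": _get(ev, "process.name")}
        exc = exempted(ev, exceptions)
        if exc is not None:
            hit["exception"] = f"{exc.field}={exc.value} ({exc.reason})"
            out["suppressed"].append(hit)
        else:
            out["alerts"].append(hit)
    return out


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event": {"type": "start"}, "user": {"name": "bob"},
     "process": {"name": "lsmod", "args": ["lsmod"], "parent": {"name": "bash"}}},
    {"event": {"type": "start"}, "user": {"name": "root"},
     "process": {"name": "lsmod", "args": ["lsmod"], "parent": {"name": "falcon-sensor"}}},
    {"event": {"type": "start"}, "user": {"name": "svc-vulnscan"},
     "process": {"name": "modinfo", "args": ["modinfo", "nf_tables"], "parent": {"name": "openvas"}}},
    {"event": {"type": "start"}, "user": {"name": "root"},
     "process": {"name": "kmod", "args": ["kmod", "static-nodes"], "parent": {"name": "systemd"}}},
    {"event": {"type": "start"}, "user": {"name": "alice"},
     "process": {"name": "kmod", "args": ["kmod", "list"], "parent": {"name": "sh"}}},
]

if __name__ == "__main__":
    result = evaluate(SAMPLE_EVENTS)
    for hit in result["alerts"]:
        print("ALERT     ", hit)
    for hit in result["suppressed"]:
        print("SUPPRESSED", hit)
```

Exceptions are keyed on a single field each so that a reviewer can see exactly why a match was dropped; matching on the parent process rather than the enumeration program itself keeps an attacker from bypassing the rule simply by naming their tool `lsmod`.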