Rule tuning: AWS Attached Malicious Lambda Layer should be informational/low and renamed
#5235
Assignees
Labels
False-Positive
Issue reporting a false positive with one of the rules
Comments
nickatrecon
added
the
False-Positive
|
Welcome @nickatrecon 👋 It looks like this is your first issue on the Sigma rules repository! The following repository accepts issues related to If you're reporting an issue related to the pySigma library please consider submitting it here If you're reporting an issue related to the deprecated sigmac library please consider submitting it here Thanks for taking the time to open this issue, and welcome to the Sigma community! 😃 |
nickatrecon
changed the title
AWS Attached Malicious Lambda Layer should be informational and renamedAWS Attached Malicious Lambda Layer should be informational/low and renamed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Rule UUID
97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d
Example EventLog
N/A
Description
The rule alerts on calls to UpdateFunctionConfiguration, which does not imply maliciousness as the title suggests. This happens every time an authenticated user creates a new Lambda layer, which is a relatively common occurrence for developers in AWS. The rule lists this scenario as a false positive, but it is the significantly more common scenario than the perceived threat and results in significant noise during development. This rule should be named
AWS New Lambda Layer Attachedand the level be set toinformationalorlow.Based on my research this threat is limited to a proof of concept. This could be added as a reference.
The text was updated successfully, but these errors were encountered: