Support for monitoring VPC Flow Logs, S3 Access Logs, and AWS Config?

[samuelebstein]

Hello everyone,

I’m exploring alternatives to AWS GuardDuty due to its cost and am considering using Sigma rules instead. I’ve noticed that the rules in the cloud/aws directory focus on CloudTrail logs.

Are there existing Sigma rules I missed or didn't find for monitoring VPC Flow Logs, S3 Access Logs, and AWS Config? More specifically, I’m curious if there are any rules that help address the following:

1.	VPC Flow Logs:
•	Port Scanning: Enable VPC Flow Logs to capture IP traffic information and analyze these logs for port scanning activities.
•	Compromised Instances: Monitor outbound traffic from instances and set alarms for unusual traffic patterns and communication with known malicious IPs.
•	Unexpected Traffic: Analyze VPC Flow Logs for unexpected network traffic patterns.
•	Suspicious DNS Requests: Monitor DNS request patterns and create alarms for requests to known malicious domains.
•	Malware Communication: Monitor for communication with known malware servers and set alarms based on threat intelligence feeds.
2.	S3 Access Logs:
•	Suspicious Data Access: Enable server access logging on S3 buckets.
•	Unusual Data Transfers: Monitor for large or unusual data transfers.
•	Ransomware: Monitor for unusual patterns of S3 object deletions or modifications.
3.	AWS Config:
•	Public Access to Resources: Use AWS Config rules to detect publicly accessible resources.

Thank you!

[nasbench]

Hi and thanks for opening this discussion.

Unfortunately the rules you found in the AWS folder are currently the only ones for AWS.

As with all rules in this repo, they were contributed by the community. So apart the case where someone contributes rules for similar cases you mentioned there will be no additional rules regarding that for the moment.