From 4ba7f3346caea36557749e27237ddcd0f57039e0 Mon Sep 17 00:00:00 2001
From: Ariel Ropek
Date: Mon, 26 Aug 2024 13:27:45 -0600
Subject: [PATCH] Convert to Signals
---
 rules/aws_cloudtrail_rules/aws_cloudtrail_account_discovery.yml | 1 +
 rules/aws_cloudtrail_rules/aws_unauthorized_api_call.yml | 1 +
 rules/aws_eks_rules/system_namespace_public_ip.yml | 1 +
 3 files changed, 3 insertions(+)
diff --git a/rules/aws_cloudtrail_rules/aws_cloudtrail_account_discovery.yml b/rules/aws_cloudtrail_rules/aws_cloudtrail_account_discovery.yml
index e07eb2e37..307ed2d85 100644
--- a/rules/aws_cloudtrail_rules/aws_cloudtrail_account_discovery.yml
+++ b/rules/aws_cloudtrail_rules/aws_cloudtrail_account_discovery.yml
@@ -8,6 +8,7 @@ Reports:
 MITRE ATT&CK:
 - TA0007:T1087
 Severity: Info
+CreateAlert: false
 Tests:
 - ExpectedResult: true
 Log:
diff --git a/rules/aws_cloudtrail_rules/aws_unauthorized_api_call.yml b/rules/aws_cloudtrail_rules/aws_unauthorized_api_call.yml
index c15c24275..148f40afa 100644
--- a/rules/aws_cloudtrail_rules/aws_unauthorized_api_call.yml
+++ b/rules/aws_cloudtrail_rules/aws_unauthorized_api_call.yml
@@ -15,6 +15,7 @@ Reports:
 MITRE ATT&CK:
 - TA0007:T1526
 Severity: Info
+CreateAlert: false
 Description: An unauthorized AWS API call was made
 Runbook: https://docs.runpanther.io/alert-runbooks/built-in-rules/aws-unauthorized-api-call
 Reference: https://amzn.to/3aOukaA
diff --git a/rules/aws_eks_rules/system_namespace_public_ip.yml b/rules/aws_eks_rules/system_namespace_public_ip.yml
index 75c0b9335..48bba3dc9 100644
--- a/rules/aws_eks_rules/system_namespace_public_ip.yml
+++ b/rules/aws_eks_rules/system_namespace_public_ip.yml
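Review bot: Nothing in this hunk or the commit records which correlation or scheduled rule is expected to consume the account-discovery (T1087) signal once `CreateAlert: false` turns off its own alert, so a later maintainer cannot tell whether the resulting silence is intended or a coverage gap. Please document the consumer inline next to the new key, e.g. `CreateAlert: false  # signal only: consumed by the T1087 correlation rule(s); no standalone alert`, naming the actual rule if one exists, or stating that the signal is retained for hunting only. The rule itself still matches, so the existing `Tests:` entry with `ExpectedResult: true` stays valid and needs no change.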
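Review bot: Demoting this rule to a signal leaves `Runbook: https://docs.runpanther.io/alert-runbooks/built-in-rules/aws-unauthorized-api-call` pointing at an alert runbook for a rule that will no longer produce an alert, and bursts of unauthorized AWS API calls are a common early indicator of stolen or over-probed credentials, so the reviewer should confirm that a correlation or threshold rule now consumes these signals before this merges. If that consumer exists, record it beside the new key, e.g. `CreateAlert: false  # signal only: fed into the unauthorized-API-call correlation rule (threshold per principal/window)`; if it does not, this change is a silent loss of detection coverage rather than a conversion. Whether the runbook link should be kept, retargeted, or dropped depends on how the downstream rule surfaces these signals, which is not visible here.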
@@ -12,6 +12,7 @@ Reports: - "TA0027:T1475" # Tactic ID:Technique ID (https://attack.mitre.org/tactics/enterprise/) Reference: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html Severity: Info +CreateAlert: false Description: > This detection identifies if an activity is recorded in the Kubernetes audit log where the user:username attribute begins with "system:" or "eks:" and the requests originating
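Review bot: The `Description` in this hunk says the rule fires when a `system:` or `eks:` identity acts on the cluster from a source the rule considers public, which is the kind of event an analyst would normally want surfaced, yet the commit gives no rationale (false-positive rate, known NAT/control-plane sources, or a replacement correlation rule) for turning off its alert with `CreateAlert: false`. Document that rationale inline so the signal is neither re-enabled nor ignored blindly, e.g. `CreateAlert: false  # signal only; see <consuming rule> — alerting disabled because <reason>`, filling in the real consumer and reason. The `Description` block appears to continue past the end of this hunk, so its full matching criteria cannot be confirmed from here.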