forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathpersistence_ec2_security_group_configuration_change_detection.toml
76 lines (66 loc) · 2.43 KB
/
persistence_ec2_security_group_configuration_change_detection.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
[metadata]
creation_date = "2021/05/05"
integration = ["aws"]
maturity = "production"
updated_date = "2024/05/21"
[rule]
author = ["Elastic", "Austin Songer"]
description = """
Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying
configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or
pivot in an AWS environment.
"""
false_positives = [
"""
A security group may be created by a system or network administrator. Verify whether the user identity, user agent,
and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts
should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-30m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS Security Group Configuration Change Detection"
note = """## Setup
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html"]
risk_score = 21
rule_id = "29052c19-ff3e-42fd-8363-7be14d7c5469"
severity = "low"
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS EC2",
"Use Case: Network Security Monitoring",
"Tactic: Persistence",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or
CreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or
RevokeSecurityGroupIngress) and event.outcome:success
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.007"
name = "Disable or Modify Cloud Firewall"
reference = "https://attack.mitre.org/techniques/T1562/007/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"