Update AWS CloudTrail rules

aws_elasticache_security_group_created.yml
aws_elasticache_security_group_modified_or_deleted.yml
Removed spaces from eventNames

aws_s3_data_management_tampering.yml
Fix typo in title, use s3 as eventSource

aws_snapshot_backup_exfiltration.yml
Use ec2 as eventSource
Rachel Rice
2021-08-19 14:24:43 +01:00
parent 08324a5a56
commit 67020bb0ff
4 changed files with 11 additions and 8 deletions
@@ -4,6 +4,7 @@ description: Detects when an ElastiCache security group has been created.
author: Austin Songer
status: experimental
date: 2021/07/24
modified: 2021/08/19
references:
- https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml
logsource:
@@ -11,7 +12,7 @@ logsource:
detection:
selection:
eventSource: elasticache.amazonaws.com
eventName: "Create Cache Security Group"
eventName: "CreateCacheSecurityGroup"
condition: selection
level: low
tags:
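Review bot: The corrected `eventName: "CreateCacheSecurityGroup"` is quoted while the other rules touched by this commit write plain scalars (`eventName: ModifySnapshotAttribute`, `- PutBucketLogging`); the value has no YAML specials, so `eventName: CreateCacheSecurityGroup` would keep the four files consistent. Separately, cache security groups are, as far as I recall, only used by ElastiCache clusters outside a VPC, where EC2 security groups are not available — if that is right, a short note in the description or falsepositives would tell analysts that this rule is expected to stay silent in VPC-only accounts; worth confirming against the ElastiCache documentation before adding it. The `detection` block ends inside this hunk but the rule's `tags` and `falsepositives` sections continue outside it.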
@@ -4,6 +4,7 @@ description: Identifies when an ElastiCache security group has been modified or
author: Austin Songer
status: experimental
date: 2021/07/24
modified: 2021/08/19
references:
- https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml
logsource:
@@ -12,9 +13,9 @@ detection:
selection:
eventSource: elasticache.amazonaws.com
eventName:
- "Delete Cache Security Group"
- "Authorize Cache Security Group Ingress"
- "Revoke Cache Security Group Ingress"
- "DeleteCacheSecurityGroup"
- "AuthorizeCacheSecurityGroupIngress"
- "RevokeCacheSecurityGroupIngress"
- "AuthorizeCacheSecurityGroupEgress"
- "RevokeCacheSecurityGroupEgress"
condition: selection
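Review bot: The two entries the commit leaves in place, `- "AuthorizeCacheSecurityGroupEgress"` and `- "RevokeCacheSecurityGroupEgress"`, do not correspond to ElastiCache API operations as far as I can tell — the API reference lists only the `...Ingress` pair — so they would never match a CloudTrail record and should be removed, or kept only if a real event with that name can be pointed to. The same spaceless-name fix applies to the created-group rule in this commit and is handled there. The new names use quotes while the other rules in the commit use plain scalars; `- DeleteCacheSecurityGroup` is equivalent and consistent. The `detection` block continues past this hunk.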
@@ -1,9 +1,10 @@
title: AWS S3 Data Management Tamperin
title: AWS S3 Data Management Tampering
id: 78b3756a-7804-4ef7-8555-7b9024a02e2d
description: Detects when a user tampers with S3 data management in Amazon Web Services.
author: Austin Songer
status: experimental
date: 2021/07/24
modified: 2021/08/19
references:
- https://github.com/elastic/detection-rules/pull/1145/files
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html
@@ -16,7 +17,7 @@ logsource:
service: cloudtrail
detection:
selection:
eventSource: iam.amazonaws.com
eventSource: s3.amazonaws.com
eventName:
- PutBucketLogging
- PutBucketWebsite
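Review bot: The reference `- https://github.com/elastic/detection-rules/pull/1145/files` points at a pull request rather than a fixed revision, so it can change or disappear after merge; the other two ElastiCache rules in this commit pin their Elastic references to a commit SHA, and this one should do the same. The `eventSource: s3.amazonaws.com` correction is the right source for bucket-configuration events. The `eventName` list and the `condition` line continue outside this hunk, so whether the selection is narrowed further cannot be judged here.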
@@ -4,7 +4,7 @@ status: test
description: Detects the modification of an EC2 snapshot's permissions to enable access from another account
author: Darin Smith
date: 2021/05/17
modified: 2021/08/09
modified: 2021/08/19
references:
- https://www.justice.gov/file/1080281/download
- https://attack.mitre.org/techniques/T1537/
@@ -12,7 +12,7 @@ logsource:
service: cloudtrail
detection:
selection_source:
eventSource: cloudtrail.amazonaws.com
eventSource: ec2.amazonaws.com
eventName: ModifySnapshotAttribute
condition: selection_source
falsepositives:
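Review bot: The description on line `description: Detects the modification of an EC2 snapshot's permissions to enable access from another account` promises more than `selection_source` checks: `eventName: ModifySnapshotAttribute` under `eventSource: ec2.amazonaws.com` also matches calls that remove a permission or change an attribute other than createVolumePermission, so the rule will fire on cleanup as well as on sharing. A second selection on the request's createVolumePermission add entries (the exact CloudTrail field path should be confirmed against a sample event) would make the detection match its description; until then, the description should say it matches any snapshot-attribute modification. The `falsepositives` section that follows is outside the hunk.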