From 8816cb3345bc154567cbe19f0c4965fc06716127 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 24 Jul 2021 09:23:25 -0500
Subject: [PATCH 1/3] Create aws_elasticache_security_group_modified_or_deleted.yml
---
 ...che_security_group_modified_or_deleted.yml | 32 +++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 rules/cloud/aws_elasticache_security_group_modified_or_deleted.yml
diff --git a/rules/cloud/aws_elasticache_security_group_modified_or_deleted.yml b/rules/cloud/aws_elasticache_security_group_modified_or_deleted.yml
new file mode 100644
index 000000000..80f9578b9
--- /dev/null
+++ b/rules/cloud/aws_elasticache_security_group_modified_or_deleted.yml
@@ -0,0 +1,32 @@
+title: AWS ElastiCache Security Group Modified or Deleted
+id: 7c797da2-9cf2-4523-ba64-33b06339f0cc
+description: Identifies when an ElastiCache security group has been modified or deleted.
+author: Austin Songer
+status: experimental
+date: 2021/07/24
+references:
+ - https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml
+logsource:
+ service: cloudtrail
+detection:
+ selection_source:
+ - eventSource: elasticache.amazonaws.com
+ selection_eventname1:
+ - eventName: "Delete Cache Security Group"
+ selection_eventname2:
+ - eventName: "Authorize Cache Security Group Ingress"
+ selection_eventname3:
+ - eventName: "Revoke Cache Security Group Ingress"
+ selection_eventname4:
+ - eventName: "AuthorizeCacheSecurityGroupEgress"
+ selection_eventname5:
+ - eventName: "RevokeCacheSecurityGroupEgress"
+ condition: selection_source and selection_eventname1 or selection_eventname2 or selection_eventname3 or selection_eventname4 or selection_eventname5
+level: low
+tags:
+ - attack.impact
+ - attack.t1531
+falsepositives:
+- A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+
+
From 55a2af475be01eaf039306bb9bdf4489a271eaae Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 24 Jul 2021 09:35:05 -0500
Subject: [PATCH 2/3] Update aws_elasticache_security_group_modified_or_deleted.yml
---
 .../aws_elasticache_security_group_modified_or_deleted.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
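Review bot: The three quoted values in `selection_eventname1` through `selection_eventname3` contain spaces and will never match CloudTrail records, where `eventName` is the API operation name; they should be `DeleteCacheSecurityGroup`, `AuthorizeCacheSecurityGroupIngress` and `RevokeCacheSecurityGroupIngress`. The `condition` is also mis-grouped: `and` binds tighter than `or` in Sigma, so `selection_source and selection_eventname1 or selection_eventname2 ...` restricts only the first event name to `elasticache.amazonaws.com` and lets the others fire for any event source; `selection_source and (selection_eventname1 or selection_eventname2 or selection_eventname3 or selection_eventname4 or selection_eventname5)` is the intended form (PATCH 3/3 of this series collapses the selections and resolves that grouping, but not the spaced names). The `falsepositives` text should also read "An ElastiCache security group ...", and its list item is indented differently from the `references` and `tags` lists.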
diff --git a/rules/cloud/aws_elasticache_security_group_modified_or_deleted.yml b/rules/cloud/aws_elasticache_security_group_modified_or_deleted.yml
index 80f9578b9..eab2a71ab 100644
--- a/rules/cloud/aws_elasticache_security_group_modified_or_deleted.yml
+++ b/rules/cloud/aws_elasticache_security_group_modified_or_deleted.yml
@@ -16,11 +16,11 @@ detection:
 selection_eventname2:
 - eventName: "Authorize Cache Security Group Ingress"
 selection_eventname3:
- - eventName: "Revoke Cache Security Group Ingress"
+ - eventName: "Revoke Cache Security Group Ingress"
 selection_eventname4:
- - eventName: "AuthorizeCacheSecurityGroupEgress"
+ - eventName: "AuthorizeCacheSecurityGroupEgress"
 selection_eventname5:
- - eventName: "RevokeCacheSecurityGroupEgress"
+ - eventName: "RevokeCacheSecurityGroupEgress"
 condition: selection_source and selection_eventname1 or selection_eventname2 or selection_eventname3 or selection_eventname4 or selection_eventname5
 level: low
 tags:
From 5818a0debe99f8c3f7fe1f2ab54e326dc3c5d4f2 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Tue, 27 Jul 2021 17:14:28 -0500
Subject: [PATCH 3/3] Update aws_elasticache_security_group_modified_or_deleted.yml
---
 ...che_security_group_modified_or_deleted.yml | 22 ++++++++-----------
 1 file changed, 9 insertions(+), 13 deletions(-)
diff --git a/rules/cloud/aws_elasticache_security_group_modified_or_deleted.yml b/rules/cloud/aws_elasticache_security_group_modified_or_deleted.yml
index eab2a71ab..26e325271 100644
--- a/rules/cloud/aws_elasticache_security_group_modified_or_deleted.yml
+++ b/rules/cloud/aws_elasticache_security_group_modified_or_deleted.yml
@@ -9,19 +9,15 @@ references:
 logsource:
 service: cloudtrail
 detection:
- selection_source:
- - eventSource: elasticache.amazonaws.com
- selection_eventname1:
- - eventName: "Delete Cache Security Group"
- selection_eventname2:
- - eventName: "Authorize Cache Security Group Ingress"
- selection_eventname3:
- - eventName: "Revoke Cache Security Group Ingress"
- selection_eventname4:
- - eventName: "AuthorizeCacheSecurityGroupEgress"
- selection_eventname5:
- - eventName: "RevokeCacheSecurityGroupEgress"
- condition: selection_source and selection_eventname1 or selection_eventname2 or selection_eventname3 or selection_eventname4 or selection_eventname5
+ selection:
+ eventSource: elasticache.amazonaws.com
+ eventName:
+ - "Delete Cache Security Group"
+ - "Authorize Cache Security Group Ingress"
+ - "Revoke Cache Security Group Ingress"
+ - "AuthorizeCacheSecurityGroupEgress"
+ - "RevokeCacheSecurityGroupEgress"
+ condition: selection
 level: low
 tags:
 - attack.impact
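Review bot: The single `selection` now applies `eventSource` to every event name, but the first three `eventName` entries still carry spaces and therefore cannot match CloudTrail, where `eventName` is the API operation name; they should be `- DeleteCacheSecurityGroup`, `- AuthorizeCacheSecurityGroupIngress` and `- RevokeCacheSecurityGroupIngress`. I am not aware of `AuthorizeCacheSecurityGroupEgress` or `RevokeCacheSecurityGroupEgress` in the ElastiCache API, so those two should be checked against the API reference and dropped if they do not exist, since dead values only give a false sense of coverage. Per AWS documentation, cache security groups only apply to clusters running outside a VPC; VPC-based clusters are protected by EC2 security groups whose changes arrive under `eventSource: ec2.amazonaws.com` and are not covered here, which is worth stating in `description`. As the detection logic changed after the initial `date`, a `modified: 2021/07/27` field would also be expected by the rule conventions.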