From ed507b82f42f5f41c52ec90e2594ea25af4cb8fb Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 16 Aug 2021 09:58:48 -0500
Subject: [PATCH] Update and rename aws_eks_cluster_modified_or_deleted.yml to aws_eks_cluster_created_or_deleted.yml

---
 .../aws_eks_cluster_created_or_deleted.yml | 25 +++++++++++++++++++
 .../aws_eks_cluster_modified_or_deleted.yml |  1 -
 2 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml
 delete mode 100644 rules/cloud/aws/aws_eks_cluster_modified_or_deleted.yml

diff --git a/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml b/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml
new file mode 100644
index 000000000..1c07e6bb5
--- /dev/null
+++ b/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml
@@ -0,0 +1,25 @@
+
+title: AWS EKS Cluster Created or Deleted
+id: 33d50d03-20ec-4b74-a74e-1e65a38af1c0
+description: Identifies when an EKS cluster is created or deleted.
+author: Austin Songer
+status: experimental
+date: 2021/08/16
+references:
+    - https://any-api.com/amazonaws_com/eks/docs/API_Description
+logsource:
+    service: cloudtrail
+detection:
+    selection:
+        eventSource: eks.amazonaws.com
+        eventName:
+            - CreateCluster
+            - DeleteCluster
+    condition: selection
+level: low
+tags:
+    - attack.
+falsepositives:
+    - EKS Cluster being created or deleted may be performed by a system administrator.
+    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+    - EKS Cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
diff --git a/rules/cloud/aws/aws_eks_cluster_modified_or_deleted.yml b/rules/cloud/aws/aws_eks_cluster_modified_or_deleted.yml
deleted file mode 100644
index 8b1378917..000000000
--- a/rules/cloud/aws/aws_eks_cluster_modified_or_deleted.yml
+++ /dev/null
@@ -1 +0,0 @@
-
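Review bot: The `tags` list in the new rule holds the truncated value `attack.` with nothing after the dot, so it names no ATT&CK tactic or technique and will most likely be rejected by the repository's tag-format checks; complete it (for the DeleteCluster case `- attack.impact` fits) or leave `tags` out until a technique is chosen. The hunk also starts with an empty `+` line before `title:`, which should be dropped. The second and third `falsepositives` entries are analyst instructions rather than benign sources of the event; keeping only the first bullet there and moving the guidance into `description` would match how the field is normally used. Given that `DeleteCluster` destroys a whole control plane, `level: low` is worth reconsidering, though that is a judgement call the hunk does not settle.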