[New Rule] AWS Route Table Modified or Deleted (#1258)

* Update impact_iam_deactivate_mfa_device.toml

https://github.com/elastic/detection-rules/issues/1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create persistence_route_table_modified_or_deleted.toml

* Update persistence_route_table_modified_or_deleted.toml

* Update persistence_route_table_modified_or_deleted.toml

* Update

* Update .gitignore

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update persistence_route_table_modified_or_deleted.toml

* Update persistence_route_table_modified_or_deleted.toml

* Update persistence_route_table_modified_or_deleted.toml

* remove space from query

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 82e72a956b)

rules/integrations/aws/persistence_route_table_modified_or_deleted.toml

@@ -0,0 +1,54 @@
+[metadata]
+creation_date = "2021/06/05"
+maturity = "production"
+updated_date = "2021/10/05"
+integration = "aws"
+
+[rule]
+author = ["Elastic", "Austin Songer"]
+description = "Identifies when an AWS Route Table has been modified or deleted."
+false_positives = [
+    """
+    Route Table could be modified or deleted by a system administrator. Verify whether the user identity, 
+    user agent, and/or hostname should be making changes in your environment. Route Table being modified
+    from unfamiliar users should be investigated. If known behavior is causing false positives, it can be 
+    exempted from the rule.  Also automated processes that uses Terraform may lead to false positives.
+    """,
+]
+from = "now-60m"
+index = ["filebeat-*", "logs-aws*"]
+interval = "10m"
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS Route Table Modified or Deleted"
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = [
+    "https://github.com/easttimor/aws-incident-response#network-routing",
+    "https://docs.datadoghq.com/security_platform/default_rules/cloudtrail-aws-route-table-modified",
+    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html",
+    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation",
+    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html",
+    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html",
+    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html",
+]
+risk_score = 21
+rule_id = "e7cd5982-17c8-4959-874c-633acde7d426"
+severity = "low"
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Network Security"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or
+DeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:success
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+reference = "https://attack.mitre.org/tactics/TA0003/"
+name = "Persistence"
+id = "TA0003"