[Rule Tuning] Tuning AWS Rules for SAML Provider Updates and Assumed Roles via STS (#3898)

* tuning AWS rules for SAML provider updates and assumed roles via STS

* fixed mitre mapping

* adjusted new terms and added user ID to query

* reverting new terms value change

* adding non-ecs to new term checks

* fixing mitre mapping

* Update rules/integrations/aws/privilege_escalation_sts_temp_creds_via_assume_role.toml

* reverting file removal to add diff changes

* changeing rule contents

* reverting rule changes

* added rule contents

* changed file name

* linted

* reverting lint

detection_rules/etc/non-ecs-schema.json

@@ -149,7 +149,8 @@
   },
   "logs-aws.cloudtrail-*": {
     "aws.cloudtrail.flattened.request_parameters.cidrIp": "keyword",
-    "aws.cloudtrail.flattened.request_parameters.fromPort": "keyword"
+    "aws.cloudtrail.flattened.request_parameters.fromPort": "keyword",
+    "aws.cloudtrail.flattened.request_parameters.roleArn": "keyword"
   },
   "logs-azure.signinlogs-*": {
     "azure.signinlogs.properties.conditional_access_audiences.application_id": "keyword"

rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml

@@ -2,11 +2,11 @@
 creation_date = "2021/09/22"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/07/16"
 
 [rule]
-author = ["Austin Songer"]
-description = "Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target."
+author = ["Elastic", "Austin Songer"]
+description = "Identifies when a user has updated a SAML provider in AWS. SAML providers are used to enable federated access to the AWS Management Console. This activity could be an indication of an attacker attempting to escalate privileges."
 false_positives = [
     """
     SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or
@@ -14,64 +14,53 @@ false_positives = [
     investigated. If known behavior is causing false positives, it can be exempted from the rule.
     """,
 ]
-from = "now-25m"
+from = "now-9m"
 index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "AWS SAML Activity"
+name = "AWS IAM SAML Provider Updated"
 note = """## Setup
 
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html",
-    "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html",
 ]
-risk_score = 21
+risk_score = 47
 rule_id = "979729e7-0c52-4c4c-b71e-88103304a79f"
-severity = "low"
+severity = "medium"
 tags = [
     "Domain: Cloud",
     "Data Source: AWS",
     "Data Source: Amazon Web Services",
+    "Data Source: AWS IAM",
     "Use Case: Identity and Access Audit",
-    "Tactic: Defense Evasion",
+    "Tactic: Privilege Escalation",
 ]
 timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or
-UpdateSAMLProvider) and event.outcome:success
+event.dataset:aws.cloudtrail
+    and event.provider: iam.amazonaws.com
+    and event.action: UpdateSAMLProvider
+    and event.outcome:success
 '''
 
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1550"
-name = "Use Alternate Authentication Material"
-reference = "https://attack.mitre.org/techniques/T1550/"
+id = "T1484"
+name = "Domain or Tenant Policy Modification"
+reference = "https://attack.mitre.org/techniques/T1484/"
 [[rule.threat.technique.subtechnique]]
-id = "T1550.001"
-name = "Application Access Token"
-reference = "https://attack.mitre.org/techniques/T1550/001/"
+id = "T1484.002"
+name = "Trust Modification"
+reference = "https://attack.mitre.org/techniques/T1484/002/"
 
 
 
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
-
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
-
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"

rules/integrations/aws/privilege_escalation_sts_temp_creds_via_assume_role.toml

@@ -4,17 +4,25 @@ integration = ["aws"]
 maturity = "production"
 updated_date = "2024/07/23"
 
+
 [rule]
-author = ["Austin Songer"]
+author = ["Elastic", "Austin Songer"]
 description = """
-Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access
-AWS resources. An adversary could use those credentials to move laterally and escalate privileges.
+Identifies when a user has assumed a role in AWS Security Token Service (STS). Users can assume a role to obtain
+temporary credentials and access AWS resources. Adversaries can use this technique for credential access and privilege
+escalation.
 """
-false_positives = ["Automated processes that use Terraform may lead to false positives."]
+false_positives = [
+    "AWS administrators or automated processes might regularly assume roles for legitimate administrative purposes.",
+    "Applications integrated with AWS might assume roles to access AWS resources.",
+    """
+    Automated workflows might assume roles to perform periodic tasks such as data backups, updates, or deployments.
+    """,
+]
 index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "AWS Security Token Service (STS) AssumeRole Usage"
+name = "AWS STS Temporary Credentials via AssumeRole"
 note = """## Setup
 
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
@@ -31,11 +39,14 @@ tags = [
     "Tactic: Privilege Escalation",
 ]
 timestamp_override = "event.ingested"
-type = "query"
+type = "new_terms"
 
 query = '''
-event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumeRole and
-aws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success
+event.dataset:aws.cloudtrail
+    and event.provider:sts.amazonaws.com
+    and event.action:AssumeRole*
+    and event.outcome:success
+    and user.id:*
 '''
 
 
@@ -69,3 +80,11 @@ id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
 
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["user.id", "aws.cloudtrail.flattened.request_parameters.roleArn"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-10d"
+
+

tests/test_specific_rules.py

@@ -17,6 +17,7 @@ from detection_rules.integrations import (
     load_integrations_manifests,
     load_integrations_schemas,
 )
+from detection_rules import ecs
 from detection_rules.config import load_current_package_version
 from detection_rules.packaging import current_stack_version
 from detection_rules.rule import QueryValidator
@@ -123,6 +124,8 @@ class TestNewTerms(BaseRuleTest):
                 # checks if new terms field(s) are in ecs, beats non-ecs or integration schemas
                 queryvalidator = QueryValidator(rule.contents.data.query)
                 _, _, schema = queryvalidator.get_beats_schema([], beats_version, ecs_version)
+                for index_name in rule.contents.data.index:
+                    schema.update(**ecs.flatten(ecs.get_index_schema(index_name)))
                 integration_manifests = load_integrations_manifests()
                 integration_schemas = load_integrations_schemas()
                 integration_tags = meta.get("integration")