security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] AWS Redshift Cluster Creation (#1921)

Browse Source 
* Add rule for Redshift data warehouse creation.

* Add fp block.

* Add AWS integration metadata.

* Add timestamp override.

* Add note.

* Update rules/integrations/aws/persistence_redshift_instance_creation.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/persistence_redshift_instance_creation.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update description for redshift instance creation.

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
This commit is contained in:
Pete Hampton
2022-04-28 19:43:26 +01:00
committed by GitHub
parent f050b0ce0c
commit 34655374c1
1 changed files with 50 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/integrations/aws/persistence_redshift_instance_creation.toml
+50
View File
@@ -0,0 +1,50 @@
[metadata]
creation_date = "2022/04/12"
maturity = "production"
updated_date = "2022/04/12"
integration = "aws"
[rule]
author = ["Elastic"]
description = """
Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user
may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured
and could introduce security vulnerabilities.
"""
false_positives = [
"""
Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent,
and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts
should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-60m"
index = ["filebeat-*", "logs-aws*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS Redshift Cluster Creation"
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.aws.amazon.com/redshift/latest/APIReference/API_CreateCluster.html"]
risk_score = 21
rule_id = "015cca13-8832-49ac-a01b-a396114809f6"
severity = "low"
timestamp_override = "event.ingested"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility"]
type = "query"
query = '''
event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event.action:CreateCluster and event.outcome:success
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"