[New Rule] AWS KMS CMK Disabled or Scheduled for Deletion (#2318)

* [New Rule] AWS KMS CMK Disabled or Scheduled for Deletion * Fixed double double quotes Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Add min_stack metadata Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rule description as per suggestion Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Remove MITRE ATT&CK tactic Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rule_id Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Indent false positive section Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Keep ownership as per suggestion Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rule name Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Fix FPs section * Delete .dccache * Revert "Update rule name" This reverts commit 8611c926dfe312f897399343c19d2a37783ada71. * Revert "Fix FPs section" This reverts commit 14148392dadf9a7870be1b0b4dbacf311dbbb4af. * Update FPs section * Delete .dccache * Update rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-10-20 19:29:08 +02:00
parent 183b1ffdd3
commit 4615b462be
1 changed files with 58 additions and 0 deletions
@@ -0,0 +1,58 @@
+[metadata]
+creation_date = "2022/09/21"
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/09/21"
+integration = "aws"
+
+[rule]
+author = ["Xavier Pich"]
+description = """
+Identifies attempts to disable or schedule the deletion of an AWS KMS Customer Managed Key (CMK). Deleting an AWS KMS
+key is destructive and potentially dangerous. It deletes the key material and all metadata associated with the KMS key
+and is irreversible. After a KMS key is deleted, the data that was encrypted under that KMS key can no longer be
+decrypted, which means that data becomes unrecoverable.
+"""
+false_positives = [
+    """
+    A KMS customer managed key may be disabled or scheduled for deletion by a system administrator. Verify whether the user identity, user agent, 
+    and/or hostname should be making changes in your environment. Key deletions by unfamiliar users should be investigated. If known behavior is
+    causing false positives, it can be exempted from the rule.
+    """,
+]
+from = "now-60m"
+index = ["filebeat-*", "logs-aws*"]
+interval = "10m"
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion"
+note = """## Setup
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = [
+    "https://docs.aws.amazon.com/cli/latest/reference/kms/disable-key.html",
+    "https://docs.aws.amazon.com/cli/latest/reference/kms/schedule-key-deletion.html",
+]
+risk_score = 47
+rule_id = "6951f15e-533c-4a60-8014-a3c3ab851a1b"
+severity = "medium"
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "Impact"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.action:("DisableKey" or "ScheduleKeyDeletion") and event.outcome:success
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1485"
+name = "Data Destruction"
+reference = "https://attack.mitre.org/techniques/T1485/"
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
+