From 4615b462be975c41aa2efdc60fff6b03107b4b51 Mon Sep 17 00:00:00 2001 From: Xavier G Pich <10544080+xavigpich@users.noreply.github.com> Date: Thu, 20 Oct 2022 19:29:08 +0200 Subject: [PATCH] [New Rule] AWS KMS CMK Disabled or Scheduled for Deletion (#2318) * [New Rule] AWS KMS CMK Disabled or Scheduled for Deletion * Fixed double double quotes Co-authored-by: Jonhnathan * Add min_stack metadata Co-authored-by: Jonhnathan * Update rule description as per suggestion Co-authored-by: Jonhnathan * Remove MITRE ATT&CK tactic Co-authored-by: Jonhnathan * Update rule_id Co-authored-by: Jonhnathan * Indent false positive section Co-authored-by: Jonhnathan * Keep ownership as per suggestion Co-authored-by: Jonhnathan * Update rule name Co-authored-by: Jonhnathan * Fix FPs section * Delete .dccache * Revert "Update rule name" This reverts commit 8611c926dfe312f897399343c19d2a37783ada71. * Revert "Fix FPs section" This reverts commit 14148392dadf9a7870be1b0b4dbacf311dbbb4af. * Update FPs section * Delete .dccache * Update rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml Co-authored-by: Jonhnathan Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---
 ...mk_disabled_or_scheduled_for_deletion.toml | 58 +++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
diff --git a/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml b/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
new file mode 100644
index 000000000..10ff682d4
--- /dev/null
+++ b/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
@@ -0,0 +1,58 @@
+[metadata]
+creation_date = "2022/09/21"
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/09/21"
+integration = "aws"
+
+[rule]
+author = ["Xavier Pich"]
+description = """
+Identifies attempts to disable or schedule the deletion of an AWS KMS Customer Managed Key (CMK). Deleting an AWS KMS
+key is destructive and potentially dangerous. It deletes the key material and all metadata associated with the KMS key
+and is irreversible. After a KMS key is deleted, the data that was encrypted under that KMS key can no longer be
+decrypted, which means that data becomes unrecoverable.
+"""
+false_positives = [
+ """
+ A KMS customer managed key may be disabled or scheduled for deletion by a system administrator. Verify whether the user identity, user agent,
+ and/or hostname should be making changes in your environment. Key deletions by unfamiliar users should be investigated. If known behavior is
+ causing false positives, it can be exempted from the rule.
+ """,
+]
+from = "now-60m"
+index = ["filebeat-*", "logs-aws*"]
+interval = "10m"
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion"
+note = """## Setup
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = [
+ "https://docs.aws.amazon.com/cli/latest/reference/kms/disable-key.html",
+ "https://docs.aws.amazon.com/cli/latest/reference/kms/schedule-key-deletion.html",
+]
+risk_score = 47
+rule_id = "6951f15e-533c-4a60-8014-a3c3ab851a1b"
+severity = "medium"
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "Impact"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.action:("DisableKey" or "ScheduleKeyDeletion") and event.outcome:success
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1485"
+name = "Data Destruction"
+reference = "https://attack.mitre.org/techniques/T1485/"
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
+
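Review bot: The `description` says the rule identifies "attempts" to disable or delete a CMK, but the `query` ends with `and event.outcome:success`, so denied DisableKey/ScheduleKeyDeletion calls — often the first sign of a compromised principal probing what it is allowed to do — never fire; either drop the outcome clause (accepting more noise) or change the description to "successful attempts" and consider a separate lower-severity rule for failed calls. The `note` only has a Setup section: per the referenced schedule-key-deletion docs, ScheduleKeyDeletion is not immediate — the key sits in a pending-deletion window during which `CancelKeyDeletion` restores it, and a key hit by DisableKey can be re-enabled with `EnableKey` — so a short triage paragraph stating this and pointing responders at the key ID and pending window in the event's CloudTrail request parameters would turn this alert into a recoverable incident rather than a post-mortem. In the `false_positives` text, "hostname" is not a meaningful pivot for an AWS API call; the caller's source IP address and identity ARN are, so "user identity, user agent, and/or source IP address" would read better.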