[New Rule] AWS EC2 VM Export Failure (#1142)
* New Rule: AWS EC2 VM Export Failure
* Update exfiltration_ec2_vm_export_failure.toml
* Update exfiltration_ec2_vm_export_failure.toml
* Update exfiltration_ec2_vm_export_failure.toml
* Update exfiltration_ec2_vm_export_failure.toml
* Update exfiltration_ec2_vm_export_failure.toml
* Update exfiltration_ec2_vm_export_failure.toml
* Update exfiltration_ec2_vm_export_failure.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
(cherry picked from commit 6b45186827)
This commit is contained in:
Austin Songer
committed by
github-actions[bot]
github-actions[bot]
parent
1eb36b1a9e
commit
5d41f2719a
@@ -0,0 +1,62 @@
|
||||
[metadata]
|
||||
creation_date = "2021/04/22"
|
||||
maturity = "production"
|
||||
updated_date = "2021/04/22"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic", "Austin Songer"]
|
||||
description = """
|
||||
Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information.
|
||||
"""
|
||||
false_positives = [
|
||||
"""
|
||||
VM exports may be done by a system or network administrator. Verify whether the user identity, user agent, and/or
|
||||
hostname should be making changes in your environment. VM exports from unfamiliar users or hosts should be
|
||||
investigated. If known behavior is causing false positives, it can be exempted from the rule.
|
||||
""",
|
||||
]
|
||||
from = "now-60m"
|
||||
index = ["filebeat-*", "logs-aws*"]
|
||||
interval = "10m"
|
||||
language = "kuery"
|
||||
license = "Elastic License v2"
|
||||
name = "AWS EC2 VM Export Failure"
|
||||
note = """## Config
|
||||
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
|
||||
references = ["https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance"]
|
||||
risk_score = 21
|
||||
rule_id = "e919611d-6b6f-493b-8314-7ed6ac2e413b"
|
||||
severity = "low"
|
||||
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility"]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
reference = "https://attack.mitre.org/techniques/T1537/"
|
||||
id = "T1537"
|
||||
name = "Transfer Data to Cloud Account"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
reference = "https://attack.mitre.org/tactics/TA0010/"
|
||||
id = "TA0010"
|
||||
name = "Exfiltration"
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
reference = "https://attack.mitre.org/techniques/T1005/"
|
||||
id = "T1005"
|
||||
name = "Data from Local System"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
reference = "https://attack.mitre.org/tactics/TA0009/"
|
||||
id = "TA0009"
|
||||
name = "Collection"
|
||||
Reference in New Issue
Block a user