From 5d41f2719a8fc49a27c4ef3b2e5e2e6d80adb9c7 Mon Sep 17 00:00:00 2001
From: Austin Songer <austin@songer.pro>
Date: Wed, 9 Jun 2021 14:03:37 -0500
Subject: [PATCH] [New Rule] AWS EC2 VM Export Failure (#1142)

* New Rule: AWS EC2 VM Export Failure

* Update exfiltration_ec2_vm_export_failure.toml

* Update exfiltration_ec2_vm_export_failure.toml

* Update exfiltration_ec2_vm_export_failure.toml

* Update exfiltration_ec2_vm_export_failure.toml

* Update exfiltration_ec2_vm_export_failure.toml

* Update exfiltration_ec2_vm_export_failure.toml

* Update exfiltration_ec2_vm_export_failure.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
(cherry picked from commit 6b45186827f5455212f98f6eddf688a4f601fc8c)
---
 .../exfiltration_ec2_vm_export_failure.toml   | 62 +++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 rules/aws/exfiltration_ec2_vm_export_failure.toml

diff --git a/rules/aws/exfiltration_ec2_vm_export_failure.toml b/rules/aws/exfiltration_ec2_vm_export_failure.toml
new file mode 100644
index 000000000..bda445657
--- /dev/null
+++ b/rules/aws/exfiltration_ec2_vm_export_failure.toml
@@ -0,0 +1,62 @@
+[metadata]
+creation_date = "2021/04/22"
+maturity = "production"
+updated_date = "2021/04/22"
+
+[rule]
+author = ["Elastic", "Austin Songer"]
+description = """
+Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information.
+"""
+false_positives = [
+    """
+    VM exports may be done by a system or network administrator. Verify whether the user identity, user agent, and/or
+    hostname should be making changes in your environment. VM exports from unfamiliar users or hosts should be
+    investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    """,
+]
+from = "now-60m"
+index = ["filebeat-*", "logs-aws*"]
+interval = "10m"
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS EC2 VM Export Failure"
+note = """## Config
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = ["https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance"]
+risk_score = 21
+rule_id = "e919611d-6b6f-493b-8314-7ed6ac2e413b"
+severity = "low"
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+reference = "https://attack.mitre.org/techniques/T1537/"
+id = "T1537"
+name = "Transfer Data to Cloud Account"
+
+
+[rule.threat.tactic]
+reference = "https://attack.mitre.org/tactics/TA0010/"
+id = "TA0010"
+name = "Exfiltration"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+reference = "https://attack.mitre.org/techniques/T1005/"
+id = "T1005"
+name = "Data from Local System"
+
+
+[rule.threat.tactic]
+reference = "https://attack.mitre.org/tactics/TA0009/"
+id = "TA0009"
+name = "Collection"