[Rule Tuning] Tuning 'AWS Access Secret in Secrets Manager' to New Terms (#2760)

* [Rule Tuning] Tuning 'AWS Access Secret in Secrets Manager' to New Terms

* updated new terms
Terrance DeJesus
2023-05-03 09:28:59 -04:00
committed by GitHub
parent 6524acf98a
commit 71d93e875e
@@ -3,14 +3,14 @@ creation_date = "2020/07/06"
integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
min_stack_version = "8.6.0"
updated_date = "2023/04/26"
[rule]
author = ["Nick Jones", "Elastic"]
description = """
An adversary may attempt to access the secrets in secrets manager to steal certificates, credentials, or other sensitive
material
An adversary equipped with compromised credentials may attempt to access the secrets in secrets manager to steal
certificates, credentials, or other sensitive material.
"""
false_positives = [
"""
@@ -23,14 +23,14 @@ index = ["filebeat-*", "logs-aws*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS Access Secret in Secrets Manager"
name = "First Time Seen AWS Secret Value Accessed in Secrets Manager"
note = """## Triage and analysis
### Investigating AWS Access Secret in Secrets Manager
### Investigating First Time Seen AWS Secret Value Accessed in Secrets Manager
AWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.
This rule looks for the retrieval of credentials using the API `GetSecretValue` action.
This rule looks for the retrieval of credentials using `GetSecretValue` action in Secrets Manager programmatically. This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has successfuly retrieved a secret value from Secrets Manager.
#### Possible investigation steps
@@ -93,10 +93,12 @@ tags = [
"Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
type = "new_terms"
query = '''
event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and event.action:GetSecretValue
event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and
event.action:GetSecretValue and event.outcome:success and
not user_agent.name: ("Chrome" or "Firefox" or "Safari" or "Edge" or "Brave" or "Opera" or "aws-cli")
'''
@@ -113,3 +115,11 @@ id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[rule.new_terms]
field = "new_terms_fields"
value = ["aws.cloudtrail.user_identity.access_key_id", "aws.cloudtrail.request_parameters"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-15d"
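Review bot: The `not user_agent.name: (...)` exclusion added to `query` in the third hunk rests on a client-supplied header, so it trims noise from the console and the CLI but gives no assurance about a caller that sets its own user agent; the Triage section should state that, e.g. `A user agent matching a browser or the CLI is not on its own evidence of interactive use; corroborate with the source IP and the session that issued the call.` The new-terms key `aws.cloudtrail.user_identity.access_key_id` is presumably per-session for temporary STS credentials, so an assumed role that is used repeatedly would surface as a first-time identity on each new session and the 15-day history window would not suppress it — worth a sentence in the note, or a key that is stable across sessions if the schema offers one. `min_stack_comments` in the first hunk still carries the 8.3.0 rationale after the bump to `8.6.0`; change it to state why 8.6.0 is now required. The note text in the second hunk spells `successfuly` for `successfully`, and that multi-line `note` string continues past the hunk.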