diff --git a/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml b/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml
similarity index 82%
rename from rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml
rename to rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml
index 76e60b06d..f35bc5553 100644
--- a/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml
+++ b/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml
@@ -3,14 +3,14 @@ creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+min_stack_version = "8.6.0"
+updated_date = "2023/04/26"
 
 [rule]
 author = ["Nick Jones", "Elastic"]
 description = """
-An adversary may attempt to access the secrets in secrets manager to steal certificates, credentials, or other sensitive
-material
+An adversary equipped with compromised credentials may attempt to access the secrets in secrets manager to steal
+certificates, credentials, or other sensitive material.
 """
 false_positives = [
 """
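Review bot: `min_stack_comments` still explains the old floor ("required_fields, related_integrations, setup") while `min_stack_version` moves from 8.3.0 to 8.6.0, so the stated rationale no longer matches the constraint it sits next to. The new floor is presumably driven by the switch to a `new_terms` rule with more than one field, which should be confirmed and then recorded, e.g. `min_stack_comments = "New fields added: required_fields, related_integrations, setup; new_terms rule with multiple fields requires 8.6.0"`. Without that, the next person to lower the version has no visible reason not to.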
@@ -23,14 +23,14 @@ index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
-name = "AWS Access Secret in Secrets Manager"
+name = "First Time Seen AWS Secret Value Accessed in Secrets Manager"
 note = """## Triage and analysis
 
-### Investigating AWS Access Secret in Secrets Manager
+### Investigating First Time Seen AWS Secret Value Accessed in Secrets Manager
 
 AWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.
 
-This rule looks for the retrieval of credentials using the API `GetSecretValue` action.
+This rule looks for the retrieval of credentials using `GetSecretValue` action in Secrets Manager programmatically. This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has successfuly retrieved a secret value from Secrets Manager.
 
 #### Possible investigation steps
 
@@ -93,10 +93,12 @@ tags = [
 "Investigation Guide",
 ]
 timestamp_override = "event.ingested"
-type = "query"
+type = "new_terms"
 
 query = '''
-event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and event.action:GetSecretValue
+event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and
+ event.action:GetSecretValue and event.outcome:success and
+ not user_agent.name: ("Chrome" or "Firefox" or "Safari" or "Edge" or "Brave" or "Opera" or "aws-cli")
 '''
 
 
@@ -113,3 +115,11 @@ id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
 
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["aws.cloudtrail.user_identity.access_key_id", "aws.cloudtrail.request_parameters"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-15d"
+
+
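Review bot: The sentence added to `note` misspells `successfuly` (`successfully`), and it describes the alert as the first time "a specific user identity" retrieved a secret value, which does not match what the rule actually baselines: the new-terms fields further down are the access key ID paired with the request parameters, so the alert means that key ID plus that parameter set has not been seen together in the history window. A wording that an analyst can act on would be `the first time a given access key ID has successfully retrieved a given secret (the new-terms fields are the access key ID and the request parameters)`. The `note` multi-line string continues outside the hunk.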
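Review bot: The added `not user_agent.name: (...)` clause discards every successful GetSecretValue whose parsed agent name is `aws-cli` or one of the listed browsers, and that name is a client-supplied string, so the rule's scope now rests on a value the caller chooses; CLI retrievals are also a plausible path for the compromised-credential scenario the description itself names. If the intent is to suppress console and operator traffic, that should be stated in `note` or `false_positives`, e.g. `Retrievals whose user agent parses as a browser or the AWS CLI are excluded by design; the user agent is client-supplied, so this scopes the rule rather than vouching for the caller.` Whether `aws-cli` is the agent name the ingest pipeline really produces for CLI traffic should be confirmed against live `user_agent.name` values, because a mismatch would silently turn that exclusion into a no-op.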
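Review bot: Keying the new-terms baseline on `aws.cloudtrail.user_identity.access_key_id` means callers using temporary credentials (assumed-role sessions, whose key ID changes per session) present as a new term on every session, so the 15-day `history_window_start` would rarely carry over for role-based callers and the alert volume may be higher than "first time seen" suggests. Consider whether an identity field that is stable across sessions (for example `aws.cloudtrail.user_identity.arn`, if the pipeline populates it) fits the intent better, or record the choice above `[rule.new_terms]` with `# access_key_id is per-session for STS credentials: each assumed-role session is a new term` (assuming the repo's tooling preserves comments). Pairing it with `aws.cloudtrail.request_parameters` makes the tuple the unit of novelty, so the same key reading a different secret alerts again — presumably intended, but worth a sentence in `note`. The two trailing `+` blank lines also leave the file ending with more than one newline.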