From 71d93e875e60e64a70e41417103f4701a5cb9515 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Wed, 3 May 2023 09:28:59 -0400
Subject: [PATCH] [Rule Tuning] Tuning 'AWS Access Secret in Secrets Manager' to New Terms (#2760)

* [Rule Tuning] Tuning 'AWS Access Secret in Secrets Manager' to New Terms

* updated new terms
---
 ..._terms_secretsmanager_getsecretvalue.toml} | 28 +++++++++++++------
 1 file changed, 19 insertions(+), 9 deletions(-)
 rename rules/integrations/aws/{credential_access_secretsmanager_getsecretvalue.toml => credential_access_new_terms_secretsmanager_getsecretvalue.toml} (82%)

diff --git a/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml b/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml
similarity index 82%
rename from rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml
rename to rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml
index 76e60b06d..f35bc5553 100644
--- a/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml
+++ b/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml
@@ -3,14 +3,14 @@ creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+min_stack_version = "8.6.0"
+updated_date = "2023/04/26"
 
 [rule]
 author = ["Nick Jones", "Elastic"]
 description = """
-An adversary may attempt to access the secrets in secrets manager to steal certificates, credentials, or other sensitive
-material
+An adversary equipped with compromised credentials may attempt to access the secrets in secrets manager to steal
+certificates, credentials, or other sensitive material.
 """
 false_positives = [
 """
@@ -23,14 +23,14 @@ index = ["filebeat-*", "logs-aws*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
-name = "AWS Access Secret in Secrets Manager"
+name = "First Time Seen AWS Secret Value Accessed in Secrets Manager"
 note = """## Triage and analysis
 
-### Investigating AWS Access Secret in Secrets Manager
+### Investigating First Time Seen AWS Secret Value Accessed in Secrets Manager
 
 AWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.
 
-This rule looks for the retrieval of credentials using the API `GetSecretValue` action.
+This rule looks for the retrieval of credentials using `GetSecretValue` action in Secrets Manager programmatically. This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has successfuly retrieved a secret value from Secrets Manager.
 
 #### Possible investigation steps
@@ -93,10 +93,12 @@ tags = [
 "Investigation Guide",
 ]
 timestamp_override = "event.ingested"
-type = "query"
+type = "new_terms"
 
 query = '''
-event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and event.action:GetSecretValue
+event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and
+ event.action:GetSecretValue and event.outcome:success and
+ not user_agent.name: ("Chrome" or "Firefox" or "Safari" or "Edge" or "Brave" or "Opera" or "aws-cli")
 '''
 
@@ -113,3 +115,11 @@ id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
 
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["aws.cloudtrail.user_identity.access_key_id", "aws.cloudtrail.request_parameters"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-15d"
+
+
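Review bot: The new investigation-guide sentence states this is "the first time a specific user identity has successfuly retrieved a secret value", but the `[rule.new_terms]` block added in the last hunk keys on `aws.cloudtrail.user_identity.access_key_id` together with `aws.cloudtrail.request_parameters`, so an alert fires on each new access-key/request-parameters pairing (presumably a known key reading a secret it has not read in the history window) rather than only on a new identity. Suggest aligning the text with the fields, e.g. `... rule indicating this is the first time a specific access key has successfully retrieved a particular secret value from Secrets Manager.` The same line also carries the typo `successfuly` and drops the article before the action name (`using the `GetSecretValue` action`).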
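Review bot: The added `not user_agent.name: (... or "aws-cli")` clause in the query excludes events on a value the calling client supplies, so it reduces coverage rather than reliably removing false positives: a successful `GetSecretValue` made with the excluded user agents is never evaluated, and `"aws-cli"` in particular covers a very ordinary way of using an access key, which sits uneasily with the description in the first hunk (`adversary equipped with compromised credentials`). If the intent is to suppress interactive console and CLI noise, that trade-off should be visible to analysts — add a `false_positives` entry or a line in the note saying that requests from these user agents are excluded and why — and `"aws-cli"` deserves a second look. A lighter-touch alternative is to keep `event.outcome:success` in the query and carry the user-agent filter as a rule exception, where it can be reviewed and tuned per deployment.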
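Review bot: The last hunk adds two empty lines after `value = "now-15d"`, so the renamed file now ends in a run of blank lines instead of a single trailing newline; drop both `+` lines so the file ends right after `value = "now-15d"`.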