From b8a3f43b9932fca1095a17fe69c59745fc3b1435 Mon Sep 17 00:00:00 2001
From: Austin Songer <austin@songer.pro>
Date: Tue, 22 Jun 2021 01:00:48 -0500
Subject: [PATCH] [New Rule] EC2 Full Network Packet Capture Detected (#1175)

(cherry picked from commit d7e0e37e54d229f414173505727faa0580b85dcc)
---
 ..._full_network_packet_capture_detected.toml | 72 +++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 rules/aws/exfiltration_ec2_full_network_packet_capture_detected.toml

diff --git a/rules/aws/exfiltration_ec2_full_network_packet_capture_detected.toml b/rules/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
new file mode 100644
index 000000000..27b30d340
--- /dev/null
+++ b/rules/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
@@ -0,0 +1,72 @@
+[metadata]
+creation_date = "2021/05/05"
+maturity = "production"
+updated_date = "2021/05/05"
+
+[rule]
+author = ["Elastic", "Austin Songer"]
+description = """
+Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon
+VPC feature that you can use to copy network traffic from an elastic network interface. This feature can potentially be
+abused to exfiltrate sensitive data from unencrypted internal traffic.
+"""
+false_positives = [
+    """
+    Traffic Mirroring may be done by a system or network administrator. Verify whether the user identity, user agent,
+    and/or hostname should be making changes in your environment. Traffic Mirroring from unfamiliar users or hosts
+    should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    """,
+]
+from = "now-60m"
+index = ["filebeat-*", "logs-aws*"]
+interval = "10m"
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS EC2 Full Network Packet Capture Detected"
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = [
+    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TrafficMirrorFilter.html",
+    "https://github.com/easttimor/aws-incident-response",
+]
+risk_score = 47
+rule_id = "c1812764-0788-470f-8e74-eb4a14d47573"
+severity = "medium"
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Network Security"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and 
+event.action:(CreateTrafficMirrorFilter or CreateTrafficMirrorFilterRule or CreateTrafficMirrorSession or CreateTrafficMirrorTarget) and 
+event.outcome:success
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+reference = "https://attack.mitre.org/techniques/T1020/"
+name = "Automated Exfiltration"
+id = "T1020"
+
+
+[rule.threat.tactic]
+reference = "https://attack.mitre.org/tactics/TA0010/"
+name = "Exfiltration"
+id = "TA0010"
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+reference = "https://attack.mitre.org/techniques/T1074/"
+name = "Data Staged"
+id = "T1074"
+
+
+[rule.threat.tactic]
+reference = "https://attack.mitre.org/tactics/TA0009/"
+name = "Collection"
+id = "TA0009"