From ba095969493df64febfef897f92f68811a3fb218 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Tue, 26 Oct 2021 08:25:53 -0500 Subject: [PATCH] [New Rule] AWS Route Table Created (#1257) * Update impact_iam_deactivate_mfa_device.toml https://github.com/elastic/detection-rules/issues/1111 * Update impact_iam_deactivate_mfa_device.toml * Update discovery_post_exploitation_external_ip_lookup.toml "*ipapi.co", "*ip-lookup.net", "*ipstack.com" * Update rules/aws/impact_iam_deactivate_mfa_device.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Revert "Update discovery_post_exploitation_external_ip_lookup.toml" This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e. * Update * New Rule: Okta User Attempted Unauthorized Access * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml * Create persistence_new-or-modified-federation-domain.toml * Delete persistence_new-or-modified-federation-domain.toml * Create persistence_route_table_created.toml * Update persistence_route_table_created.toml * Update rules/persistence_route_table_created.toml Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> * Update persistence_route_table_created.toml * Update .gitignore Co-authored-by: Jonhnathan * Update persistence_route_table_created.toml * Update * Update Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> Co-authored-by: Jonhnathan (cherry picked from commit 89553d84a91d8623294beebe57419d1ae3891a26) --- .../aws/persistence_route_table_created.toml | 52 +++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 rules/integrations/aws/persistence_route_table_created.toml diff --git a/rules/integrations/aws/persistence_route_table_created.toml b/rules/integrations/aws/persistence_route_table_created.toml new file mode 100644 index 000000000..1c90f0280 --- /dev/null +++ b/rules/integrations/aws/persistence_route_table_created.toml @@ -0,0 +1,52 @@ +[metadata] +creation_date = "2021/06/05" +maturity = "production" +updated_date = "2021/10/15" +integration = "aws" + +[rule] +author = ["Elastic", "Austin Songer"] +description = "Identifies when an AWS Route Table has been created." +false_positives = [ + """ + Route Table being created may be done by a system or network administrator. Verify whether the user identity, user + agent, and/or hostname should be making changes in your environment. Route Table being created from unfamiliar users or + hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + + Automated processes that uses Terraform may lead to false positives. + """, +] +from = "now-60m" +index = ["filebeat-*", "logs-aws*"] +interval = "10m" +language = "kuery" +license = "Elastic License v2" +name = "AWS Route Table Created" +note = """## Config + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +references = [ + "https://docs.datadoghq.com/security_platform/default_rules/cloudtrail-aws-route-table-modified/", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable", +] +risk_score = 21 +rule_id = "e12c0318-99b1-44f2-830c-3a38a43207ca" +severity = "low" +tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Network Security"] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and +event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +reference = "https://attack.mitre.org/tactics/TA0003/" +name = "Persistence" +id = "TA0003"