From bf1dc2547f58e92b23fca3d937dbdb64d29442ec Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Fri, 27 Jun 2025 13:24:27 -0400
Subject: [PATCH] [Rule Tunings] AWS SSM Command Document Created by Rare User (#4848)

* [Rule Tunings] AWS SSM Command Document Created by Rare User
## AWS SSM Command Document Created by Rare User
Rule executes as expected and has very few alerts in telemetry. However, it is one of the rules timing out occasionally.
- reduced execution window
- reduced new terms history window
- replaced wildcards with the flattened field in the query, which should improve performance
- replaced `aws.cloudtrail.user_identity.arn` with combination of `cloud.account.id` and `user.name` to account for Assumed Roles. This will only evaluate the role instead of each individual role session, which will improve performance.
- added investigation fields
- corrected tags
- added mitre technique
## AWS SSM `SendCommand` Execution by Rare User"
- added investigation fields
- added tag
* update pyproject.toml update pyproject.toml version
---
 detection_rules/etc/non-ecs-schema.json | 3 +-
 pyproject.toml | 2 +-
 ...command_document_created_by_rare_user.toml | 33 ++++++++++---------
 ...xecution_ssm_sendcommand_by_rare_user.toml | 19 ++++++++++-
 4 files changed, 39 insertions(+), 18 deletions(-)
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index d9aa02215..796333911 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -175,7 +175,8 @@
 "aws.cloudtrail.flattened.request_parameters.attribute": "keyword",
 "aws.cloudtrail.flattened.request_parameters.reason": "keyword",
 "aws.cloudtrail.flattened.request_parameters.omitted": "keyword",
- "aws.cloudtrail.flattened.request_parameters.ownersSet.items.owner": "keyword"
+ "aws.cloudtrail.flattened.request_parameters.ownersSet.items.owner": "keyword",
+ "aws.cloudtrail.flattened.response_elements.documentDescription.documentType": "keyword"
 },
 "logs-azure.signinlogs-*": {
 "azure.signinlogs.properties.conditional_access_audiences.application_id": "keyword",
diff --git a/pyproject.toml b/pyproject.toml
index c405e6f0d..0cd15ae17 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.2.25"
+version = "1.2.26"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
diff --git a/rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml b/rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml
index d3dc371b5..b69d06a25 100644
--- a/rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml
+++ b/rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml
@@ -2,22 +2,19 @@
 creation_date = "2024/11/01"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/10"
+updated_date = "2025/06/25"

 [rule]
 author = ["Elastic"]
 description = """
-Identifies when an AWS Systems Manager (SSM) command document is created by a user who does not typically perform this
-action. Adversaries may create SSM command documents to execute commands on managed instances, potentially leading to
-unauthorized access, command and control, data exfiltration and more.
+Identifies when an AWS Systems Manager (SSM) command document is created by a user or role who does not typically perform this action. Adversaries may create SSM command documents to execute commands on managed instances, potentially leading to unauthorized access, command and control, data exfiltration and more.
 """
 false_positives = [
 """
- Legitimate users may create SSM command documents for legitimate purposes. Ensure that the document is authorized
- and the user is known before taking action.
+ Legitimate users may create SSM command documents for legitimate purposes. Ensure that the document is authorized and the user is known before taking action.
 """,
 ]
-from = "now-9m"
+from = "now-6m"
 index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 language = "kuery"
 license = "Elastic License v2"
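Review bot: `from = "now-6m"` at the end of the hunk narrows the lookback to only one minute beyond a 5-minute schedule, so a `CreateDocument` record whose `@timestamp` lands in the index more than about six minutes after the event is never evaluated; CloudTrail delivery lagging the event time by several minutes is routine, so this trades an occasional timeout for silent misses. The rule's `interval` and any `timestamp_override` are outside the hunk, so this is inferred: if the rule does not already set `timestamp_override = "event.ingested"` under `[rule]`, that one line makes the short window safe because the query then runs against ingest time rather than event time. The reason for the cut (the timeouts described in the commit message) is also not recorded anywhere a maintainer reading the rule will see it; the `false_positives` or `note` text would be the place to say that alerts are expected once per account/principal over a six-minute window.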
@@ -34,7 +31,7 @@ This rule identifies when an AWS Systems Manager (SSM) command document is creat
 - **Analyze the Document Details**:
 - **Document Name**: Check the `aws.cloudtrail.request_parameters.name` field for the document name to understand its intended purpose.
 - **Document Content**: If possible, review `aws.cloudtrail.request_parameters.content` for any sensitive or unexpected instructions (e.g., actions for data exfiltration or privilege escalation). If not available via logs, consider reviewing the document in the AWS Management Console.
-- **Contextualize the Activity with Related Events**: Look for other CloudTrail events involving the same user ARN or IP address (`source.address`). Examine actions performed in other AWS services, such as IAM, EC2, or S3, to identify if additional suspicious behavior exists. The `SendCommand` API call may indicate attempts to execute the SSM document on managed instances.
+- **Contextualize the Activity with Related Events**: Look for other CloudTrail events involving the same user ARN or IP address (`source.ip`). Examine actions performed in other AWS services, such as IAM, EC2, or S3, to identify if additional suspicious behavior exists. The `SendCommand` API call may indicate attempts to execute the SSM document on managed instances.
 - **Check Document Status and Metadata**:
 - **Document Status**: Confirm the document creation status in `aws.cloudtrail.response_elements.documentDescription.status`. A status of `Creating` may indicate that the document is in progress.
 - **Execution Permissions**: Review if the document specifies `platformTypes` and `documentVersion` in `aws.cloudtrail.response_elements.documentDescription` to understand which environments may be impacted and if multiple versions exist.
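Review bot: Swapping `source.address` for `source.ip` in the changed guide line (and in the `investigation_fields` lists added to both rule files further down) drops the case where the API call was made by an AWS service on the principal's behalf: for those records CloudTrail's `sourceIPAddress` is a service hostname rather than an address, and my reading of the integration's pipeline is that `source.address` receives that string while `source.ip` stays empty because it does not parse as an IP — this is inferred from the integration, not visible in the hunk. An analyst following the new text would then see no source at all for a document created through a service-linked path, which is the less familiar pivot worth keeping. Suggest naming both fields, e.g. `... involving the same user ARN or source (`source.ip`, or `source.address` when the caller was an AWS service)`, and keeping `source.address` alongside `source.ip` in the investigation field lists. The guide's `note` block continues outside the hunk.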
@@ -66,7 +63,7 @@ tags = [
 "Domain: Cloud",
 "Data Source: AWS",
 "Data Source: Amazon Web Services",
- "Data Source: AWS SNS",
+ "Data Source: AWS SSM",
 "Data Source: AWS Systems Manager",
 "Resources: Investigation Guide",
 "Use Case: Threat Detection",
@@ -80,26 +77,32 @@ event.dataset: "aws.cloudtrail"
 and event.provider: "ssm.amazonaws.com"
 and event.action: "CreateDocument"
 and event.outcome: "success"
- and aws.cloudtrail.response_elements: *documentType=Command*
+ and aws.cloudtrail.flattened.response_elements.documentDescription.documentType: "Command"
 '''

 [rule.investigation_fields]
 field_names = [
 "@timestamp",
 "user.name",
- "source.address",
+ "user_agent.original",
+ "source.ip",
 "aws.cloudtrail.user_identity.arn",
 "aws.cloudtrail.user_identity.type",
- "user_agent.original",
+ "aws.cloudtrail.user_identity.access_key_id",
 "event.action",
 "event.outcome",
+ "cloud.account.id",
 "cloud.region",
 "aws.cloudtrail.request_parameters",
- "aws.cloudtrail.response_elements",
+ "aws.cloudtrail.response_elements"
 ]

 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1651"
+name = "Cloud Administration Command"
+reference = "https://attack.mitre.org/techniques/T1651/"

 [rule.threat.tactic]
 id = "TA0002"
@@ -108,7 +111,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["aws.cloudtrail.user_identity.arn"]
+value = ["cloud.account.id", "user.name"]

 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-14d"
+value = "now-10d"
diff --git a/rules/integrations/aws/execution_ssm_sendcommand_by_rare_user.toml b/rules/integrations/aws/execution_ssm_sendcommand_by_rare_user.toml
index 281459abd..26486f5bf 100644
--- a/rules/integrations/aws/execution_ssm_sendcommand_by_rare_user.toml
+++ b/rules/integrations/aws/execution_ssm_sendcommand_by_rare_user.toml
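Review bot: Keying the new-terms baseline on `["cloud.account.id", "user.name"]` in the last hunk silently excludes any `CreateDocument` event in which `user.name` is not populated, because a new-terms rule only evaluates documents that carry every configured field, whereas the previous key `aws.cloudtrail.user_identity.arn` is present on essentially every CloudTrail record. Whether `user.name` is set for every `user_identity.type` this query can match (root, federated, service and cross-account assumed-role callers) is not visible here and should be confirmed against the integration's pipeline before merge, otherwise the performance gain comes with an unstated blind spot. The commit message's rationale — collapsing role sessions to the role — also assumes `user.name` holds the role name rather than the session name for AssumedRole identities; if that assumption does not hold, the term cardinality is unchanged and the `now-10d` history cut is the only thing reducing work. Since rule files are regenerated by the repo tooling and comments do not survive, the place to record that assumption is the rule `note`, e.g. a sentence stating that alerts are raised once per account and principal name, not per role session.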
@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/06/19"
+updated_date = "2025/06/25"

 [rule]
 author = ["Elastic"]
@@ -77,6 +77,7 @@ tags = [
 "Data Source: AWS",
 "Data Source: Amazon Web Services",
 "Data Source: AWS SSM",
+ "Data Source: AWS Systems Manager",
 "Use Case: Log Auditing",
 "Use Case: Threat Detection",
 "Tactic: Execution",
@@ -97,6 +98,22 @@ event.dataset: "aws.cloudtrail"
 )
 '''

+[rule.investigation_fields]
+field_names = [
+ "@timestamp",
+ "user.name",
+ "user_agent.original",
+ "source.ip",
+ "aws.cloudtrail.user_identity.arn",
+ "aws.cloudtrail.user_identity.type",
+ "aws.cloudtrail.user_identity.access_key_id",
+ "event.action",
+ "event.outcome",
+ "cloud.account.id",
+ "cloud.region",
+ "aws.cloudtrail.request_parameters",
+ "aws.cloudtrail.response_elements"
+]
 [[rule.threat]]
 framework = "MITRE ATT&CK"