security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] First Time Seen AWS Secret Value Accessed in Secrets Manager (#4992)

Browse Source 
This rule is evaluating the "new terms" against every individual role session, rather than against the Role itself. This is causing a massive volume of alerts
- updated rule description and investigation guide
- reduced execution window and interval
- replaced new terms from `user.id` to combination of `cloud.account.id` and `user.name` to account for evaluation against Roles and in the event that separate AWS accounts under the same Org reuse IAM user names. This will only evaluate the Role instead of each individual role session, which should greatly improve performance.
This commit is contained in:
Isai
2025-08-25 12:00:47 -04:00
committed by GitHub
parent df179f0ab1
commit bfb29ecf37
1 changed files with 22 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml
+22 -8
View File
@@ -2,7 +2,7 @@
creation_date = "2020/07/06"
integration = ["aws"]
maturity = "production"
updated_date = "2025/02/03"
updated_date = "2025/08/18"
[rule]
author = ["Nick Jones", "Elastic"]
@@ -12,8 +12,7 @@ attempt to leverage the compromised service to access secrets in AWS Secrets Man
a specific user identity has programmatically retrieved a secret value from Secrets Manager using the `GetSecretValue`
or `BatchGetSecretValue` actions. This rule assumes that AWS services such as Lambda functions and EC2 instances are
setup with IAM role's assigned that have the necessary permissions to access the secrets in Secrets Manager. An
adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service would rely
on the compromised service's IAM role to access the secrets in Secrets Manager.
adversary with access to a compromised AWS service would rely on its' attached role to access the secrets in Secrets Manager.
"""
false_positives = [
"""
@@ -21,9 +20,9 @@ false_positives = [
SecretId. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-60m"
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
interval = "5m"
language = "kuery"
license = "Elastic License v2"
name = "First Time Seen AWS Secret Value Accessed in Secrets Manager"
@@ -33,7 +32,7 @@ note = """## Triage and analysis
AWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.
This rule looks for the retrieval of credentials using `GetSecretValue` action in Secrets Manager programmatically. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has successfuly retrieved a specific secret value from Secrets Manager within the last 15 days.
This rule looks for the retrieval of credentials from Secrets Manager using `GetSecretValue` or `BatchGetSecretValue` API calls. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has successfuly retrieved a secret value from Secrets Manager.
#### Possible investigation steps
@@ -53,7 +52,7 @@ This rule looks for the retrieval of credentials using `GetSecretValue` action i
### False positive analysis
- Review `user.id` values for expected ARNs. If this is an expected behavior, consider adding exceptions to the rule.
- Review `actor.entity.id` and `target.entity.id` values for expected combinations of identity and secret value access. If this is an expected behavior, consider adding exceptions to the rule.
- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. Consider adding exceptions — preferably with a combination of user agent and IP address conditions.
### Response and remediation
@@ -101,6 +100,21 @@ event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and
not user_agent.name: ("Chrome" or "Firefox" or "Safari" or "Edge" or "Brave" or "Opera")
'''
[rule.investigation_fields]
field_names = [
"@timestamp",
"user.name",
"user_agent.original",
"source.ip",
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"event.action",
"event.outcome",
"cloud.account.id",
"cloud.region",
"aws.cloudtrail.request_parameters"
]
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -122,7 +136,7 @@ reference = "https://attack.mitre.org/tactics/TA0006/"
[rule.new_terms]
field = "new_terms_fields"
value = ["user.id"]
value = ["cloud.account.id", "user.name"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"