[Rule Tuning] AWS Config Service Tampering (#1108)

* Update defense_evasion_config_service_rule_deletion.toml
Brent Murphy
2021-04-14 17:13:27 -04:00
committed by GitHub
parent 4a46b2f03b
commit c1fd3b3374
@@ -1,18 +1,18 @@
[metadata]
creation_date = "2020/06/26"
maturity = "production"
updated_date = "2021/03/22"
updated_date = "2021/04/13"
[rule]
author = ["Elastic"]
author = ["Elastic", "Austin Songer"]
description = """
Identifies attempts to delete an AWS Config Service rule. An adversary may tamper with Config rules in order to reduce
visibiltiy into the security posture of an account and / or its workload instances.
Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to
reduce visibility into the security posture of an account and / or its workload instances.
"""
false_positives = [
"""
Privileged IAM users with security responsibilities may be expected to make changes to the Config rules in order to
align with local security policies and requirements. Automation, orchestration, and security tools may also make
Privileged IAM users with security responsibilities may be expected to make changes to the Config service in order
to align with local security policies and requirements. Automation, orchestration, and security tools may also make
changes to the Config service, where they are used to automate setup or configuration of AWS accounts. Other kinds
of user or service contexts do not commonly make changes to this service.
""",
@@ -36,7 +36,10 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:DeleteConfigRule
event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and
event.action:(DeleteConfigRule or DeleteOrganizationConfigRule or DeleteConfigurationAggregator or
DeleteConfigurationRecorder or DeleteConformancePack or DeleteOrganizationConformancePack or
DeleteDeliveryChannel or DeleteRemediationConfiguration or DeleteRetentionConfiguration)
'''