From c1fd3b33747513b36d0109b2c4fbb0c5a4d4e34b Mon Sep 17 00:00:00 2001
From: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Date: Wed, 14 Apr 2021 17:13:27 -0400
Subject: [PATCH] [Rule Tuning] AWS Config Service Tampering (#1108)

* Update defense_evasion_config_service_rule_deletion.toml
---
 ...se_evasion_config_service_rule_deletion.toml | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/rules/aws/defense_evasion_config_service_rule_deletion.toml b/rules/aws/defense_evasion_config_service_rule_deletion.toml
index 0a4307f0e..3c07893b1 100644
--- a/rules/aws/defense_evasion_config_service_rule_deletion.toml
+++ b/rules/aws/defense_evasion_config_service_rule_deletion.toml
@@ -1,18 +1,18 @@
 [metadata]
 creation_date = "2020/06/26"
 maturity = "production"
-updated_date = "2021/03/22"
+updated_date = "2021/04/13"
 
 [rule]
-author = ["Elastic"]
+author = ["Elastic", "Austin Songer"]
 description = """
-Identifies attempts to delete an AWS Config Service rule. An adversary may tamper with Config rules in order to reduce
-visibiltiy into the security posture of an account and / or its workload instances.
+Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to
+reduce visibility into the security posture of an account and / or its workload instances.
 """
 false_positives = [
     """
-    Privileged IAM users with security responsibilities may be expected to make changes to the Config rules in order to
-    align with local security policies and requirements. Automation, orchestration, and security tools may also make
+    Privileged IAM users with security responsibilities may be expected to make changes to the Config service in order
+    to align with local security policies and requirements. Automation, orchestration, and security tools may also make
     changes to the Config service, where they are used to automate setup or configuration of AWS accounts. Other kinds
     of user or service contexts do not commonly make changes to this service.
     """,
@@ -36,7 +36,10 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:DeleteConfigRule
+event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and
+  event.action:(DeleteConfigRule or DeleteOrganizationConfigRule or DeleteConfigurationAggregator or
+  DeleteConfigurationRecorder or DeleteConformancePack or DeleteOrganizationConformancePack or
+  DeleteDeliveryChannel or DeleteRemediationConfiguration or DeleteRetentionConfiguration)
 '''
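Review bot: The widened event.action group in the new query lines covers only Delete* API calls, so an adversary who calls `StopConfigurationRecorder` halts Config recording without deleting anything and never trips this rule, although the loss of visibility is the same as `DeleteConfigurationRecorder` or `DeleteDeliveryChannel`, which the hunk does add. Consider extending the last action line to `DeleteDeliveryChannel or DeleteRemediationConfiguration or DeleteRetentionConfiguration or StopConfigurationRecorder)` and changing the description's "attempts to delete" to "attempts to delete or stop" so the text matches what the query actually detects. The query also places no constraint on `event.outcome`, which is consistent with the "attempts" wording but means AccessDenied calls from a tightened IAM policy will alert too; if that is intentional, a sentence in false_positives noting that failed attempts are alerted on would save the next tuner from wondering. The `[rule]` table these keys belong to begins in the first hunk and continues past both hunks, so the rule's name and risk fields are not visible here.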