security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] AWS EventBridge Rule Disabled or Deleted (#1572)

Browse Source 
* Create aws_eventbridge_rule_disabled_or_deleted.toml

* Update aws_eventbridge_rule_disabled_or_deleted.toml

* Update aws_eventbridge_rule_disabled_or_deleted.toml

* Update aws_eventbridge_rule_disabled_or_deleted.toml

* Update rules/integrations/aws/aws_eventbridge_rule_disabled_or_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/aws_eventbridge_rule_disabled_or_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update aws_eventbridge_rule_disabled_or_deleted.toml

* Rename aws_eventbridge_rule_disabled_or_deleted.toml to impact_aws_eventbridge_rule_disabled_or_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 3ab67d1562)
This commit is contained in:
Austin Songer
2021-10-18 13:36:21 -05:00
committed by github-actions[bot]
parent b1e60b6c45
commit db54ea7467
1 changed files with 51 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
+51
View File
@@ -0,0 +1,51 @@
[metadata]
creation_date = "2021/10/17"
maturity = "production"
updated_date = "2021/10/17"
integration = "aws"
[rule]
author = ["Austin Songer"]
description = """
Identifies when a user disabled or deleted an EventBridge rule. This activity can result in an unintended loss of
visibility in applications or breaking the flow with other AWS services.
"""
false_positives = [
"""
EventBridge Rules could be deleted or disabled by a system administrator. Verify whether the user identity, user agent, and/or
hostname should be making changes in your environment. EventBridge Rules being deleted or disabled from unfamiliar users should
be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-20m"
index = ["filebeat-*", "logs-aws*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS EventBridge Rule Disabled or Deleted"
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html",
"https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html",
]
risk_score = 21
rule_id = "87594192-4539-4bc4-8543-23bc3d5bd2b4"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and
event.outcome:success
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"