diff --git a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
new file mode 100644
index 000000000..0efa95cf8
--- /dev/null
+++ b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
@@ -0,0 +1,51 @@
+[metadata]
+creation_date = "2021/10/17"
+maturity = "production"
+updated_date = "2021/10/17"
+integration = "aws"
+
+[rule]
+author = ["Austin Songer"]
+description = """
+Identifies when a user disabled or deleted an EventBridge rule. This activity can result in an unintended loss of
+visibility in applications or breaking the flow with other AWS services.
+"""
+false_positives = [
+ """
+ EventBridge Rules could be deleted or disabled by a system administrator. Verify whether the user identity, user agent, and/or
+ hostname should be making changes in your environment. EventBridge Rules being deleted or disabled from unfamiliar users should
+ be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ """,
+]
+from = "now-20m"
+index = ["filebeat-*", "logs-aws*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS EventBridge Rule Disabled or Deleted"
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = [
+ "https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html",
+ "https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html",
+]
+risk_score = 21
+rule_id = "87594192-4539-4bc4-8543-23bc3d5bd2b4"
+severity = "low"
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring"]
+timestamp_override = "event.ingested"
+type = "query"
+
+
+query = '''
+event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and
+event.outcome:success
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
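Review bot: The `event.provider:eventbridge.amazonaws.com` filter in the query should be confirmed against a real CloudTrail record before this ships, since a wrong provider value makes a query-type rule silently match nothing; my recollection is that EventBridge rule API calls such as DeleteRule and DisableRule are logged with an eventSource of `events.amazonaws.com`, so the author should verify which value the ingest pipeline actually produces and adjust the clause (or match both) accordingly. Adding a sample event to the rule's test data would pin this down. Separately, the `[[rule.threat]]` block carries only the tactic (TA0040 Impact) with no `[[rule.threat.technique]]` entry; consider mapping a technique with id, name and reference lines, for example T1489 (Service Stop), so the rule is discoverable by technique in the ATT&CK coverage view. The `note` Config section could also state that CloudTrail management events must be enabled for these API calls to be ingested, since the rule depends on them.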