diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml new file mode 100644 index 000000000..b2c6791de --- /dev/null +++ b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml @@ -0,0 +1,52 @@ +[metadata] +creation_date = "2021/06/29" +maturity = "production" +updated_date = "2021/10/15" +integration = "aws" + +[rule] +author = ["Austin Songer"] +description = """ +Identifies when an attempt was made to restored RDS Snapshot. Snapshots are sometimes shared by threat actors in order to +exfiltrate bulk data. If the permissions were modified, verify if the snapshot was shared with an +unauthorized or unexpected AWS account. +""" +false_positives = [ + """ + Restoring snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, + and/or hostname should be making changes in your environment. Snapshot restoration from unfamiliar users or hosts should + be investigated. If known behavior is causing false positives, it can be exempted from the rule. + """, +] +index = ["filebeat-*", "logs-aws*"] +language = "kuery" +license = "Elastic License v2" +name = "AWS RDS Snapshot Restored" +note = """## Config + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +references = [ + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromDBSnapshot.html", + "https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py", +] +risk_score = 47 +rule_id = "bf1073bf-ce26-4607-b405-ba1ed8e9e204" +severity = "medium" +tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility"] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:RestoreDBInstanceFromDBSnapshot and +event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" +