From dc980effb0ec579b2e324ce7b244838fb72cbd04 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 15 Oct 2021 14:05:00 -0500 Subject: [PATCH] [New Rule] AWS RDS Snapshot Restored (#1312) * Create exfiltration_rds_snapshot_restored.toml * Update exfiltration_rds_snapshot_restored.toml * Delete exfiltration_rds_snapshot_restored.toml * Create exfiltration_rds_snapshot_restored.toml * Update * Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml Co-authored-by: Jonhnathan * Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml Co-authored-by: Jonhnathan * Update exfiltration_rds_snapshot_restored.toml * Update exfiltration_rds_snapshot_restored.toml Co-authored-by: Justin Ibarra Co-authored-by: Jonhnathan --- .../exfiltration_rds_snapshot_restored.toml | 52 +++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 rules/integrations/aws/exfiltration_rds_snapshot_restored.toml diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml new file mode 100644 index 000000000..b2c6791de --- /dev/null +++ b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml @@ -0,0 +1,52 @@ +[metadata] +creation_date = "2021/06/29" +maturity = "production" +updated_date = "2021/10/15" +integration = "aws" + +[rule] +author = ["Austin Songer"] +description = """ +Identifies when an attempt was made to restored RDS Snapshot. Snapshots are sometimes shared by threat actors in order to +exfiltrate bulk data. If the permissions were modified, verify if the snapshot was shared with an +unauthorized or unexpected AWS account. +""" +false_positives = [ + """ + Restoring snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, + and/or hostname should be making changes in your environment. Snapshot restoration from unfamiliar users or hosts should + be investigated. If known behavior is causing false positives, it can be exempted from the rule. + """, +] +index = ["filebeat-*", "logs-aws*"] +language = "kuery" +license = "Elastic License v2" +name = "AWS RDS Snapshot Restored" +note = """## Config + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +references = [ + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromDBSnapshot.html", + "https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py", +] +risk_score = 47 +rule_id = "bf1073bf-ce26-4607-b405-ba1ed8e9e204" +severity = "medium" +tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility"] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:RestoreDBInstanceFromDBSnapshot and +event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" +