diff --git a/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml b/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml index 0ca0106e1..4524daa35 100644 --- a/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml +++ b/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/06" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2025/12/16" [rule] author = ["Nick Jones", "Elastic"] @@ -51,7 +51,7 @@ This rule looks for the retrieval of credentials from Secrets Manager using `Get ### False positive analysis -- Review `entity.id` values for expected combinations of identity and secret value access. If this is an expected behavior, consider adding exceptions to the rule. +- Review `actor.entity.id` and `target.entity.id` values for expected combinations of identity and secret value access. If this is an expected behavior, consider adding exceptions to the rule. - False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. Consider adding exceptions — preferably with a combination of user agent and IP address conditions. ### Response and remediation diff --git a/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml b/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml index 506c4ecdf..aabb31b6d 100644 --- a/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml +++ b/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/12" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2025/12/16" [rule] author = ["Elastic"] 
@@ -94,6 +94,7 @@ field_names = [ "aws.cloudtrail.user_identity.type", "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", "event.action", "event.outcome", "cloud.account.id", diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml index f762db3aa..bd7b5bb2f 100644 --- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml +++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/26" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -32,7 +32,7 @@ AWS CloudTrail is a service that enables governance, compliance, and operational #### Possible investigation steps - **Actor & target** - Identify `aws.cloudtrail.user_identity.arn`, `user_agent.original`, `source.ip`. - - Confirm which trail was deleted (name/ARN, multi-region/organization status) from `aws.cloudtrail.request_parameters`. + - Confirm which trail was deleted (name/ARN, multi-region/organization status) from `aws.cloudtrail.request_parameters` or `target.entity.id`. - **Blast radius** - Determine whether it was the only trail or if organization/multi-region coverage remains. - Review preceding `StopLogging` or `UpdateTrail` and subsequent high-risk actions (IAM, S3, KMS, EC2 exports). @@ -107,6 +107,7 @@ field_names = [ "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", "event.action", "event.outcome", "cloud.account.id", diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_evasion.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_evasion.toml index 80e7f6407..72e57e622 100644 --- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_evasion.toml 
+++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_evasion.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/10" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2025/06/10" [rule] author = ["Elastic"] @@ -36,8 +36,8 @@ Amazon CloudTrail is a service that enables governance, compliance, operational - Do they look normal for the user? - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control? - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance? -- Examine the newly created or modified policy. -- If no policy name is included for event.actions like `PutRolePolicy`, analyze the inline policies attached for unexpected permission changes or additions. +- Examine the newly created or modified policy highlighted in `target.entity.id`. +- If no policy name is included for event.actions like `PutRolePolicy`, analyze the inline policies attached to the `actor.entity.id` for unexpected permission changes or additions. - If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours. ### False positive analysis @@ -99,6 +99,7 @@ field_names = [ "aws.cloudtrail.user_identity.access_key_id", "event.action", "event.outcome", + "target.entity.id", "cloud.account.id", "cloud.region", "aws.cloudtrail.request_parameters", diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml index b81501f12..19a1700b0 100644 --- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml +++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/06/10" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -33,7 +33,7 @@ AWS CloudTrail is a service that enables governance, compliance, and operational #### Possible investigation steps - **Actor & scope** - Identify `aws.cloudtrail.user_identity.arn`, `user_agent.original`, `source.ip`. - - Determine which trail stopped and whether it’s multi-region or organization-wide. + - Determine which trail stopped (`target.entity.id`) and whether it’s multi-region or organization-wide. - **Timing and impact** - When did logging stop and resume (if at all)? Are there overlapping detections indicating activity during the gap? - **Correlate activity** @@ -108,6 +108,7 @@ field_names = [ "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", "event.action", "event.outcome", "cloud.account.id", diff --git a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml index 3dedaf38d..a59d032da 100644 --- a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml +++ b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/06/15" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/01/16" [rule] author = ["Elastic"] 
@@ -43,7 +43,7 @@ This rule detects successful calls to the `DeleteAlarms` API via CloudTrail. The - Check whether this actor typically performs CloudWatch management or automation tasks. - **Review request details** - - Inspect `aws.cloudtrail.request_parameters` for the specific alarm names deleted. + - Inspect `aws.cloudtrail.request_parameters` or `target.entity.id` for the specific alarm names deleted. - Determine whether the alarms were security-related (e.g., CloudTrail log delivery, GuardDuty finding rate, or IAM API monitoring alarms). - Cross-reference deleted alarms with your organization's list of critical monitoring configurations. @@ -160,6 +160,7 @@ field_names = [ "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", "event.action", "event.outcome", "cloud.account.id", diff --git a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml index 41c5766b5..5d3c8b9b0 100644 --- a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml +++ b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml @@ -2,7 +2,7 @@ creation_date = "2020/06/16" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -139,6 +139,7 @@ field_names = [ "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", "event.action", "event.outcome", "cloud.account.id", diff --git a/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml index b479a2dae..27ff1add1 100644 --- a/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml +++ b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/05/28" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -139,6 +139,7 @@ field_names = [ "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", "event.action", "event.outcome", "cloud.account.id", diff --git a/rules/integrations/aws/defense_evasion_rds_instance_restored.toml b/rules/integrations/aws/defense_evasion_rds_instance_restored.toml index 5c526fa7a..4a871a745 100644 --- a/rules/integrations/aws/defense_evasion_rds_instance_restored.toml +++ b/rules/integrations/aws/defense_evasion_rds_instance_restored.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/29" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/01/16" [rule] author = ["Austin Songer", "Elastic"] @@ -183,6 +183,7 @@ field_names = [ "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", "event.action", "event.outcome", "cloud.account.id", diff --git a/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml b/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml index b4817233c..624bc2957 100644 --- a/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml +++ b/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/12" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -143,6 +143,7 @@ field_names = [ "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", "event.action", "event.outcome", "cloud.account.id", 
diff --git a/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml index 237ed1e08..1c83e963b 100644 --- a/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml +++ b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -185,6 +185,7 @@ field_names = [ "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", "event.action", "event.outcome", "cloud.account.id", diff --git a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml index e953ed3d6..a6e6fa7bf 100644 --- a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml +++ b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/06/09" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -164,6 +164,7 @@ field_names = [ "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", "event.action", "event.outcome", "cloud.account.id", diff --git a/rules/integrations/aws/exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml b/rules/integrations/aws/exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml index 1e709bd38..eaa5dcfbc 100644 --- a/rules/integrations/aws/exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml +++ b/rules/integrations/aws/exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/04/16" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -143,6 +143,7 @@ field_names = [ "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", "event.action", "event.outcome", "cloud.account.id", diff --git a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml index a0aa65612..3b4abe9e0 100644 --- a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml +++ b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/05" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/01/16" [rule] author = ["Elastic", "Austin Songer"] @@ -171,6 +171,7 @@ field_names = [ "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", "event.action", "event.outcome", "cloud.account.id", diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_shared_with_another_account.toml b/rules/integrations/aws/exfiltration_rds_snapshot_shared_with_another_account.toml index 85e24f146..4d0007470 100644 --- a/rules/integrations/aws/exfiltration_rds_snapshot_shared_with_another_account.toml +++ b/rules/integrations/aws/exfiltration_rds_snapshot_shared_with_another_account.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/25" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/01/16" [rule] author = ["Elastic"] 
@@ -164,6 +164,7 @@ field_names = [ "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", "event.action", "event.outcome", "cloud.account.id", diff --git a/rules/integrations/aws/exfiltration_s3_bucket_replicated_to_external_account.toml b/rules/integrations/aws/exfiltration_s3_bucket_replicated_to_external_account.toml index a29a22b0c..f5f8e9d80 100644 --- a/rules/integrations/aws/exfiltration_s3_bucket_replicated_to_external_account.toml +++ b/rules/integrations/aws/exfiltration_s3_bucket_replicated_to_external_account.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/12" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2025/12/04" [rule] author = ["Elastic"] @@ -170,6 +170,7 @@ field_names = [ "aws.cloudtrail.user_identity.access_key_id", "aws.cloudtrail.resources.arn", "aws.cloudtrail.resources.type", + "target.entity.id", "event.action", "event.outcome", "cloud.account.id", diff --git a/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml b/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml index 465364b28..e3eda01f1 100644 --- a/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml +++ b/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/01" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2025/12/16" [rule] author = ["Elastic"] 
@@ -31,7 +31,7 @@ This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui- - **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` field to identify the user who requested the subscription. Verify if this actor typically performs such actions and has the necessary permissions. It may be unusual for this activity to originate from certain user types, such as an assumed role or federated user. - **Review the SNS Subscription Event**: Analyze the specifics of the `Subscribe` action in CloudTrail logs: - - **Topic**: Look at the `aws.cloudtrail.request_parameters` field to identify the SNS topic involved in the subscription. + - **Topic**: Look at the `aws.cloudtrail.request_parameters` or `target.entity.id` field to identify the SNS topic involved in the subscription. - **Protocol and Endpoint**: Review the `aws.cloudtrail.request_parameters` field to confirm the subscription's protocol and endpoint, if available. Confirm if this endpoint is associated with a known or trusted entity. - **Subscription Status**: Check the `aws.cloudtrail.response_elements` field for the subscription's current status, noting if it requires confirmation. - **Verify Authorization**: Evaluate whether the user typically engages in SNS subscription actions and if they are authorized to do so for the specified topic. diff --git a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml index 1f6a8dd5d..ba258d59d 100644 --- a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml +++ b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/18" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/01/16" [rule] author = ["Elastic"] 
@@ -49,7 +49,7 @@ Adversaries may leverage `DeleteLogGroup` to impair forensic visibility, disrupt - Determine whether this identity normally modifies CloudWatch Logs or is associated with automation. **Review deletion details** -- Inspect `aws.cloudtrail.request_parameters` to determine the exact log group deleted. +- Inspect `aws.cloudtrail.request_parameters` or `target.entity.id` to determine the exact log group deleted. - Assess whether the log group provided visibility into: - CloudTrail processing, - Network flows (VPC Flow Logs), @@ -188,6 +188,7 @@ field_names = [ "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", "event.action", "event.outcome", "cloud.account.id", diff --git a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml index 6312cf48c..2ea4f8619 100644 --- a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml +++ b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/20" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -175,6 +175,7 @@ field_names = [ "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", "event.action", "event.outcome", "cloud.account.id", diff --git a/rules/integrations/aws/impact_ec2_ebs_snapshot_access_removed.toml b/rules/integrations/aws/impact_ec2_ebs_snapshot_access_removed.toml index 1221591ba..d63df0a70 100644 --- a/rules/integrations/aws/impact_ec2_ebs_snapshot_access_removed.toml +++ b/rules/integrations/aws/impact_ec2_ebs_snapshot_access_removed.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/06/02" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -141,6 +141,7 @@ field_names = [ "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", "event.action", "event.outcome", "cloud.account.id", diff --git a/rules/integrations/aws/impact_efs_filesystem_deleted.toml b/rules/integrations/aws/impact_efs_filesystem_deleted.toml index b8cf69060..d9c4d4a93 100644 --- a/rules/integrations/aws/impact_efs_filesystem_deleted.toml +++ b/rules/integrations/aws/impact_efs_filesystem_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2021/08/27" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/01/16" [rule] author = ["Austin Songer", "Elastic"] @@ -161,6 +161,7 @@ field_names = [ "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", "event.action", "event.outcome", "cloud.account.id", diff --git a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml index 2a685166c..3f73d82d6 100644 --- a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml +++ b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/26" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/01/16" [rule] author = ["Elastic", "Austin Songer"] @@ -153,6 +153,7 @@ field_names = [ "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", "event.action", "event.outcome", "cloud.account.id", 
diff --git a/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml index cfabd72e5..4508e3a36 100644 --- a/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml +++ b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -41,7 +41,7 @@ This rule detects the deletion of an RDS DB instance, Aurora DB cluster, or glob **Review the Deletion Event** - Confirm which action was invoked: `DeleteDBInstance`, `DeleteDBCluster` or `DeleteGlobalCluster` -- Examine `aws.cloudtrail.request_parameters`. Identify which resource was deleted and whether a final snapshot was created before deletion. +- Examine `aws.cloudtrail.request_parameters` and `target.entity.id`. Identify which resource was deleted and whether a final snapshot was created before deletion. **Analyze Source and Access Context** - Check `source.ip`, `source.geo` fields and `user_agent.original` @@ -65,7 +65,7 @@ Search CloudTrail for: - Contact the service owner or DB administrator to confirm whether the deletion is expected. **Assess Impact and Data Recovery Path** -- Identify which DB instance or cluster was deleted +- Identify which DB instance or cluster was deleted (`target.entity.id`) - Evaluate: - Whether automated backups existed. - Whether point-in-time recovery is still possible. @@ -176,6 +176,7 @@ field_names = [ "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", "event.action", "event.outcome", "cloud.account.id", diff --git a/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml b/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml index d12ddb1dc..6eb2d35a0 100644 
--- a/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml +++ b/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/28" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -37,7 +37,7 @@ Deletion protection is designed to safeguard RDS DB instances and clusters from - Validate whether this principal normally performs RDS lifecycle operations. - **Review Event Details** - - Inspect `aws.cloudtrail.request_parameters` to confirm the targeted DB instance or cluster identifier. + - Inspect `aws.cloudtrail.request_parameters` or `target.entity.id` to confirm the targeted DB instance or cluster identifier. - Confirm that the request explicitly contains `deletionProtection=false`. - **Contextualize the Change** @@ -144,6 +144,7 @@ field_names = [ "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", "event.action", "event.outcome", "cloud.account.id", diff --git a/rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml b/rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml index 7a3ec1d85..fdbb0ee8f 100644 --- a/rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml +++ b/rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/30" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2025/09/05" [rule] author = ["Elastic"] 
@@ -29,7 +29,7 @@ This rule detects when a new SSH public key is uploaded to an AWS EC2 instance u #### Possible Investigation Steps: - **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions. -- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the SSH public key upload. Look for any unusual parameters that could suggest unauthorized or malicious modifications. Determine the targeted EC2 instance. +- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the SSH public key upload. Look for any unusual parameters that could suggest unauthorized or malicious modifications. Use the `target.entity.id` field to determine the targeted EC2 instance. - **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access. - **Contextualize with Timestamp**: Use the `@timestamp` field to check when the SSH public key was uploaded. Changes during non-business hours or outside regular maintenance windows might require further scrutiny. - **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities. diff --git a/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml b/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml index 61a70e9d1..4c23e38b2 100644 --- a/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml 
+++ b/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/20" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -154,6 +154,7 @@ field_names = [ "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", "event.action", "event.outcome", "cloud.account.id", diff --git a/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml b/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml index 0e89738a8..793fc2111 100644 --- a/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml +++ b/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/30" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -133,6 +133,7 @@ field_names = [ "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", "event.action", "event.outcome", "cloud.account.id", diff --git a/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml b/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml index 941d53cba..b814abf8d 100644 --- a/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml +++ b/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/27" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/01/16" [rule] author = ["Elastic"] 
@@ -175,6 +175,7 @@ field_names = [ "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", "event.action", "event.outcome", "cloud.account.id", diff --git a/rules/integrations/aws/persistence_rds_instance_made_public.toml b/rules/integrations/aws/persistence_rds_instance_made_public.toml index cac81e06d..1ad7457ad 100644 --- a/rules/integrations/aws/persistence_rds_instance_made_public.toml +++ b/rules/integrations/aws/persistence_rds_instance_made_public.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/29" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/01/16" [rule] author = ["Elastic"] @@ -47,7 +47,7 @@ establish persistence, or bypass internal network restrictions. - Additional changes included in the same modification request (e.g., master user changes, security group updates) - **Validate the target resource** - - Determine the sensitivity of the instance: + - Determine the sensitivity of the instance (`target.entity.id`): - What data does it store? - Is it production, staging, dev, or ephemeral? - Confirm whether the instance was previously private. @@ -176,6 +176,7 @@ field_names = [ "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", "event.action", "event.outcome", "cloud.account.id", diff --git a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml index cabac631f..fe21eb457 100644 --- a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml +++ b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/05/10" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/01/16" [rule] author = ["Elastic", "Austin Songer"] @@ -164,6 +164,7 @@ field_names = [ "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", "aws.cloudtrail.user_identity.access_key_id", + "target.entity.id", "event.action", "event.outcome", "cloud.account.id", diff --git a/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml b/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml index b184b7cad..39f51c42b 100644 --- a/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml +++ b/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2025/12/16" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ unauthorized user. Customer-managed policies are policies created and controlled specific permissions to roles or users when attached. This rule identifies potential privilege escalation by flagging cases where a customer-managed policy is attached to a role by an unexpected actor, which could signal unauthorized access or misuse. Attackers may attach policies to roles to expand permissions and elevate their privileges within the -AWS environment. This is a New Terms rule that uses the "cloud.account.id", "user.name" and "entity.target.id" fields to +AWS environment. This is a New Terms rule that uses the "cloud.account.id", "user.name" and "target.entity.id" fields to check if the combination of the actor identity and target role name has not been seen before. """ false_positives = [ 
@@ -37,7 +37,7 @@ This rule detects when a customer-managed IAM policy is attached to a role by an - **Identify the Initiating User and Target Role**: - **User Identity**: Examine the `aws.cloudtrail.user_identity.arn` field to determine the user who initiated the policy attachment. Confirm if this user typically has permissions to modify IAM roles and if their activity is consistent with their usual responsibilities. - - **Target Role**: Review `entity.target.id` to identify the role to which the policy was attached. Assess whether modifying this role is expected for this user or if this action is unusual in your environment. + - **Target Role**: Review `target.entity.id` to identify the role to which the policy was attached. Assess whether modifying this role is expected for this user or if this action is unusual in your environment. - **Analyze the Attached Policy**: - **Policy ARN**: Inspect the `aws.cloudtrail.request_parameters` field to identify the specific customer-managed policy attached to the role. Evaluate if this policy grants sensitive permissions, especially permissions that could enable privileged actions or data access. @@ -122,7 +122,7 @@ field_names = [ "source.ip", "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", - "entity.target.id", + "target.entity.id", "event.action", "event.outcome", "cloud.account.id", @@ -132,7 +132,7 @@ field_names = [ [rule.new_terms] field = "new_terms_fields" -value = ["cloud.account.id", "user.name", "entity.target.id"] +value = ["cloud.account.id", "user.name", "target.entity.id"] [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" diff --git a/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml b/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml index c8140d5c9..44fd3f248 100644 --- a/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml 
+++ b/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/06" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2025/12/16" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ description = """ Identifies AWS CloudTrail events where an IAM role's trust policy has been updated by an IAM user or Assumed Role identity. The trust policy is a JSON document that defines which principals are allowed to assume the role. An attacker may attempt to modify this policy to gain the privileges of the role. This is a New Terms rule, which means it will only -trigger once for each unique combination of the "cloud.account.id", "user.name" and "entity.target.id" fields, that have +trigger once for each unique combination of the "cloud.account.id", "user.name" and "target.entity.id" fields, that have not been seen making this API request. """ false_positives = [ @@ -36,7 +36,7 @@ The role trust policy is a JSON document in which you define the principals you - Review the `aws.cloudtrail.user_identity.arn` to determine the IAM User that performed the action. - If an AssumedRole identity type performed the action review the `aws.cloudtrail.user_identity.session_context.session_issuer.arn` field to determine which role was used. -- Review the `entity.target.id` field to confirm the role that was updated. +- Review the `target.entity.id` field to confirm the role that was updated. - Within the `aws.cloudtrail.request_parameters` field, review the `policyDocument` to understand the changes made to the trust policy. - If `aws.cloudtrail.user_identity.access_key_id` is present, investigate the access key used to perform the action as it may be compromised. - Identify the user account that performed the action and whether it should perform this kind of action. 
@@ -119,7 +119,7 @@ field_names = [ "aws.cloudtrail.user_identity.type", "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.access_key_id", - "entity.target.id", + "target.entity.id", "event.action", "event.outcome", "cloud.account.id", @@ -129,7 +129,7 @@ field_names = [ [rule.new_terms] field = "new_terms_fields" -value = ["cloud.account.id", "user.name", "entity.target.id"] +value = ["cloud.account.id", "user.name", "target.entity.id"] [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d"
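Review bot: every `updated_date` hunk in this patch rolls the stamp backwards, `-updated_date = "2026/01/21"` becoming `+updated_date = "2025/12/16"` (Secrets Manager, SSM, customer-managed-policy, assume-role-policy rules) or `+updated_date = "2026/01/16"` (CloudTrail deletion, RDS public, Route 53 transfer), while the same files change description text, investigation guides, `investigation_fields` and `new_terms` values. A rule whose content changes should carry a date no earlier than the one it replaces, so either the diff was generated in the wrong direction or these lines need to be set to the date of this change before merge.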
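Review bot: the two `new_terms` hunks (`-value = ["cloud.account.id", "user.name", "entity.target.id"]` / `+value = ["cloud.account.id", "user.name", "target.entity.id"]` in privilege_escalation_iam_customer_managed_policy_attached_to_role.toml and privilege_escalation_iam_update_assume_role_policy.toml) change the key the rule builds its baseline on, so the `now-7d` history window will be compared against documents that may not carry `target.entity.id` at all if they were indexed by an `aws` integration version that only populated the old field. Expect a burst of first-seen alerts after deploy, and confirm the integration version pinned for these rules actually emits `target.entity.id`; a document missing one of the three fields cannot form a complete term and silently drops out of evaluation. Worth a line in the changelog or PR description.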
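Review bot: in the persistence_route_53_domain_transferred_to_another_account.toml hunk, `+ "target.entity.id",` is added to `investigation_fields.field_names` but nothing in the guide text is updated to tell the analyst what that field holds, whereas the defense_evasion_cloudtrail_logging_deleted.toml and persistence_rds_instance_made_public.toml hunks pair the same field addition with a guide sentence (`... from aws.cloudtrail.request_parameters or target.entity.id` and `Determine the sensitivity of the instance (target.entity.id)`). Add an equivalent bullet to the Route 53 guide, for example under the target-identification step, so the field surfaces for a reason the analyst can act on.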
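Review bot: the `+` line in the privilege_escalation_iam_update_assume_role_policy.toml description keeps the pre-existing grammar problem, `trigger once for each unique combination of the "cloud.account.id", "user.name" and "target.entity.id" fields, that have not been seen making this API request` (comma before "that", plural verb for a singular "combination"). Since the line is being touched anyway, rewrite it as `trigger once for each unique combination of the "cloud.account.id", "user.name" and "target.entity.id" fields that has not previously been seen making this API request`, matching the phrasing used in the customer-managed-policy rule's description.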