From e170935f1fef3350c76d8a4099e46f1ed44effa2 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 12 Aug 2021 14:36:50 -0500 Subject: [PATCH] [New Rule] AWS EC2 Security Group Configuration Change Detection (#1144) (cherry picked from commit 67ba66c8e7ebfc93a9922349740d899c80a59ac6) --- ..._group_configuration_change_detection.toml | 57 +++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 rules/aws/persistence_ec2_security_group_configuration_change_detection.toml diff --git a/rules/aws/persistence_ec2_security_group_configuration_change_detection.toml b/rules/aws/persistence_ec2_security_group_configuration_change_detection.toml new file mode 100644 index 000000000..da0f4d780 --- /dev/null +++ b/rules/aws/persistence_ec2_security_group_configuration_change_detection.toml @@ -0,0 +1,57 @@ +[metadata] +creation_date = "2021/05/05" +maturity = "production" +updated_date = "2021/05/05" + +[rule] +author = ["Elastic", "Austin Songer"] +description = """ +Identifies a change to an AWS Security Group Configuration. A security group is like a virtul firewall and modifying +configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or +pivot in a AWS environment. +""" +false_positives = [ + """ + A security group may be created by a system or network administrator. Verify whether the user identity, user + agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users + or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + """, +] +from = "now-30m" +index = ["filebeat-*", "logs-aws*"] +interval = "10m" +language = "kuery" +license = "Elastic License v2" +name = "AWS Security Group Configuration Change Detection" +note = """## Config + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +references = ["https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html"] +risk_score = 21 +rule_id = "29052c19-ff3e-42fd-8363-7be14d7c5469" +severity = "low" +tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Network Security"] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or +CreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or +RevokeSecurityGroupIngress) and event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Persistence" +id = "TA0003" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Defense Evasion" +id = "TA0005" +reference = "https://attack.mitre.org/tactics/TA0005/"