diff --git a/rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml b/rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml new file mode 100644 index 000000000..17d745b7c --- /dev/null +++ b/rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml @@ -0,0 +1,63 @@ +[metadata] +creation_date = "2020/07/25" +integration = ["aws"] +maturity = "production" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2024/07/31" + +[rule] +author = ["Elastic"] +description = """ +This rule detects the first time a principal calls AWS Cloudwatch `CreateStack` or `CreateStackSet` API. Cloudformation is used to create a single collection of cloud resources called a stack, via a defined template file. An attacker with the appropriate privileges could leverage Cloudformation to create specific resources needed to further exploit the environment. This is a new terms rule that looks for the first instance of this behavior in the last 10 days for a role or IAM user within a particular account. +""" +false_positives = [ + """ + Verify whether the user identity should be using the `CreateStack` or `CreateStackSet` APIs. If known behavior is causing false positives, it can be exempted from the rule. The "history_window_start" value can be modified to reflect the expected frequency of known activity within a particular environment. + """, +] +from = "now-6m" +index = ["filebeat-*", "logs-aws.cloudtrail-*"] +language = "kuery" +license = "Elastic License v2" +name = "First Time AWS Cloudformation Stack Creation by User" +references = [ + "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-cli-creating-stack.html/", + "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html/", + "https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStack.html/", + "https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStackSet.html/", +] +risk_score = 47 +rule_id = "0415258b-a7b2-48a6-891a-3367cd9d4d31" +severity = "medium" +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: Cloudformation", + "Use Case: Asset Visibility", + "Tactic: Execution", +] +timestamp_override = "event.ingested" +type = "new_terms" + +query = ''' +event.dataset:aws.cloudtrail and event.provider:cloudformation.amazonaws.com and + event.action: (CreateStack or CreateStackSet) and event.outcome:success +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[rule.new_terms] +field = "new_terms_fields" +value = ["cloud.account.id","user.name"] +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-10d" +