From f41714642c8fccdef486446a94ba4e4cd06873a3 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Mon, 4 Oct 2021 13:38:37 -0500 Subject: [PATCH] [New Rule] AWS ElastiCache Security Group Modified or Deleted (#1364) * Create impact_aws_elasticache_security_group_modified_or_deleted.toml * Rename impact_aws_elasticache_security_group_modified_or_deleted.toml to impact_elasticache_security_group_modified_or_deleted.toml * Update impact_elasticache_security_group_modified_or_deleted.toml * Update * Update rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml Co-authored-by: Jonhnathan * Update impact_elasticache_security_group_modified_or_deleted.toml * Update impact_elasticache_security_group_modified_or_deleted.toml * Rename impact_elasticache_security_group_modified_or_deleted.toml to defense_evasion_elasticache_security_group_modified_or_deleted.toml Co-authored-by: Jonhnathan Co-authored-by: Justin Ibarra --- ...he_security_group_modified_or_deleted.toml | 57 +++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml diff --git a/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml b/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml new file mode 100644 index 000000000..8005260fc --- /dev/null +++ b/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml @@ -0,0 +1,57 @@ +[metadata] +creation_date = "2021/07/19" +maturity = "production" +updated_date = "2021/10/01" +integration = "aws" + +[rule] +author = ["Austin Songer"] +description = "Identifies when an ElastiCache security group has been modified or deleted." +false_positives = [ + """ + A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, + user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar + users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the + rule. + """, +] +from = "now-60m" +index = ["filebeat-*", "logs-aws*"] +interval = "10m" +language = "kuery" +license = "Elastic License v2" +name = "AWS ElastiCache Security Group Modified or Deleted" +note = """## Config + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +references = ["https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/Welcome.html"] +risk_score = 21 +rule_id = "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516" +severity = "low" +tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring"] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:("Delete Cache Security Group" or +"Authorize Cache Security Group Ingress" or "Revoke Cache Security Group Ingress" or "AuthorizeCacheSecurityGroupEgress" or +"RevokeCacheSecurityGroupEgress") and event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + + [[rule.threat.technique.subtechnique]] + id = "T1562.007" + name = "Disable or Modify Cloud Firewall" + reference = "https://attack.mitre.org/techniques/T1562/007/" + +[rule.threat.tactic] +name = "Defense Evasion" +id = "TA0005" +reference = "https://attack.mitre.org/tactics/TA0005/"