From fe14cd23eda0fdf7ff3f7a287482dc7f8a9d978e Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Tue, 22 Jun 2021 19:09:15 -0500 Subject: [PATCH] [New Rule] AWS RDS Security Group Deleted (#1261) Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy --- rules/aws/impact_rds_group_deletion.toml | 51 ++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 rules/aws/impact_rds_group_deletion.toml diff --git a/rules/aws/impact_rds_group_deletion.toml b/rules/aws/impact_rds_group_deletion.toml new file mode 100644 index 000000000..f12a4897f --- /dev/null +++ b/rules/aws/impact_rds_group_deletion.toml @@ -0,0 +1,51 @@ +[metadata] +creation_date = "2021/06/05" +maturity = "production" +updated_date = "2021/06/05" + +[rule] +author = ["Elastic", "Austin Songer"] +description = "Identifies the deletion of an Amazon Relational Database Service (RDS) Security Group." +false_positives = [ + """ + A RDS security group deletion may be done by a system or network administrator. Verify whether the user identity, + user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar + users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the + rule. + """, +] +from = "now-60m" +index = ["filebeat-*", "logs-aws*"] +interval = "10m" +language = "kuery" +license = "Elastic License v2" +name = "AWS RDS Security Group Deletion" +note = """## Config + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBSecurityGroup.html"] +risk_score = 21 +rule_id = "863cdf31-7fd3-41cf-a185-681237ea277b" +severity = "low" +tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring"] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1531" +name = "Account Access Removal" +reference = "https://attack.mitre.org/techniques/T1531/" + + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" +