[metadata] creation_date = "2020/07/25" integration = ["aws"] maturity = "production" updated_date = "2024/11/07" [rule] author = ["Elastic"] description = """ This rule detects the first time a principal calls AWS Cloudwatch `CreateStack` or `CreateStackSet` API. Cloudformation is used to create a single collection of cloud resources called a stack, via a defined template file. An attacker with the appropriate privileges could leverage Cloudformation to create specific resources needed to further exploit the environment. This is a new terms rule that looks for the first instance of this behavior in the last 10 days for a role or IAM user within a particular account. """ false_positives = [ """ Verify whether the user identity should be using the `CreateStack` or `CreateStackSet` APIs. If known behavior is causing false positives, it can be exempted from the rule. The "history_window_start" value can be modified to reflect the expected frequency of known activity within a particular environment. """, ] from = "now-6m" index = ["filebeat-*", "logs-aws.cloudtrail-*"] language = "kuery" license = "Elastic License v2" name = "First Time AWS Cloudformation Stack Creation by User" references = [ "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-cli-creating-stack.html/", "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html/", "https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStack.html/", "https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStackSet.html/", ] risk_score = 47 rule_id = "0415258b-a7b2-48a6-891a-3367cd9d4d31" severity = "medium" tags = [ "Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: Cloudformation", "Use Case: Asset Visibility", "Tactic: Execution", ] timestamp_override = "event.ingested" type = "new_terms" query = ''' event.dataset:aws.cloudtrail and event.provider:cloudformation.amazonaws.com and event.action: (CreateStack or CreateStackSet) and event.outcome:success ''' [[rule.threat]] framework = "MITRE ATT&CK" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["cloud.account.id", "user.name"] [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d"