shashank-elastic
72 lines
2.2 KiB
TOML
72 lines
2.2 KiB
TOML
[metadata]
|
|
bypass_bbr_timing = true
|
|
creation_date = "2024/04/20"
|
|
integration = ["aws"]
|
|
maturity = "production"
|
|
updated_date = "2024/09/01"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
building_block_type = "default"
|
|
description = """
|
|
Identifies when an AWS Lambda function is created or updated. AWS Lambda lets you run code without provisioning or
|
|
managing servers. Adversaries can create or update Lambda functions to execute malicious code, exfiltrate data, or
|
|
escalate privileges. This is a [building block
|
|
rule](https://www.elastic.co/guide/en/security/current/building-block-rule.html) that does not generate alerts, but
|
|
signals when a Lambda function is created or updated that matches the rule's conditions. To generate alerts, create a
|
|
rule that uses this signal as a building block.
|
|
"""
|
|
false_positives = [
|
|
"""
|
|
Legitimate changes to Lambda functions can trigger this signal. Ensure that the changes are authorized and align
|
|
with your organization's policies.
|
|
""",
|
|
]
|
|
from = "now-60m"
|
|
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
|
|
interval = "10m"
|
|
language = "kuery"
|
|
license = "Elastic License v2"
|
|
name = "AWS Lambda Function Created or Updated"
|
|
references = [
|
|
"https://mattslifebytes.com/2023/04/14/from-rebuilds-to-reloads-hacking-aws-lambda-to-enable-instant-code-updates/",
|
|
"https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-overwrite-code/",
|
|
"https://docs.aws.amazon.com/lambda/latest/api/API_UpdateFunctionCode.html",
|
|
]
|
|
risk_score = 21
|
|
rule_id = "1251b98a-ff45-11ee-89a1-f661ea17fbce"
|
|
severity = "low"
|
|
tags = [
|
|
"Domain: Cloud",
|
|
"Data Source: AWS",
|
|
"Data Source: Amazon Web Services",
|
|
"Data Source: AWS Lambda",
|
|
"Use Case: Asset Visibility",
|
|
"Tactic: Execution",
|
|
"Rule Type: BBR"
|
|
]
|
|
timestamp_override = "event.ingested"
|
|
type = "query"
|
|
|
|
query = '''
|
|
event.dataset: "aws.cloudtrail"
|
|
and event.provider: "lambda.amazonaws.com"
|
|
and event.outcome: "success"
|
|
and event.action: (CreateFunction* or UpdateFunctionCode*)
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1648"
|
|
name = "Serverless Execution"
|
|
reference = "https://attack.mitre.org/techniques/T1648/"
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0002"
|
|
name = "Execution"
|
|
reference = "https://attack.mitre.org/tactics/TA0002/"
|
|
|