sigma-rules/hunting/aws/queries/secretsmanager_high_frequency_get_secret_value.toml
Terrance DeJesus ba58a1e7cc [New Hunt] Add AWS Hunting Queries to Shared Hunting Library (#3988)
* new hunt queries for aws

* sendcommand and getuserpassword queries

* s3 bucket access and secrets manager requests added

* ssm start session and service logging deleted added

* adding federated authentication queries

* added ec2 modify instance attribute query

* adding backdoor role creation query

* 2 new queries for discovery; added lookback windows

* added new hunting query for IAM activity with no MFA session

* added missing time windows

* adding new query for lambda add permissions

* adjusted query format

* added new query for ec2 instance deployment anomalies

* updated queries based on feedback; regenerated docs

* fixed queries

* removed new rule
2024-09-04 10:08:44 -04:00


[hunt]
author = "Elastic"
description = """
This hunting query identifies when a high frequency of `GetSecretValue` API calls are made to the AWS Secrets Manager service programmatically. The `GetSecretValue` API call retrieves the secret value for a specified secret. High frequency of these calls may indicate an adversary attempting to access sensitive information stored in AWS Secrets Manager via a compromised account or automated tooling.
"""
integration = ["aws.cloudtrail"]
uuid = "ef244ca0-5e32-11ef-a8d3-f661ea17fbce"
name = "Secrets Manager High Frequency of Programmatic GetSecretValue API Calls"
language = ["ES|QL"]
license = "Elastic License v2"
notes = [
"Use the `secret_value` field to identify which secret was requested. It holds the secret name parsed from the `secretId` ARN in `aws.cloudtrail.request_parameters`, not the secret's value, which CloudTrail does not record. Add it to the `stats` statement, for example as `count_distinct(secret_value)`, to see how many different secrets one principal touched",
"Review the `aws.cloudtrail.user_identity*` fields to identify the user making the requests and their role permissions",
"`user_agent.name` field can provide additional context on the tool or application making the API calls. If not `aws-sdk` or a known application, investigate further.",
"Review the `source.*` fields for the IP address and geographical location of the request and compare with the user's typical behavior",
"The `aws.cloudtrail.user_identity.arn` field can provide additional context on the user making the request and their role permissions. Recent changes to role permissions or unusual logins may indicate a compromised account"
]
mitre = ["T1555.006"]
query = ['''
from logs-aws.cloudtrail*
| where @timestamp > now() - 7 day
| where
    event.provider == "secretsmanager.amazonaws.com"
    and event.action == "GetSecretValue"
    // exclude console sessions; rows with a null user agent are also dropped here
    and user_agent.name not in ("Chrome","Firefox","Safari", "Edge", "Brave", "Opera")
// secret name from the secretId ARN, e.g. {secretId=arn:...:secret:<name>} -> <name>
| dissect aws.cloudtrail.request_parameters "%{}secret:%{secret_value}}"
| stats request_counts = count(*) by event.action, aws.cloudtrail.user_identity.arn, source.ip, user_agent.name
// highest-volume callers first, since the hunt is for high frequency
| sort request_counts desc
''']
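The same filter, extraction and aggregation can be replayed offline over exported CloudTrail records, which is useful for checking what the query keys on before running it in a cluster. The following is an added example, not Elastic's code from this repository: it assumes records already flattened to the ECS field names the query reads, the sample events are constructed, and the `_event` helper, `hunt_get_secret_value` and `extract_secret_name` names are this example's own. It goes slightly beyond the query by also collecting the distinct secret names per caller, which is what the `secret_value` note suggests adding to `stats`.

```python
"""Offline replay of the GetSecretValue high-frequency hunt over CloudTrail records."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

BROWSER_AGENTS = {"Chrome", "Firefox", "Safari", "Edge", "Brave", "Opera"}

# Equivalent of the dissect pattern "%{}secret:%{secret_value}}": everything
# after "secret:" up to the closing brace of request_parameters. This is the
# secret *name* from the SecretId ARN; CloudTrail does not log the value.
_SECRET_RE = re.compile(r"secret:([^}]*)\}")


def extract_secret_name(request_parameters):
    """Return the secret name from a serialized request_parameters string, or None."""
    m = _SECRET_RE.search(request_parameters or "")
    return m.group(1) if m else None


def hunt_get_secret_value(events, now, lookback_days=7):
    """Return request counts per (arn, source ip, user agent), highest first."""
    cutoff = now - timedelta(days=lookback_days)
    counts = Counter()
    secrets = {}
    for ev in events:
        ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
        if ts <= cutoff:
            continue
        if ev.get("event.provider") != "secretsmanager.amazonaws.com":
            continue
        if ev.get("event.action") != "GetSecretValue":
            continue
        ua = ev.get("user_agent.name")
        # ES|QL's NOT IN evaluates to null for a null user agent, so the query
        # silently drops such rows; mirror that behaviour here.
        if ua is None or ua in BROWSER_AGENTS:
            continue
        key = (ev.get("aws.cloudtrail.user_identity.arn"), ev.get("source.ip"), ua)
        counts[key] += 1
        name = extract_secret_name(ev.get("aws.cloudtrail.request_parameters"))
        if name:
            secrets.setdefault(key, set()).add(name)
    rows = [
        {
            "arn": arn,
            "source_ip": ip,
            "user_agent": ua,
            "request_counts": n,
            "secret_names": sorted(secrets.get((arn, ip, ua), ())),
        }
        for (arn, ip, ua), n in counts.items()
    ]
    rows.sort(key=lambda r: r["request_counts"], reverse=True)
    return rows


def _event(ts, arn, ip, ua, secret, action="GetSecretValue"):
    """Build one constructed CloudTrail record in the ECS field layout the query reads (example helper)."""
    return {
        "@timestamp": ts,
        "event.provider": "secretsmanager.amazonaws.com",
        "event.action": action,
        "aws.cloudtrail.user_identity.arn": arn,
        "source.ip": ip,
        "user_agent.name": ua,
        "aws.cloudtrail.request_parameters": (
            "{secretId=arn:aws:secretsmanager:us-east-1:123456789012:secret:%s}" % secret
        ),
    }


NOW = datetime(2024, 9, 4, 12, 0, tzinfo=timezone.utc)

# Constructed sample: one IAM user sweeping five secrets from one IP with the
# CLI, one engineer fetching a secret from the console, one SDK read from an
# instance role, one DescribeSecret call, and one stale CLI read outside the
# 7-day lookback window.
SAMPLE_EVENTS = [
    _event("2024-09-04T11:%02d:00Z" % i, "arn:aws:iam::123456789012:user/ci-deploy",
           "203.0.113.10", "aws-cli", "prod/db/password-%d" % (i % 5))
    for i in range(25)
] + [
    _event("2024-09-04T10:00:00Z", "arn:aws:iam::123456789012:user/alice",
           "198.51.100.5", "Chrome", "prod/api-key"),
    _event("2024-09-04T10:05:00Z", "arn:aws:sts::123456789012:assumed-role/app/i-0abc",
           "10.0.1.7", "aws-sdk-java", "prod/api-key"),
    _event("2024-09-04T10:06:00Z", "arn:aws:sts::123456789012:assumed-role/app/i-0abc",
           "10.0.1.7", "aws-sdk-java", "prod/api-key", action="DescribeSecret"),
    _event("2024-08-20T09:00:00Z", "arn:aws:iam::123456789012:user/ci-deploy",
           "203.0.113.10", "aws-cli", "prod/db/password-0"),
]

if __name__ == "__main__":
    for row in hunt_get_secret_value(SAMPLE_EVENTS, NOW):
        print(row)
```

On the constructed sample the `ci-deploy` key surfaces first with 25 requests across five distinct secret names, the console read and the `DescribeSecret` call are filtered out, and the read from 2024-08-20 falls outside the window. Sorting descending is deliberate: the hunt is for the highest-volume callers, so they belong at the top of the result.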