sigma-rules/rules/aws/impact_cloudtrail_logging_updated.toml

[metadata]
creation_date = "2020/06/10"
maturity = "production"
updated_date = "2020/10/26"

[rule]
author = ["Elastic"]
description = "Identifies an update to an AWS log trail setting that specifies the delivery of log files."
false_positives = [
    """
    Trail updates may be made by a system or network administrator. Verify whether the user identity, user agent, and/or
    hostname should be making changes in your environment. Trail updates from unfamiliar users or hosts should be
    investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-60m"
index = ["filebeat-*", "logs-aws*"]
interval = "10m"
language = "kuery"
license = "Elastic License"
name = "AWS CloudTrail Log Updated"
note = "The AWS Filebeat module must be enabled to use this rule."
references = [
    "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html",
    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html",
]
risk_score = 21
rule_id = "3e002465-876f-4f04-b016-84ef48ce7e5d"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing"]
type = "query"

query = '''
event.action:UpdateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1492"
name = "Stored Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1492/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1530"
name = "Data from Cloud Storage Object"
reference = "https://attack.mitre.org/techniques/T1530/"


[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"