security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4ffdc46ba7ed68ce75bcdb520272c81f2bf64c20
sigma-rules/rules/aws/impact_ec2_disable_ebs_encryption.toml
T
Brent Murphy 01b1e8be26 [Rule Tuning] Update Tags for Cloud Rules (#99) 
* [Rule Tuning] Update Tags for Cloud Rules

* commenting out specifying alphabetical tag order in rule formatter

* Update rule_formatter.py

* py lint

* Lint fix comments

* update modified dates

* Update credential_access_secretsmanager_getsecretvalue.toml

* adding Continuous Monitoring tag

* update tags

* fixed and in tags

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-08-03 17:15:15 -04:00

56 lines
1.8 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/06/05"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
description = """
Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling
encryption by default does not change the encryption status of your existing volumes.
"""
false_positives = [
"""
Disabling encryption may be done by a system or network administrator. Verify whether the user identity, user agent,
and/or hostname should be making changes in your environment. Disabling encryption by unfamiliar users or hosts
should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-60m"
index = ["filebeat-*"]
interval = "10m"
language = "kuery"
license = "Elastic License"
name = "AWS EC2 Encryption Disabled"
note = "The AWS Filebeat module must be enabled to use this rule."
references = [
"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html",
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/disable-ebs-encryption-by-default.html",
"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html",
]
risk_score = 47
rule_id = "bb9b13b2-1700-48a8-a750-b43b0a72ab69"
severity = "medium"
tags = ["AWS", "Elastic", "SecOps", "Data Protection", "Continuous Monitoring"]
type = "query"
query = '''
event.action:DisableEbsEncryptionByDefault and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1492"
name = "Stored Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1492/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
Reference in New Issue View Git Blame Copy Permalink