sigma-rules/rules/aws/collection_cloudtrail_logging_created.toml

[metadata]
creation_date = "2020/06/10"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/10/26"

[rule]
author = ["Elastic"]
description = "Identifies the creation of an AWS log trail that specifies the settings for delivery of log data."
false_positives = [
    """
    Trail creations may be made by a system or network administrator. Verify whether the user identity, user agent,
    and/or hostname should be making changes in your environment. Trail creations from unfamiliar users or hosts should
    be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-60m"
index = ["filebeat-*", "logs-aws*"]
interval = "10m"
language = "kuery"
license = "Elastic License"
name = "AWS CloudTrail Log Created"
note = "The AWS Filebeat module must be enabled to use this rule."
references = [
    "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html",
    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html",
]
risk_score = 21
rule_id = "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing"]
type = "query"

query = '''
event.action:CreateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1530"
name = "Data from Cloud Storage Object"
reference = "https://attack.mitre.org/techniques/T1530/"


[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"