sigma-rules/rules/aws/impact_ec2_disable_ebs_encryption.toml

[metadata]
creation_date = "2020/06/05"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/10/26"

[rule]
author = ["Elastic"]
description = """
Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling
encryption by default does not change the encryption status of your existing volumes.
"""
false_positives = [
    """
    Disabling encryption may be done by a system or network administrator. Verify whether the user identity, user agent,
    and/or hostname should be making changes in your environment. Disabling encryption by unfamiliar users or hosts
    should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-60m"
index = ["filebeat-*", "logs-aws*"]
interval = "10m"
language = "kuery"
license = "Elastic License"
name = "AWS EC2 Encryption Disabled"
note = "The AWS Filebeat module must be enabled to use this rule."
references = [
    "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html",
    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/disable-ebs-encryption-by-default.html",
    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html",
]
risk_score = 47
rule_id = "bb9b13b2-1700-48a8-a750-b43b0a72ab69"
severity = "medium"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Data Protection"]
type = "query"

query = '''
event.action:DisableEbsEncryptionByDefault and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1492"
name = "Stored Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1492/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"