sigma-rules/rules/aws/persistence_iam_group_creation.toml

[metadata]
creation_date = "2020/06/05"
maturity = "production"
updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
description = """
Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple
users. Any user in a group automatically has the permissions that are assigned to the group.
"""
false_positives = [
    """
    A group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or
    hostname should be making changes in your environment. Group creations from unfamiliar users or hosts should be
    investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-60m"
index = ["filebeat-*", "logs-aws*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS IAM Group Creation"
note = "The AWS Filebeat module must be enabled to use this rule."
references = [
    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html",
    "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html",
]
risk_score = 21
rule_id = "169f3a93-efc7-4df2-94d6-0d9438c310d1"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.action:CreateGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1136"
name = "Create Account"
reference = "https://attack.mitre.org/techniques/T1136/"
[[rule.threat.technique.subtechnique]]
id = "T1136.003"
name = "Cloud Account"
reference = "https://attack.mitre.org/techniques/T1136/003/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"