security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b0f449339d015cd081fcd6539d2aa259e5f527ab
sigma-rules/rules/aws/impact_ec2_disable_ebs_encryption.toml
T
Brent Murphy c64e700c56 [Rule Tuning] Update Cloud Rule Syntax (#1061) 
* update cloud syntax
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-04-14 10:49:28 -04:00

61 lines
2.0 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/06/05"
maturity = "production"
updated_date = "2021/03/22"
[rule]
author = ["Elastic"]
description = """
Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling
encryption by default does not change the encryption status of your existing volumes.
"""
false_positives = [
"""
Disabling encryption may be done by a system or network administrator. Verify whether the user identity, user agent,
and/or hostname should be making changes in your environment. Disabling encryption by unfamiliar users or hosts
should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-60m"
index = ["filebeat-*", "logs-aws*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS EC2 Encryption Disabled"
note = "The AWS Filebeat module must be enabled to use this rule."
references = [
"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html",
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/disable-ebs-encryption-by-default.html",
"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html",
]
risk_score = 47
rule_id = "bb9b13b2-1700-48a8-a750-b43b0a72ab69"
severity = "medium"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Data Protection"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1565"
name = "Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1565/"
[[rule.threat.technique.subtechnique]]
id = "T1565.001"
name = "Stored Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1565/001/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
Reference in New Issue View Git Blame Copy Permalink