sigma-rules/rules/integrations/aws/initial_access_console_login_root.toml
Ross Wolf b13c369dab [Fleet] Track integrations in folder and metadata (#1372)
* Track integrations in folder and metadata
* Remove duplicate entry
* Update note and tests

Removed changes from:
- rules/cyberark/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
- rules/cyberark/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml

(selectively cherry picked from commit 1882f4456c)
2021-07-21 21:25:22 +00:00


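# Detection rule: a successful AWS Management Console sign-in by the account root user.
# Root is not bound by IAM policies, so every interactive root login is worth a review.
[metadata]
creation_date = "2020/06/11"
maturity = "production"
updated_date = "2021/07/20"
# Names the Fleet integration whose data this rule expects (tracked per rule since this commit).
integration = "aws"

[rule]
author = ["Elastic"]
description = "Identifies a successful login to the AWS Management Console by the Root user."
false_positives = [
"""
It's strongly recommended that the root user is not used for everyday tasks, including the administrative ones.
Verify whether the IP address, location, and/or hostname should be logging in as root in your environment.
Unfamiliar root logins should be investigated immediately. If known behavior is causing false positives, it can be
exempted from the rule.
""",
]
# Lookback window is wider than the schedule: each run looks back 60 minutes but runs every
# 10 minutes, so the ranges overlap. Presumably intentional, to tolerate CloudTrail delivery
# latency rather than miss events that land after the run that should have seen them.
from = "now-60m"
# Filebeat module indices and Fleet integration data streams, respectively.
index = ["filebeat-*", "logs-aws*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS Management Console Root Login"
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"]
# risk_score and severity must agree (73 is within the "high" band).
risk_score = 73
rule_id = "e2a67480-3b79-403d-96e3-fdd2992c50ef"
severity = "high"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access"]
# Evaluate the window against ingest time instead of the event's own @timestamp, so records
# that are indexed late still fall inside a run's range.
timestamp_override = "event.ingested"
type = "query"
# Matches only CloudTrail records from the sign-in service: a ConsoleLogin action whose
# principal type is Root and whose outcome is success. Failed root login attempts are
# deliberately out of scope here; a separate rule would be needed to alert on those.
query = '''
event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success
'''

# T1078 (Valid Accounts) is listed once per ATT&CK tactic it belongs to; the framework places
# the same technique under both Initial Access and Persistence, so the rule carries two entries.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"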