security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
dfef597794d4daf07eb4e8ebccd78bb64db930d4
sigma-rules/rules/integrations/aws/persistence_route_table_created.toml
T
Terrance DeJesus e8c39d19a7 [Rule Tuning] Missing MITRE ATT&CK Mappings (#2073) 
* initial commit with eggshell mitre mapping added

* adding updated rules

* [Rule Tuning] MITRE for GCP rules

I've added Mitre references for the 4 GCP rules missing. Changed 3 of the rules from "Impact" to "Defense Evasion" based on the technique used and it's matched tactic.

* [Rule Tuning] Endgame Rule name updates for Mitre

Updated Endgame rule names for those with Mitre tactics to match the tactics.

* Update rules/integrations/aws/persistence_redshift_instance_creation.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* adding 10 updated rules for google_workspace, ml and o365

* adding 22 rule updates for mitre att&ck mappings

* adding 24 rule updates related mainly to ML rules

* adding 3 rules related to detection via ML

* adding adjustments

* adding adjustments with solutions to recent pytest errors

* removed tabs from tags

* adjusted mappings and added techniques

* adjusted endgame rule mappings per review

* adjusted names to match different tactics

* added execution and defense evasion tag

* adjustments to address errors from merging with main

* added newlines to rules missing them at the end of the file

Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-07-22 14:30:34 -04:00

52 lines
1.8 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2021/06/05"
maturity = "production"
updated_date = "2022/07/05"
integration = "aws"
[rule]
author = ["Elastic", "Austin Songer"]
description = "Identifies when an AWS Route Table has been created."
false_positives = [
"""
Route Tables may be created by a system or network administrators. Verify whether the user identity, user
agent, and/or hostname should be making changes in your environment. Route Table creation by unfamiliar users or
hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
Automated processes that use Terraform may lead to false positives.
""",
]
from = "now-60m"
index = ["filebeat-*", "logs-aws*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS Route Table Created"
note = """## Setup
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/",
"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html",
"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable",
]
risk_score = 21
rule_id = "e12c0318-99b1-44f2-830c-3a38a43207ca"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Network Security", "Persistence"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and
event.outcome:success
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
reference = "https://attack.mitre.org/tactics/TA0003/"
name = "Persistence"
id = "TA0003"
Reference in New Issue View Git Blame Copy Permalink