[Rule Tunings] AWS EC2 Flow Log Deletion and Network ACL Activity

[imays11]

Pull Request

Issue link(s):

• https://github.com/elastic/ia-trade-team/issues/616

Summary - What I changed

"AWS VPC Flow Logs Deletion"
Rule Triggers as expected
Telemetry looks fine

• changed time window
• added AWS EC2 tag
• Added highlighted fields
• updated Mitre technique

---

"AWS EC2 Network Access Control List Deletion"
Rule Triggers as expected
Telemetry looks fine

• changed time window
• added AWS EC2 tag
• Added highlighted fields
• updated Mitre technique

---

"AWS EC2 Network Access Control List Creation"
Rule Triggers as expected
Telemetry looks fine

• changed time window
• Added highlighted fields
• added Defense Evasion Mitre technique and tag
• I Considered removing event.action: CreateNetworkAclEntry so this rule would only trigger for new ACL creation rather than new entries in an existing ACL. This would reduce some noise but I don't think it outweighs the benefit of capturing attackers who may add permissive rules to existing ACLs. Better to let users investigate this on their own and add exclusions for frequently modified ACLs.

How To Test

I have scripts available and linked with each rule below. You can run the script with Python and an AWS credentials profile or use the manual commands below if you already have the necessary infrastructure setup.

To trigger rules manually:
"AWS VPC Flow Logs Deletion" (execution script)

aws ec2 delete-flow-logs --flow-log-id <flow log id>

"AWS EC2 Network Access Control List Creation" (execution script)

# use within an existing VPC or create a new VPC first
aws ec2 create-network-acl --vpc-id <vpc-id>
OR
# add a rule to an existing ACL
aws ec2 create-network-acl-entry --network-acl-id <acl-id> --ingress --rule-number 100 --protocol udp --port-range From=53,To=53 --cidr-block 0.0.0.0/0 --rule-action allow

"AWS EC2 Network Access Control List Deletion" (execution script)

# use within an existing VPC or create a new VPC first and add an ACL to delete
aws ec2 delete-network-acl --network-acl-id <acl-id>
OR
# delete a rule from an existing ACL (specify whether it's an ingress or egress rule)
aws ec2 delete-network-acl-entry --network-acl-id <acl-id> --ingress | --egress --rule-number <#>

[github-actions]

Rule: Tuning - Guidelines

These guidelines serve as a reminder set of considerations when tuning an existing rule.

Documentation and Context

• Detailed description of the suggested changes.
• Provide example JSON data or screenshots.
• Provide evidence of reducing benign events mistakenly identified as threats (False Positives).
• Provide evidence of enhancing detection of true threats that were previously missed (False Negatives).
• Provide evidence of optimizing resource consumption and execution time of detection rules (Performance).
• Provide evidence of specific environment factors influencing customized rule tuning (Contextual Tuning).
• Provide evidence of improvements made by modifying sensitivity by changing alert triggering thresholds (Threshold Adjustments).
• Provide evidence of refining rules to better detect deviations from typical behavior (Behavioral Tuning).
• Provide evidence of improvements of adjusting rules based on time-based patterns (Temporal Tuning).
• Provide reasoning of adjusting priority or severity levels of alerts (Severity Tuning).
• Provide evidence of improving quality integrity of our data used by detection rules (Data Quality).
• Ensure the tuning includes necessary updates to the release documentation and versioning.

Rule Metadata Checks

• updated_date matches the date of tuning PR merged.
• min_stack_version should support the widest stack versions.
• name and description should be descriptive and not include typos.
• query should be inclusive, not overly exclusive. Review to ensure the original intent of the rule is maintained.

Testing and Validation

• Validate that the tuned rule's performance is satisfactory and does not negatively impact the stack.
• Ensure that the tuned rule has a low false positive rate.

[terrancedejesus]

Very nice. I agree to include new entries as adversaries may take the path of least resistance and a new ACL is more attention to their activity than adding a new entry or even adjusting one.