diff --git a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
index 3c803b5f4e9..a613f426071 100644
--- a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
@@ -2,13 +2,12 @@
 creation_date = "2020/06/15"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2025/06/05"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs
-in an attempt to evade defenses.
+Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses.
 """
 false_positives = [
 """
@@ -17,9 +16,9 @@ false_positives = [
 be exempted from the rule.
 """,
 ]
-from = "now-60m"
+from = "now-6m"
 index = ["filebeat-*", "logs-aws.cloudtrail-*"]
-interval = "10m"
+interval = "5m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS VPC Flow Logs Deletion"
@@ -81,6 +80,7 @@ tags = [
 "Domain: Cloud",
 "Data Source: AWS",
 "Data Source: Amazon Web Services",
+ "Data Source: AWS EC2",
 "Use Case: Log Auditing",
 "Resources: Investigation Guide",
 "Tactic: Defense Evasion",
@@ -92,6 +92,22 @@ query = '''
 event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success
 '''
+[rule.investigation_fields]
+field_names = [
+ "@timestamp",
+ "user.name",
+ "user_agent.original",
+ "source.address",
+ "aws.cloudtrail.user_identity.arn",
+ "aws.cloudtrail.user_identity.type",
+ "aws.cloudtrail.user_identity.access_key_id",
+ "event.action",
+ "event.outcome",
+ "cloud.account.id",
+ "cloud.region",
+ "aws.cloudtrail.request_parameters",
+ "aws.cloudtrail.response_elements"
+]
 [[rule.threat]]
 framework = "MITRE ATT&CK"
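Review bot: The new `from = "now-6m"` paired with `interval = "5m"` in the hunk at `@@ -17,9 +16,9 @@` leaves a single minute of overlap between runs, which only holds up if the rule is evaluated against ingestion time rather than the CloudTrail event time. `timestamp_override = "event.ingested"` appears as context for the network ACL creation rule (hunk `@@ -78,6 +75,7 @@` in the third file) but is outside every hunk shown for this file and for the network ACL deletion rule, so I can't confirm it is set in either; without it, CloudTrail's multi-minute delivery latency would push a `DeleteFlowLogs` event outside the window and the deletion would go unalerted. Please confirm both files carry `timestamp_override = "event.ingested"`, or widen the lookback (for example `from = "now-9m"`) so a late-arriving event is still picked up. The same `from`/`interval` change is made in the second file (hunk `@@ -2,24 +2,21 @@` of the network ACL deletion rule) and the third file (hunk `@@ -2,24 +2,21 @@` of the network ACL creation rule).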
@@ -100,9 +116,9 @@ id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
 [[rule.threat.technique.subtechnique]]
-id = "T1562.001"
-name = "Disable or Modify Tools"
-reference = "https://attack.mitre.org/techniques/T1562/001/"
+id = "T1562.008"
+name = "Disable or Modify Cloud Logs"
+reference = "https://attack.mitre.org/techniques/T1562/008/"
diff --git a/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
index 74fea8c26c3..5ef5161cec8 100644
--- a/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
@@ -2,24 +2,21 @@
 creation_date = "2020/05/26"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/06/05"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its
-ingress/egress entries.
+Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries.
 """
 false_positives = [
 """
- Network ACL's may be deleted by a network administrator. Verify whether the user identity, user agent, and/or
- hostname should be making changes in your environment. Network ACL deletions by unfamiliar users or hosts should be
- investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ Network ACL's may be deleted by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-60m"
+from = "now-6m"
 index = ["filebeat-*", "logs-aws.cloudtrail-*"]
-interval = "10m"
+interval = "5m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS EC2 Network Access Control List Deletion"
@@ -75,6 +72,7 @@ tags = [
 "Domain: Cloud",
 "Data Source: AWS",
 "Data Source: Amazon Web Services",
+ "Data Source: AWS EC2",
 "Use Case: Network Security Monitoring",
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
@@ -85,7 +83,22 @@ type = "query"
 query = '''
 event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success
 '''
-
+[rule.investigation_fields]
+field_names = [
+ "@timestamp",
+ "user.name",
+ "user_agent.original",
+ "source.address",
+ "aws.cloudtrail.user_identity.arn",
+ "aws.cloudtrail.user_identity.type",
+ "aws.cloudtrail.user_identity.access_key_id",
+ "event.action",
+ "event.outcome",
+ "cloud.account.id",
+ "cloud.region",
+ "aws.cloudtrail.request_parameters",
+ "aws.cloudtrail.response_elements"
+]
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -94,10 +107,9 @@ id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
 [[rule.threat.technique.subtechnique]]
-id = "T1562.001"
-name = "Disable or Modify Tools"
-reference = "https://attack.mitre.org/techniques/T1562/001/"
-
+id = "T1562.007"
+name = "Disable or Modify Cloud Firewall"
+reference = "https://attack.mitre.org/techniques/T1562/007/"
 [rule.threat.tactic]
diff --git a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
index fb602322a55..f5dcee312f5 100644
--- a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
+++ b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
@@ -2,24 +2,21 @@
 creation_date = "2020/06/04"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/06/05"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network
-ACL with a specified rule number.
+Identifies the creation of an AWS EC2 network access control list (ACL) or an entry in a network ACL with a specified rule number. Adversaries may exploit ACLs to establish persistence or exfiltrate data by creating permissive rules.
 """
 false_positives = [
 """
- Network ACL's may be created by a network administrator. Verify whether the user identity, user agent, and/or
- hostname should be making changes in your environment. Network ACL creations by unfamiliar users or hosts should be
- investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ Network ACL's may be created by a network administrator. Verify whether the user identity should be making changes in your environment. Network ACL creations by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-60m"
+from = "now-6m"
 index = ["filebeat-*", "logs-aws.cloudtrail-*"]
-interval = "10m"
+interval = "5m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS EC2 Network Access Control List Creation"
@@ -78,6 +75,7 @@ tags = [
 "Data Source: AWS EC2",
 "Use Case: Network Security Monitoring",
 "Tactic: Persistence",
+ "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
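Review bot: The sentence appended to `description` in the hunk at `@@ -2,24 +2,21 @@`, "Adversaries may exploit ACLs to establish persistence or exfiltrate data by creating permissive rules.", claims a precision the rule does not have: the query shown as context in the next hunk fires on every successful `CreateNetworkAcl` or `CreateNetworkAclEntry`, with no condition on the entry's rule action, protocol or CIDR range. Either narrow the description, e.g. `Adversaries may create permissive entries to establish persistence or exfiltrate data; this rule alerts on any ACL or entry creation, so check the rule action and CIDR range in aws.cloudtrail.request_parameters during triage.`, or encode that condition in the query so the description and the detection agree. In the same hunk the rewritten false-positives text drops the user-agent and hostname guidance, while `user_agent.original` and `source.address` are added to `investigation_fields` for this file in the next hunk, so the two now pull in different directions for the analyst.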
@@ -87,6 +85,22 @@ query = '''
 event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success
 '''
+[rule.investigation_fields]
+field_names = [
+ "@timestamp",
+ "user.name",
+ "user_agent.original",
+ "source.address",
+ "aws.cloudtrail.user_identity.arn",
+ "aws.cloudtrail.user_identity.type",
+ "aws.cloudtrail.user_identity.access_key_id",
+ "event.action",
+ "event.outcome",
+ "cloud.account.id",
+ "cloud.region",
+ "aws.cloudtrail.request_parameters",
+ "aws.cloudtrail.response_elements"
+]
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -100,4 +114,20 @@ reference = "https://attack.mitre.org/techniques/T1133/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.007"
+name = "Disable or Modify Cloud Firewall"
+reference = "https://attack.mitre.org/techniques/T1562/007/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"