[Rule Tunings] AWS EC2 Flow Log Deletion and Network ACL Activity #4778
Merged
merged 1 commit into from
Jun 6, 2025
32 changes: 24 additions & 8 deletions rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
Expand Up @@ -2,13 +2,12 @@
creation_date = "2020/06/15"
integration = ["aws"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2025/06/05"

[rule]
author = ["Elastic"]
description = """
Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs
in an attempt to evade defenses.
Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses.
"""
false_positives = [
"""
Expand All @@ -17,9 +16,9 @@ false_positives = [
be exempted from the rule.
""",
]
from = "now-60m"
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
interval = "5m"
language = "kuery"
license = "Elastic License v2"
name = "AWS VPC Flow Logs Deletion"
Expand Down Expand Up @@ -81,6 +80,7 @@ tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS EC2",
"Use Case: Log Auditing",
"Resources: Investigation Guide",
"Tactic: Defense Evasion",
Expand All @@ -92,6 +92,22 @@ query = '''
event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success
'''

[rule.investigation_fields]
field_names = [
"@timestamp",
"user.name",
"user_agent.original",
"source.address",
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"event.action",
"event.outcome",
"cloud.account.id",
"cloud.region",
"aws.cloudtrail.request_parameters",
"aws.cloudtrail.response_elements"
]

[[rule.threat]]
framework = "MITRE ATT&CK"
Expand All @@ -100,9 +116,9 @@ id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
id = "T1562.008"
name = "Disable or Modify Cloud Logs"
reference = "https://attack.mitre.org/techniques/T1562/008/"



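Review bot: The lookback shrinks from `from = "now-60m"` to `from = "now-6m"` while `interval` drops to `5m`, which leaves only a one-minute overlap between consecutive runs; with CloudTrail's delivery delay that is only safe if the rule also sets `timestamp_override = "event.ingested"`, so the window is measured against ingest time rather than event time. That key is not inside any hunk of this file, so its presence cannot be confirmed here; the network ACL creation rule later in this PR does show it, and the network ACL deletion section applies the same from/interval change. If the override is missing in either of these two files, keep the previous lookback or add the override in the same change, otherwise late-arriving DeleteFlowLogs events will be skipped silently. Separately, the description is now one unwrapped line while the adjacent false_positives text remains wrapped; keeping both in the same style avoids churn from the repo's formatter.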
Expand Up @@ -2,24 +2,21 @@
creation_date = "2020/05/26"
integration = ["aws"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/06/05"

[rule]
author = ["Elastic"]
description = """
Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its
ingress/egress entries.
Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries.
"""
false_positives = [
"""
Network ACL's may be deleted by a network administrator. Verify whether the user identity, user agent, and/or
hostname should be making changes in your environment. Network ACL deletions by unfamiliar users or hosts should be
investigated. If known behavior is causing false positives, it can be exempted from the rule.
Network ACL's may be deleted by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-60m"
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
interval = "5m"
language = "kuery"
license = "Elastic License v2"
name = "AWS EC2 Network Access Control List Deletion"
Expand Down Expand Up @@ -75,6 +72,7 @@ tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS EC2",
"Use Case: Network Security Monitoring",
"Tactic: Defense Evasion",
"Resources: Investigation Guide",
Expand All @@ -85,7 +83,22 @@ type = "query"
query = '''
event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success
'''

[rule.investigation_fields]
field_names = [
"@timestamp",
"user.name",
"user_agent.original",
"source.address",
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"event.action",
"event.outcome",
"cloud.account.id",
"cloud.region",
"aws.cloudtrail.request_parameters",
"aws.cloudtrail.response_elements"
]

[[rule.threat]]
framework = "MITRE ATT&CK"
Expand All @@ -94,10 +107,9 @@ id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"

id = "T1562.007"
name = "Disable or Modify Cloud Firewall"
reference = "https://attack.mitre.org/techniques/T1562/007/"


[rule.threat.tactic]
46 changes: 38 additions & 8 deletions rules/integrations/aws/persistence_ec2_network_acl_creation.toml
Expand Up @@ -2,24 +2,21 @@
creation_date = "2020/06/04"
integration = ["aws"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/06/05"

[rule]
author = ["Elastic"]
description = """
Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network
ACL with a specified rule number.
Identifies the creation of an AWS EC2 network access control list (ACL) or an entry in a network ACL with a specified rule number. Adversaries may exploit ACLs to establish persistence or exfiltrate data by creating permissive rules.
"""
false_positives = [
"""
Network ACL's may be created by a network administrator. Verify whether the user identity, user agent, and/or
hostname should be making changes in your environment. Network ACL creations by unfamiliar users or hosts should be
investigated. If known behavior is causing false positives, it can be exempted from the rule.
Network ACL's may be created by a network administrator. Verify whether the user identity should be making changes in your environment. Network ACL creations by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-60m"
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
interval = "5m"
language = "kuery"
license = "Elastic License v2"
name = "AWS EC2 Network Access Control List Creation"
Expand Down Expand Up @@ -78,6 +75,7 @@ tags = [
"Data Source: AWS EC2",
"Use Case: Network Security Monitoring",
"Tactic: Persistence",
"Tactic: Defense Evasion",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
Expand All @@ -87,6 +85,22 @@ query = '''
event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success
'''

[rule.investigation_fields]
field_names = [
"@timestamp",
"user.name",
"user_agent.original",
"source.address",
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"event.action",
"event.outcome",
"cloud.account.id",
"cloud.region",
"aws.cloudtrail.request_parameters",
"aws.cloudtrail.response_elements"
]

[[rule.threat]]
framework = "MITRE ATT&CK"
Expand All @@ -100,4 +114,20 @@ reference = "https://attack.mitre.org/techniques/T1133/"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.007"
name = "Disable or Modify Cloud Firewall"
reference = "https://attack.mitre.org/techniques/T1562/007/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

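Review bot: The rewritten description says adversaries create "permissive rules", but the query, unchanged in this PR, still matches every successful `CreateNetworkAcl` or `CreateNetworkAclEntry` regardless of the rule action or CIDR, so the wording promises more discrimination than the rule performs. Suggest stating what actually fires, e.g. `Adversaries may create permissive network ACL rules to establish persistence or exfiltrate data; this rule alerts on every successful creation, so review the rule action and CIDR in the request parameters during triage.` The new `[rule.investigation_fields]` list does include `aws.cloudtrail.request_parameters`, which is where those values surface, so the triage hint is actionable from the alert. The false_positives text also dropped the user-agent and hostname wording while `user_agent.original` remains in the investigation fields; the two should stay consistent.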