forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcollection_cloudtrail_logging_created.toml
50 lines (43 loc) · 1.62 KB
/
collection_cloudtrail_logging_created.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
[metadata]
creation_date = "2020/06/10"
maturity = "production"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
description = "Identifies the creation of an AWS log trail that specifies the settings for delivery of log data."
false_positives = [
"""
Trail creations may be made by a system or network administrator. Verify whether the user identity, user agent,
and/or hostname should be making changes in your environment. Trail creations from unfamiliar users or hosts should
be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-60m"
index = ["filebeat-*", "logs-aws*"]
interval = "10m"
language = "kuery"
license = "Elastic License"
name = "AWS CloudTrail Log Created"
note = "The AWS Filebeat module must be enabled to use this rule."
references = [
"https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html",
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html",
]
risk_score = 21
rule_id = "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing"]
type = "query"
query = '''
event.action:CreateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1530"
name = "Data from Cloud Storage Object"
reference = "https://attack.mitre.org/techniques/T1530/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"