defense_evasion_config_service_rule_deletion.toml
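# Elastic detection rule (forked from elastic/detection-rules).
# [metadata] holds rule lifecycle fields; [rule] is the detection itself.
[metadata]
creation_date = "2020/06/26"
maturity = "production"
updated_date = "2020/12/09"

[rule]
author = ["Elastic"]
description = """
Identifies attempts to delete an AWS Config Service rule. An adversary may tamper with Config rules in order to reduce
visibility into the security posture of an account and / or its workload instances.
"""
false_positives = [
"""
Privileged IAM users with security responsibilities may be expected to make changes to the Config rules in order to
align with local security policies and requirements. Automation, orchestration, and security tools may also make
changes to the Config service, where they are used to automate setup or configuration of AWS accounts. Other kinds
of user or service contexts do not commonly make changes to this service.
""",
]
# Each 10m run searches the last 60m; the overlap presumably absorbs
# CloudTrail delivery/ingest lag so late-arriving events still match — confirm.
from = "now-60m"
index = ["filebeat-*", "logs-aws*"]
interval = "10m"
language = "kuery"
license = "Elastic License"
name = "AWS Config Service Tampering"
note = "The AWS Filebeat module must be enabled to use this rule."
references = [
"https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html",
"https://docs.aws.amazon.com/config/latest/APIReference/API_Operations.html",
]
risk_score = 47
# Presumably the stable identifier for this rule across revisions — keep it
# unchanged when editing.
rule_id = "7024e2a0-315d-4334-bb1a-552d604f27bc"
severity = "medium"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring"]
type = "query"
# Matches every DeleteConfigRule API call from the Config service; there is no
# event.outcome filter, so denied/failed attempts alert alongside successful
# deletions (consistent with "attempts" in the description). The expected
# sources listed under false_positives are better handled by exceptions on the
# calling identity than by narrowing this query.
query = '''
event.dataset: aws.cloudtrail and event.action: DeleteConfigRule and event.provider: config.amazonaws.com
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"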