forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdefense_evasion_ec2_network_acl_deletion.toml
59 lines (52 loc) · 2.04 KB
/
defense_evasion_ec2_network_acl_deletion.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
[metadata]
creation_date = "2020/05/26"
maturity = "production"
updated_date = "2020/12/09"
[rule]
author = ["Elastic"]
description = """
Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its
ingress/egress entries.
"""
false_positives = [
"""
Network ACL's may be deleted by a network administrator. Verify whether the user identity, user agent, and/or
hostname should be making changes in your environment. Network ACL deletions from unfamiliar users or hosts should
be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-60m"
index = ["filebeat-*", "logs-aws*"]
interval = "10m"
language = "kuery"
license = "Elastic License"
name = "AWS EC2 Network Access Control List Deletion"
note = "The AWS Filebeat module must be enabled to use this rule."
references = [
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl.html",
"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html",
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl-entry.html",
"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html",
]
risk_score = 47
rule_id = "8623535c-1e17-44e1-aa97-7a0699c3037d"
severity = "medium"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Network Security"]
type = "query"
query = '''
event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"