forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathimpact_cloudtrail_logging_updated.toml
67 lines (57 loc) · 2.03 KB
/
impact_cloudtrail_logging_updated.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
[metadata]
creation_date = "2020/06/10"
maturity = "production"
updated_date = "2020/12/09"
[rule]
author = ["Elastic"]
description = "Identifies an update to an AWS log trail setting that specifies the delivery of log files."
false_positives = [
"""
Trail updates may be made by a system or network administrator. Verify whether the user identity, user agent, and/or
hostname should be making changes in your environment. Trail updates from unfamiliar users or hosts should be
investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-60m"
index = ["filebeat-*", "logs-aws*"]
interval = "10m"
language = "kuery"
license = "Elastic License"
name = "AWS CloudTrail Log Updated"
note = "The AWS Filebeat module must be enabled to use this rule."
references = [
"https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html",
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html",
]
risk_score = 21
rule_id = "3e002465-876f-4f04-b016-84ef48ce7e5d"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing"]
type = "query"
query = '''
event.action:UpdateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1565"
name = "Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1565/"
[[rule.threat.technique.subtechnique]]
id = "T1565.001"
name = "Stored Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1565/001/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1530"
name = "Data from Cloud Storage Object"
reference = "https://attack.mitre.org/techniques/T1530/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"