AWS CloudTrail Log Created
Identifies the creation of an AWS log trail that specifies the settings for delivery of log data.
Elastic rule
```toml
[metadata]
creation_date = "2020/06/10"
integration = ["aws"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = "Identifies the creation of an AWS log trail that specifies the settings for delivery of log data."
false_positives = [
    """
    Trail creations may be made by a system or network administrator. Verify whether the user identity, user agent,
    and/or hostname should be making changes in your environment. Trail creations by unfamiliar users or hosts should be
    investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-60m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS CloudTrail Log Created"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating AWS CloudTrail Log Created

AWS CloudTrail is a service that enables governance, compliance, and operational and risk auditing of your AWS account. It logs API calls and related events, providing visibility into user activity. Adversaries may create new trails to capture sensitive data or cover their tracks. The detection rule identifies successful trail creation, signaling potential unauthorized activity, aiding in early threat detection.

### Possible investigation steps

- Review the AWS CloudTrail logs to identify the user or role associated with the CreateTrail event by examining the user identity information in the event logs.
- Check the time and date of the CreateTrail event to determine if it aligns with any known maintenance or administrative activities.
- Investigate the configuration of the newly created trail to understand what specific log data it is set to capture and where it is being delivered.
- Assess whether the trail creation was authorized by cross-referencing with change management records or by contacting relevant personnel.
- Analyze other recent AWS CloudTrail events associated with the same user or role to identify any suspicious or unusual activities that may indicate malicious intent.
- Evaluate the permissions and access policies of the user or role involved in the event to ensure they align with the principle of least privilege.

### False positive analysis

- Routine administrative actions by authorized personnel can trigger this rule. Regularly review and document legitimate trail creation activities to differentiate them from unauthorized actions.
- Automated processes or scripts that create trails for compliance or monitoring purposes may cause false positives. Identify and whitelist these processes to prevent unnecessary alerts.
- Third-party security tools or services that integrate with AWS and create trails for enhanced logging might be mistaken for suspicious activity. Verify these integrations and exclude them from the rule if they are part of your security strategy.
- Changes in organizational policy or structure that require new trail creation can lead to false positives. Ensure that such changes are communicated to the security team to adjust the rule settings accordingly.

### Response and remediation

- Immediately review the newly created CloudTrail log to verify its legitimacy. Check the user or service account that initiated the trail creation and confirm if it aligns with expected administrative activities.
- If the trail creation is unauthorized, disable or delete the trail to prevent further data capture by potential adversaries.
- Conduct a thorough audit of recent API calls and user activities associated with the account that created the trail to identify any other suspicious actions or configurations.
- Escalate the incident to the security operations team for further investigation and to determine if additional AWS resources have been compromised.
- Implement additional monitoring and alerting for any future unauthorized CloudTrail modifications or creations to enhance early detection capabilities.
- Review and tighten IAM policies and permissions to ensure that only authorized personnel have the ability to create or modify CloudTrail configurations.
- Consider enabling AWS CloudTrail log file integrity validation to ensure that log files have not been altered or deleted, providing an additional layer of security.

## Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html",
    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html",
]
risk_score = 21
rule_id = "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Use Case: Log Auditing",
    "Tactic: Collection",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1530"
name = "Data from Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1530/"


[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
```
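The following is an added example, not part of the Elastic rule or its integration: it replays the rule's KQL predicate over constructed CloudTrail records in raw log-file shape and extracts the fields the investigation steps ask for (actor, source IP, user agent, trail name, delivery bucket). It assumes the aws.cloudtrail integration's mapping of `eventSource` to `event.provider`, `eventName` to `event.action`, and a present `errorCode` to `event.outcome:failure`; all ARNs, IPs and bucket names are made up.

```python
# Constructed CloudTrail records in raw log-file shape; no real account data.
SAMPLE_RECORDS = [
    {"eventTime": "2025-01-15T10:02:11Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "CreateTrail", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"name": "new-trail", "s3BucketName": "example-external-bucket",
                           "isMultiRegionTrail": True}},
    # Denied attempt: errorCode is present, which the integration maps to event.outcome:failure
    {"eventTime": "2025-01-15T10:05:42Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "CreateTrail", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "userAgent": "aws-cli/2.15.0", "errorCode": "AccessDenied",
     "requestParameters": {"name": "bob-trail", "s3BucketName": "bob-bucket"}},
    # Different API action: out of scope for this rule
    {"eventTime": "2025-01-15T10:07:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "userAgent": "console.amazonaws.com", "requestParameters": {"name": "prod-trail"}},
]

def to_ecs(record):
    """Map the raw fields the rule needs onto ECS names (assumed subset of the aws.cloudtrail mapping)."""
    return {"event.dataset": "aws.cloudtrail",
            "event.provider": record["eventSource"],
            "event.action": record["eventName"],
            "event.outcome": "failure" if record.get("errorCode") else "success"}

def rule_matches(ecs):
    """Same predicate as the rule's KQL query."""
    return (ecs["event.dataset"] == "aws.cloudtrail"
            and ecs["event.provider"] == "cloudtrail.amazonaws.com"
            and ecs["event.action"] == "CreateTrail"
            and ecs["event.outcome"] == "success")

def triage_summary(record):
    """Fields the investigation steps ask for: who, from where, when, and where the trail delivers."""
    params = record.get("requestParameters", {})
    return {"actor": record["userIdentity"].get("arn"), "source_ip": record.get("sourceIPAddress"),
            "user_agent": record.get("userAgent"), "time": record["eventTime"],
            "trail": params.get("name"), "s3_bucket": params.get("s3BucketName"),
            "multi_region": bool(params.get("isMultiRegionTrail", False))}

def run_rule(records):
    """Apply the rule and return one triage summary per alert."""
    return [triage_summary(r) for r in records if rule_matches(to_ecs(r))]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_RECORDS):
        print(hit)
```

Only the first record alerts: the denied CreateTrail is filtered by `event.outcome:success`, and the DeleteTrail is a different `event.action`, so a separate rule would be needed to catch trail removal.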