AWS Configuration Recorder Stopped
Identifies an AWS configuration change to stop recording a designated set of resources.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/06/16"
3integration = ["aws"]
4maturity = "production"
5min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
6min_stack_version = "8.9.0"
7updated_date = "2024/04/14"
8
9[rule]
10author = ["Elastic"]
11description = "Identifies an AWS configuration change to stop recording a designated set of resources."
12false_positives = [
13 """
14 Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
15 Recording changes from unfamiliar users or hosts should be investigated. If known behavior is causing false
16 positives, it can be exempted from the rule.
17 """,
18]
19from = "now-60m"
20index = ["filebeat-*", "logs-aws.cloudtrail-*"]
21interval = "10m"
22language = "kuery"
23license = "Elastic License v2"
24name = "AWS Configuration Recorder Stopped"
25note = """## Setup
26
27The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
28references = [
29 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html",
30 "https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html",
31]
32risk_score = 73
33rule_id = "fbd44836-0d69-4004-a0b4-03c20370c435"
34severity = "high"
35tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion"]
36timestamp_override = "event.ingested"
37type = "query"
38
39query = '''
40event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success
41'''
42
43
44[[rule.threat]]
45framework = "MITRE ATT&CK"
46[[rule.threat.technique]]
47id = "T1562"
48name = "Impair Defenses"
49reference = "https://attack.mitre.org/techniques/T1562/"
50[[rule.threat.technique.subtechnique]]
51id = "T1562.001"
52name = "Disable or Modify Tools"
53reference = "https://attack.mitre.org/techniques/T1562/001/"
54
55
56
57[rule.threat.tactic]
58id = "TA0005"
59name = "Defense Evasion"
60reference = "https://attack.mitre.org/tactics/TA0005/"
Setup
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
-
Options --configuration-recorder-name (string) The name of the recorder object that records each configuration change made to the resources. --cli-input-json | --cli-input-yaml (string) Reads argum...
Read More -
Stops recording configurations of the AWS resources you have selected to record in your AWS account.
Read More
Related rules
- AWS CloudTrail Log Deleted
- AWS CloudTrail Log Suspended
- AWS CloudWatch Alarm Deletion
- AWS Config Resource Deletion
- AWS EC2 Network Access Control List Deletion