AWS ElastiCache Security Group Modified or Deleted
Identifies when an ElastiCache security group has been modified or deleted.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/07/19"
3integration = ["aws"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Austin Songer"]
9description = "Identifies when an ElastiCache security group has been modified or deleted."
10false_positives = [
11 """
12 A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user
13 identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions by
14 unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted
15 from the rule.
16 """,
17]
18from = "now-60m"
19index = ["filebeat-*", "logs-aws.cloudtrail-*"]
20interval = "10m"
21language = "kuery"
22license = "Elastic License v2"
23name = "AWS ElastiCache Security Group Modified or Deleted"
24note = """## Setup
25
26The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
27references = ["https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/Welcome.html"]
28risk_score = 21
29rule_id = "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516"
30severity = "low"
31tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion"]
32timestamp_override = "event.ingested"
33type = "query"
34
35query = '''
36event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:("Delete Cache Security Group" or
37"Authorize Cache Security Group Ingress" or "Revoke Cache Security Group Ingress" or "AuthorizeCacheSecurityGroupEgress" or
38"RevokeCacheSecurityGroupEgress") and event.outcome:success
39'''
40
41
42[[rule.threat]]
43framework = "MITRE ATT&CK"
44[[rule.threat.technique]]
45id = "T1562"
46name = "Impair Defenses"
47reference = "https://attack.mitre.org/techniques/T1562/"
48[[rule.threat.technique.subtechnique]]
49id = "T1562.007"
50name = "Disable or Modify Cloud Firewall"
51reference = "https://attack.mitre.org/techniques/T1562/007/"
52
53
54
55[rule.threat.tactic]
56id = "TA0005"
57name = "Defense Evasion"
58reference = "https://attack.mitre.org/tactics/TA0005/"
Setup
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
-
Amazon ElastiCache is a web service that makes it easier to set up, operate, and scale a distributed cache in the cloud.
Read More
Related rules
- AWS CloudTrail Log Suspended
- AWS CloudWatch Alarm Deletion
- AWS Config Resource Deletion
- AWS Configuration Recorder Stopped
- AWS EC2 Network Access Control List Deletion