AWS ElastiCache Security Group Modified or Deleted

 1[metadata]
 2creation_date = "2021/07/19"
 3integration = ["aws"]
 4maturity = "production"
 5updated_date = "2025/01/15"
 6
 7[rule]
 8author = ["Austin Songer"]
 9description = "Identifies when an ElastiCache security group has been modified or deleted."
10false_positives = [
11    """
12    A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user
13    identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions by
14    unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted
15    from the rule.
16    """,
17]
18from = "now-60m"
19index = ["filebeat-*", "logs-aws.cloudtrail-*"]
20interval = "10m"
21language = "kuery"
22license = "Elastic License v2"
23name = "AWS ElastiCache Security Group Modified or Deleted"
24note = """## Triage and analysis
25
26> **Disclaimer**:
27> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
28
29### Investigating AWS ElastiCache Security Group Modified or Deleted
30
31AWS ElastiCache security groups control inbound and outbound traffic to cache clusters, ensuring only authorized access. Adversaries may modify or delete these groups to bypass security controls, facilitating unauthorized data access or exfiltration. The detection rule monitors specific API actions related to security group changes, flagging successful modifications or deletions as potential defense evasion attempts.
32
33### Possible investigation steps
34
35- Review the CloudTrail logs for the specific event.provider: elasticache.amazonaws.com to identify the user or role that initiated the security group modification or deletion.
36- Examine the event.action field to determine the exact action taken, such as "Delete Cache Security Group" or "Authorize Cache Security Group Ingress", and assess the potential impact on security posture.
37- Check the event.outcome field to confirm the success of the action and correlate it with any other suspicious activities in the same timeframe.
38- Investigate the source IP address and location associated with the event to determine if it aligns with expected administrative activity.
39- Review the AWS IAM policies and permissions associated with the user or role to ensure they are appropriate and have not been overly permissive.
40- Assess the affected ElastiCache clusters to determine if any unauthorized access or data exfiltration attempts have occurred following the security group change.
41
42### False positive analysis
43
44- Routine maintenance activities by authorized personnel can trigger alerts when they modify security groups for legitimate reasons. To manage this, create exceptions for known maintenance windows or specific user actions.
45- Automated scripts or tools used for infrastructure management might modify security groups as part of their normal operation. Identify these scripts and exclude their actions from triggering alerts by using specific user or role identifiers.
46- Changes made by cloud management platforms or third-party services that integrate with AWS may also result in false positives. Review and whitelist these services if they are verified as non-threatening.
47- Regular updates or deployments that require temporary security group modifications can be mistaken for suspicious activity. Document these processes and adjust the detection rule to account for these expected changes.
48- Ensure that any changes made by trusted IP addresses or within a specific network range are reviewed and potentially excluded from alerting, as they may represent internal, authorized activities.
49
50### Response and remediation
51
52- Immediately isolate the affected ElastiCache instance by applying restrictive security group rules to prevent further unauthorized access.
53- Review CloudTrail logs to identify any unauthorized API calls related to the security group modifications and determine the source of the changes.
54- Revert any unauthorized changes to the ElastiCache security groups by restoring them to their previous state using backups or documented configurations.
55- Conduct a thorough investigation to identify any data exfiltration or unauthorized access that may have occurred due to the security group changes.
56- Escalate the incident to the security operations team for further analysis and to determine if additional security measures are required.
57- Implement additional monitoring and alerting for changes to ElastiCache security groups to ensure rapid detection of similar threats in the future.
58- Review and update IAM policies to ensure that only authorized personnel have permissions to modify ElastiCache security groups, reducing the risk of future unauthorized changes.
59
60## Setup
61
62The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
63references = ["https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/Welcome.html"]
64risk_score = 21
65rule_id = "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516"
66severity = "low"
67tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
68timestamp_override = "event.ingested"
69type = "query"
70
71query = '''
72event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:("Delete Cache Security Group" or
73"Authorize Cache Security Group Ingress" or  "Revoke Cache Security Group Ingress" or "AuthorizeCacheSecurityGroupEgress" or
74"RevokeCacheSecurityGroupEgress") and event.outcome:success
75'''
76
77
78[[rule.threat]]
79framework = "MITRE ATT&CK"
80[[rule.threat.technique]]
81id = "T1562"
82name = "Impair Defenses"
83reference = "https://attack.mitre.org/techniques/T1562/"
84[[rule.threat.technique.subtechnique]]
85id = "T1562.007"
86name = "Disable or Modify Cloud Firewall"
87reference = "https://attack.mitre.org/techniques/T1562/007/"
88
89
90
91[rule.threat.tactic]
92id = "TA0005"
93name = "Defense Evasion"
94reference = "https://attack.mitre.org/tactics/TA0005/"