AWS ElastiCache Security Group Modified or Deleted
Identifies when an ElastiCache security group has been modified or deleted.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/07/19"
3integration = ["aws"]
4maturity = "production"
5min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
6min_stack_version = "8.9.0"
7updated_date = "2024/04/14"
8
9[rule]
10author = ["Austin Songer"]
11description = "Identifies when an ElastiCache security group has been modified or deleted."
12false_positives = [
13 """
14 A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user
15 identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions by
16 unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted
17 from the rule.
18 """,
19]
20from = "now-60m"
21index = ["filebeat-*", "logs-aws.cloudtrail-*"]
22interval = "10m"
23language = "kuery"
24license = "Elastic License v2"
25name = "AWS ElastiCache Security Group Modified or Deleted"
26note = """## Setup
27
28The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
29references = ["https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/Welcome.html"]
30risk_score = 21
31rule_id = "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516"
32severity = "low"
33tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion"]
34timestamp_override = "event.ingested"
35type = "query"
36
37query = '''
38event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:("Delete Cache Security Group" or
39"Authorize Cache Security Group Ingress" or "Revoke Cache Security Group Ingress" or "AuthorizeCacheSecurityGroupEgress" or
40"RevokeCacheSecurityGroupEgress") and event.outcome:success
41'''
42
43
44[[rule.threat]]
45framework = "MITRE ATT&CK"
46[[rule.threat.technique]]
47id = "T1562"
48name = "Impair Defenses"
49reference = "https://attack.mitre.org/techniques/T1562/"
50[[rule.threat.technique.subtechnique]]
51id = "T1562.007"
52name = "Disable or Modify Cloud Firewall"
53reference = "https://attack.mitre.org/techniques/T1562/007/"
54
55
56
57[rule.threat.tactic]
58id = "TA0005"
59name = "Defense Evasion"
60reference = "https://attack.mitre.org/tactics/TA0005/"
Setup
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- AWS CloudTrail Log Deleted
- AWS CloudTrail Log Suspended
- AWS CloudWatch Alarm Deletion
- AWS Config Resource Deletion
- AWS Configuration Recorder Stopped