Route53 Resolver Query Log Configuration Deleted

 1[metadata]
 2creation_date = "2024/04/12"
 3integration = ["aws"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies when a Route53 Resolver Query Log Configuration is deleted. When a Route53 Resolver query log configuration
11is deleted, Resolver stops logging DNS queries and responses for the specified configuration. Adversaries may delete
12query log configurations to evade detection or cover their tracks.
13"""
14false_positives = ["Legitimate deletion of Route53 Resolver Query Log Configuration by authorized personnel."]
15from = "now-60m"
16index = ["filebeat-*", "logs-aws.cloudtrail*"]
17interval = "10m"
18language = "kuery"
19license = "Elastic License v2"
20name = "Route53 Resolver Query Log Configuration Deleted"
21note = """
22## Triage and Analysis
23
24### Investigating Route53 Resolver Query Log Configuration Deleted
25
26This rule detects when a Route53 Resolver Query Log Configuration is deleted. Deleting these configurations stops the logging of DNS queries and responses, which can significantly impede network monitoring and compromise security visibility. Adversaries may delete these configurations to evade detection, remove evidence, or obscure their activities within a network.
27
28Adversaries target Route53 Resolver query log configurations because these logs can contain evidence of malicious domain queries or responses. By deleting these logs, an adversary can prevent the capture of information that could reveal unauthorized network activities, aiding in avoiding detection and thwarting incident response efforts.
29
30#### Possible Investigation Steps
31
32- **Review the Deletion Details**: Examine the CloudTrail logs to identify when and by whom the deletion was initiated.
33    - Check the `event.action` and `user_identity` elements to understand the scope and authorization of the deletion.
34- **Contextualize with User Actions**: Assess whether the deletion aligns with the user’s role and job responsibilities.
35    - Investigate if similar modifications have occurred recently that could suggest a pattern or broader campaign.
36- **Analyze Access Patterns and Permissions**: Verify whether the user had the appropriate permissions to delete log configurations.
37    - Investigate any recent permission changes that might indicate role abuse or credentials compromise.
38- **Correlate with Other Security Incidents**: Look for related security alerts or incidents that could be connected to the log deletion.
39    - This includes unusual network traffic, alerts from other AWS services, or findings from intrusion detection systems.
40- **Interview the Responsible Team**: If the deletion was initiated by an internal team member, confirm their intent and authorization to ensure it was a legitimate action.
41
42### False Positive Analysis
43
44- **Legitimate Administrative Actions**: Confirm that the deletion was part of scheduled IT operations or network management activities, possibly linked to maintenance or infrastructure updates. Validate this action against change management records or through interviews with relevant personnel.
45
46### Response and Remediation
47
48- **Restore Logs if Feasible**: If the deletion was unauthorized, consider restoring the configuration from backups to ensure continuous visibility into DNS queries.
49- **Review and Tighten Permissions**: Ensure that only authorized personnel have the capability to delete critical configurations.
50    - Adjust AWS IAM policies to reinforce security measures.
51- **Enhance Monitoring of Log Management**: Implement or enhance monitoring rules to detect and alert on unauthorized changes to logging configurations, focusing on critical deletions.
52- **Conduct Comprehensive Security Review**: If the deletion is verified as malicious, initiate a thorough security assessment to identify any further unauthorized changes or ongoing malicious activities.
53
54### Additional Information
55
56For detailed instructions on managing Route53 Resolver and securing its configurations, refer to the [Amazon Route53 Resolver documentation](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_DeleteResolverQueryLogConfig.html).
57
58"""
59references = [
60    "https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_DeleteResolverQueryLogConfig.html",
61]
62risk_score = 47
63rule_id = "453183fa-f903-11ee-8e88-f661ea17fbce"
64severity = "medium"
65tags = [
66    "Domain: Cloud",
67    "Data Source: AWS",
68    "Data Source: Amazon Web Services",
69    "Data Source: Amazon Route53",
70    "Use Case: Log Auditing",
71    "Resources: Investigation Guide",
72    "Tactic: Defense Evasion",
73]
74timestamp_override = "event.ingested"
75type = "query"
76
77query = '''
78event.dataset:aws.cloudtrail and event.provider: route53resolver.amazonaws.com
79    and event.action: DeleteResolverQueryLogConfig and event.outcome: success
80'''
81
82
83[[rule.threat]]
84framework = "MITRE ATT&CK"
85[[rule.threat.technique]]
86id = "T1562"
87name = "Impair Defenses"
88reference = "https://attack.mitre.org/techniques/T1562/"
89[[rule.threat.technique.subtechnique]]
90id = "T1562.008"
91name = "Disable or Modify Cloud Logs"
92reference = "https://attack.mitre.org/techniques/T1562/008/"
93
94
95
96[rule.threat.tactic]
97id = "TA0005"
98name = "Defense Evasion"
99reference = "https://attack.mitre.org/tactics/TA0005/"