AWS Security Group Configuration Change Detection
Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/05/05"
3integration = ["aws"]
4maturity = "production"
5min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
6min_stack_version = "8.9.0"
7updated_date = "2024/04/14"
8
9[rule]
10author = ["Elastic", "Austin Songer"]
11description = """
12Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying
13configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or
14pivot in an AWS environment.
15"""
16false_positives = [
17 """
18 A security group may be created by a system or network administrator. Verify whether the user identity, user agent,
19 and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts
20 should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
21 """,
22]
23from = "now-30m"
24index = ["filebeat-*", "logs-aws.cloudtrail-*"]
25interval = "10m"
26language = "kuery"
27license = "Elastic License v2"
28name = "AWS Security Group Configuration Change Detection"
29note = """## Setup
30
31The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
32references = ["https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html"]
33risk_score = 21
34rule_id = "29052c19-ff3e-42fd-8363-7be14d7c5469"
35severity = "low"
36tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
37timestamp_override = "event.ingested"
38type = "query"
39
40query = '''
41event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or
42CreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or
43RevokeSecurityGroupIngress) and event.outcome:success
44'''
45
46
47[[rule.threat]]
48framework = "MITRE ATT&CK"
49
50[rule.threat.tactic]
51id = "TA0003"
52name = "Persistence"
53reference = "https://attack.mitre.org/tactics/TA0003/"
54[[rule.threat]]
55framework = "MITRE ATT&CK"
56[[rule.threat.technique]]
57id = "T1562"
58name = "Impair Defenses"
59reference = "https://attack.mitre.org/techniques/T1562/"
60[[rule.threat.technique.subtechnique]]
61id = "T1562.007"
62name = "Disable or Modify Cloud Firewall"
63reference = "https://attack.mitre.org/techniques/T1562/007/"
64
65
66
67[rule.threat.tactic]
68id = "TA0005"
69name = "Defense Evasion"
70reference = "https://attack.mitre.org/tactics/TA0005/"
Setup
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
-
Use security groups and security group rules as a firewall to control traffic to and from your EC2 instances.
Read More
Related rules
- AWS EC2 Network Access Control List Creation
- AWS Route Table Created
- AWS Route Table Modified or Deleted
- AWS EC2 Encryption Disabled
- AWS EC2 Full Network Packet Capture Detected