AWS Security Group Configuration Change Detection
Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/05/05"
3integration = ["aws"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic", "Austin Songer"]
9description = """
10Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying
11configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or
12pivot in an AWS environment.
13"""
14false_positives = [
15 """
16 A security group may be created by a system or network administrator. Verify whether the user identity, user agent,
17 and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts
18 should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
19 """,
20]
21from = "now-30m"
22index = ["filebeat-*", "logs-aws.cloudtrail-*"]
23interval = "10m"
24language = "kuery"
25license = "Elastic License v2"
26name = "AWS Security Group Configuration Change Detection"
27note = """## Setup
28
29The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
30references = ["https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html"]
31risk_score = 21
32rule_id = "29052c19-ff3e-42fd-8363-7be14d7c5469"
33severity = "low"
34tags = [
35 "Domain: Cloud",
36 "Data Source: AWS",
37 "Data Source: Amazon Web Services",
38 "Data Source: AWS EC2",
39 "Use Case: Network Security Monitoring",
40 "Tactic: Persistence",
41]
42timestamp_override = "event.ingested"
43type = "query"
44
45query = '''
46event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or
47CreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or
48RevokeSecurityGroupIngress) and event.outcome:success
49'''
50
51
52[[rule.threat]]
53framework = "MITRE ATT&CK"
54
55[rule.threat.tactic]
56id = "TA0003"
57name = "Persistence"
58reference = "https://attack.mitre.org/tactics/TA0003/"
59[[rule.threat]]
60framework = "MITRE ATT&CK"
61[[rule.threat.technique]]
62id = "T1562"
63name = "Impair Defenses"
64reference = "https://attack.mitre.org/techniques/T1562/"
65[[rule.threat.technique.subtechnique]]
66id = "T1562.007"
67name = "Disable or Modify Cloud Firewall"
68reference = "https://attack.mitre.org/techniques/T1562/007/"
69
70
71
72[rule.threat.tactic]
73id = "TA0005"
74name = "Defense Evasion"
75reference = "https://attack.mitre.org/tactics/TA0005/"
Setup
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- AWS EC2 Network Access Control List Creation
- AWS Route Table Created
- AWS Route Table Modified or Deleted
- AWS EC2 Encryption Disabled
- AWS EC2 Full Network Packet Capture Detected