AWS Security Group Configuration Change Detection
Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/05/05"
3integration = ["aws"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/03/06"
8
9[rule]
10author = ["Elastic", "Austin Songer"]
11description = """
12Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying
13configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or
14pivot in an AWS environment.
15"""
16false_positives = [
17 """
18 A security group may be created by a system or network administrator. Verify whether the user identity, user agent,
19 and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts
20 should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
21 """,
22]
23from = "now-30m"
24index = ["filebeat-*", "logs-aws*"]
25interval = "10m"
26language = "kuery"
27license = "Elastic License v2"
28name = "AWS Security Group Configuration Change Detection"
29note = """## Setup
30
31The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
32references = ["https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html"]
33risk_score = 21
34rule_id = "29052c19-ff3e-42fd-8363-7be14d7c5469"
35severity = "low"
36tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Network Security"]
37timestamp_override = "event.ingested"
38type = "query"
39
40query = '''
41event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or
42CreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or
43RevokeSecurityGroupIngress) and event.outcome:success
44'''
45
46
47[[rule.threat]]
48framework = "MITRE ATT&CK"
49
50[rule.threat.tactic]
51id = "TA0003"
52name = "Persistence"
53reference = "https://attack.mitre.org/tactics/TA0003/"
54[[rule.threat]]
55framework = "MITRE ATT&CK"
56[[rule.threat.technique]]
57id = "T1562"
58name = "Impair Defenses"
59reference = "https://attack.mitre.org/techniques/T1562/"
60[[rule.threat.technique.subtechnique]]
61id = "T1562.007"
62name = "Disable or Modify Cloud Firewall"
63reference = "https://attack.mitre.org/techniques/T1562/007/"
64
65
66
67[rule.threat.tactic]
68id = "TA0005"
69name = "Defense Evasion"
70reference = "https://attack.mitre.org/tactics/TA0005/"
Setup
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.