AWS Route53 private hosted zone associated with a VPC
Identifies when a Route53 private hosted zone has been associated with a VPC.
Elastic rule (View on GitHub)
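# Detection rule: alerts on successful AssociateVPCWithHostedZone calls recorded
# by CloudTrail, i.e. a Route53 private hosted zone being associated with a VPC.
# The line-number prefixes left by the page rendering are removed here so that
# the listing parses as TOML again.
[metadata]
creation_date = "2021/07/19"
integration = ["aws"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Austin Songer"]
description = "Identifies when a Route53 private hosted zone has been associated with VPC."
false_positives = [
    """
    A private hosted zone may be asssociated with a VPC by a system or network administrator. Verify whether the user
    identity, user agent, and/or hostname should be making changes in your environment. If known behavior is causing
    false positives, it can be exempted from the rule.
    """,
]
# The rule runs every 10 minutes and each run looks back 60 minutes, so
# consecutive runs overlap by 50 minutes; presumably this tolerates
# late-arriving CloudTrail events.
from = "now-60m"
# Two index patterns, matching the Filebeat module and the Fleet integration
# named in the setup note below.
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS Route53 private hosted zone associated with a VPC"
note = """## Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_AssociateVPCWithHostedZone.html"]
risk_score = 21
rule_id = "e3c27562-709a-42bd-82f2-3ed926cced19"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS Route53",
    "Use Case: Asset Visibility",
    "Tactic: Persistence",
]
# Evaluate the time window against ingest time instead of @timestamp, so an
# event that is delivered late is still considered by the next run.
timestamp_override = "event.ingested"
type = "query"

# Only calls that succeeded match (event.outcome:success); denied or failed
# association attempts raise no alert. The query does not filter on the caller,
# the hosted zone or the VPC, so routine administrative changes will alert too.
# For triage, check the calling identity and whether the hosted zone and the
# VPC belong to the same account, since the API also supports cross-account
# associations (verify the request-parameter field names against your data).
query = '''
event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and
event.outcome:success
'''

# NOTE(review): T1098 (Account Manipulation) is the rule author's mapping. The
# event changes which private DNS zone a VPC resolves against rather than an
# account's credentials or permissions; confirm the mapping suits your reporting.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"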
Setup
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- AWS Route 53 Domain Transfer Lock Disabled
- AWS Route 53 Domain Transferred to Another Account
- AWS RDS Cluster Creation
- AWS RDS Instance Creation
- AWS Redshift Cluster Creation