AWS Route53 private hosted zone associated with a VPC

Identifies when a Route53 private hosted zone has been associated with a VPC.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2021/07/19"
integration = ["aws"]
maturity = "production"
# Why the minimum stack was raised; pairs with min_stack_version below.
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"

 9[rule]
10author = ["Austin Songer"]
11description = "Identifies when a Route53 private hosted zone has been associated with VPC."
12false_positives = [
13    """
14    A private hosted zone may be asssociated with a VPC by a system or network administrator. Verify whether the user
15    identity, user agent, and/or hostname should be making changes in your environment. If known behavior is causing
16    false positives, it can be exempted from the rule.
17    """,
18]
19from = "now-60m"
20index = ["filebeat-*", "logs-aws.cloudtrail-*"]
21interval = "10m"
22language = "kuery"
23license = "Elastic License v2"
24name = "AWS Route53 private hosted zone associated with a VPC"
25note = """## Setup
26
27The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
28references = ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_AssociateVPCWithHostedZone.html"]
29risk_score = 21
30rule_id = "e3c27562-709a-42bd-82f2-3ed926cced19"
31severity = "low"
32tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services",  "Data Source: AWS Route53", "Use Case: Asset Visibility", "Tactic: Persistence"]
33timestamp_override = "event.ingested"
34type = "query"
35
36query = '''
37event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and
38event.outcome:success
39'''
40
41
[[rule.threat]]
framework = "MITRE ATT&CK"
# ATT&CK mapping: T1098 under TA0003, consistent with the "Tactic: Persistence"
# tag on the rule.
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required for compatibility with this rule.

References

Related rules
