AWS Route Table Modified or Deleted

calendarMar 6, 2023  ยท
Share on: linkedincopy

Identifies when an AWS Route Table has been modified or deleted.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/06/05"
 3integration = ["aws"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/03/06"
 8
 9[rule]
10author = ["Elastic", "Austin Songer"]
11description = "Identifies when an AWS Route Table has been modified or deleted."
12false_positives = [
13    """
14    Route Table could be modified or deleted by a system administrator. Verify whether the user identity, user agent,
15    and/or hostname should be making changes in your environment. Route Table being modified from unfamiliar users
16    should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Also
17    automated processes that use Terraform may lead to false positives.
18    """,
19]
20from = "now-60m"
21index = ["filebeat-*", "logs-aws*"]
22interval = "10m"
23language = "kuery"
24license = "Elastic License v2"
25name = "AWS Route Table Modified or Deleted"
26note = """## Setup
27
28The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
29references = [
30    "https://github.com/easttimor/aws-incident-response#network-routing",
31    "https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/",
32    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html",
33    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation",
34    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html",
35    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html",
36    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html",
37]
38risk_score = 21
39rule_id = "e7cd5982-17c8-4959-874c-633acde7d426"
40severity = "low"
41tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Network Security", "Persistence"]
42timestamp_override = "event.ingested"
43type = "query"
44
45query = '''
46event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or
47DeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:success
48'''
49
50
51[[rule.threat]]
52framework = "MITRE ATT&CK"
53
54[rule.threat.tactic]
55id = "TA0003"
56name = "Persistence"
57reference = "https://attack.mitre.org/tactics/TA0003/"

Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

to-top