AWS Route Table Modified or Deleted
Identifies when an AWS Route Table has been modified or deleted.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/06/05"
3integration = ["aws"]
4maturity = "production"
5min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
6min_stack_version = "8.9.0"
7updated_date = "2024/04/14"
8
9[rule]
10author = ["Elastic", "Austin Songer"]
11description = "Identifies when an AWS Route Table has been modified or deleted."
12false_positives = [
13 """
14 Route Table could be modified or deleted by a system administrator. Verify whether the user identity, user agent,
15 and/or hostname should be making changes in your environment. Route Table being modified from unfamiliar users
16 should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Also
17 automated processes that use Terraform may lead to false positives.
18 """,
19]
20from = "now-60m"
21index = ["filebeat-*", "logs-aws.cloudtrail-*"]
22interval = "10m"
23language = "kuery"
24license = "Elastic License v2"
25name = "AWS Route Table Modified or Deleted"
26note = """## Setup
27
28The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
29references = [
30 "https://github.com/easttimor/aws-incident-response#network-routing",
31 "https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/",
32 "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html",
33 "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation",
34 "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html",
35 "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html",
36 "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html",
37]
38risk_score = 21
39rule_id = "e7cd5982-17c8-4959-874c-633acde7d426"
40severity = "low"
41tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
42timestamp_override = "event.ingested"
43type = "query"
44
45query = '''
46event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or
47DeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:success
48'''
49
50
51[[rule.threat]]
52framework = "MITRE ATT&CK"
53
54[rule.threat.tactic]
55id = "TA0003"
56name = "Persistence"
57reference = "https://attack.mitre.org/tactics/TA0003/"
Setup
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- AWS Route Table Created
- AWS EC2 Network Access Control List Creation
- AWS Route 53 Domain Transfer Lock Disabled
- AWS Route 53 Domain Transferred to Another Account
- AWS Route53 private hosted zone associated with a VPC