New Network Route Added
Detects the addition of a new network route to a route table in AWS.
Sigma rule
title: New Network Route Added
id: c803b2ce-c4a2-4836-beae-b112010390b1
status: test
description: |
    Detects the addition of a new network route to a route table in AWS.
references:
    - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
author: jamesc-grafana
date: 2024-07-11
tags:
    - attack.defense-evasion
    - attack.t1562.007
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'ec2.amazonaws.com'
        eventName: 'CreateRoute'
    condition: selection
falsepositives:
    - New VPC Creation requiring setup of a new route table
    - New subnets added requiring routing setup
level: medium
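
The rule's selection applied to a CloudTrail log file, as an added example that is not part of the Sigma project or the original page. The sample events are constructed, and the `requestParameters` field names and the `find_new_routes` helper are assumptions made for illustration; the output carries the fields an analyst needs to separate the listed false positives from unexpected changes.

```python
import json

# Constructed CloudTrail log file (not real events). requestParameters keys
# are assumed to use CloudTrail's camelCase EC2 naming.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-07-11T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateRoute",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
     "requestParameters": {"routeTableId": "rtb-0example1",
                           "destinationCidrBlock": "0.0.0.0/0",
                           "gatewayId": "igw-0example1"}},
    {"eventTime": "2024-07-11T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeRouteTables", "requestParameters": None},
    {"eventTime": "2024-07-11T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateRoute", "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-dev"},
     "requestParameters": {"routeTableId": "rtb-0example2",
                           "destinationCidrBlock": "10.1.0.0/16",
                           "natGatewayId": "nat-0example2"}},
]})

# The rule's selection: every field must match (logical AND).
SELECTION = {"eventSource": "ec2.amazonaws.com", "eventName": "CreateRoute"}

def matches(event):
    # Plain Sigma string values compare case-insensitively.
    return all(str(event.get(field, "")).lower() == value.lower()
               for field, value in SELECTION.items())

def find_new_routes(raw_log):
    alerts = []
    for event in json.loads(raw_log).get("Records", []):
        if not matches(event):
            continue
        params = event.get("requestParameters") or {}
        # Heuristic: the route target is the other "...Id" request parameter.
        target = next((f"{k}={v}" for k, v in params.items()
                       if k.endswith("Id") and k != "routeTableId"), None)
        alerts.append({
            "actor": (event.get("userIdentity") or {}).get("arn"),
            "route_table": params.get("routeTableId"),
            "destination": params.get("destinationCidrBlock"),
            "target": target,
            # The rule has no errorCode filter, so denied attempts match too.
            "succeeded": "errorCode" not in event,
        })
    return alerts

if __name__ == "__main__":
    print(*find_new_routes(SAMPLE_LOG), sep="\n")
```
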
References
Related rules
- New Network ACL Entry Added
- Azure Network Firewall Policy Modified or Deleted
- AWS CloudTrail Important Change
- AWS Config Disabling Channel/Recorder
- Disabling Multi Factor Authentication