AWS ElastiCache Security Group Created
Detects when an ElastiCache security group has been created.
Sigma rule

title: AWS ElastiCache Security Group Created
id: 4ae68615-866f-4304-b24b-ba048dfa5ca7
status: test
description: Detects when an ElastiCache security group has been created.
references:
    - https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml
author: Austin Songer @austinsonger
date: 2021-07-24
modified: 2022-10-09
tags:
    - attack.persistence
    - attack.t1136
    - attack.t1136.003
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: elasticache.amazonaws.com
        eventName: 'CreateCacheSecurityGroup'
    condition: selection
falsepositives:
    - An ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low
Related rules
- New Federated Domain Added
- New Federated Domain Added - Exchange
- New Github Organization Member Added
- Suspicious 'Admin' Local User Creation with Net Command
- A Member Was Added to a Security-Enabled Global Group