AWS ElastiCache Security Group Created

Detects when an ElastiCache cache security group has been created (CloudTrail event CreateCacheSecurityGroup). Cache security groups are the EC2-Classic-era mechanism for controlling access to a cluster; clusters launched inside a VPC use EC2 VPC security groups instead, which are logged as CreateSecurityGroup under ec2.amazonaws.com and are not covered by this rule. In an account that only runs VPC-based clusters this API should be called rarely, so any hit deserves a look at who made it and from where.

Sigma rule

title: AWS ElastiCache Security Group Created
id: 4ae68615-866f-4304-b24b-ba048dfa5ca7
status: test
description: Detects when an ElastiCache security group has been created.
references:
    - https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml
author: Austin Songer @austinsonger
date: 2021/07/24
modified: 2022/10/09
tags:
    - attack.persistence
    - attack.t1136
    - attack.t1136.003
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: elasticache.amazonaws.com
        eventName: 'CreateCacheSecurityGroup'
    condition: selection
falsepositives:
    - An ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low
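The following is an added example, not part of the Sigma rule or the SigmaHQ project: it applies the rule's selection to a constructed CloudTrail delivery file and then runs the triage the falsepositives entry describes (check the principal, source IP and user agent, exempt known automation). The account ID, ARNs, IPs, event IDs and the exemption list are all made up for illustration.

```python
"""Run the rule's CloudTrail selection over constructed sample events.

Added example, not the rule's own code. The CloudTrail records below are
constructed (account id, ARNs, IPs and event IDs are invented), and
EXEMPT_PRINCIPAL_ARNS is a hypothetical stand-in for the "known behavior"
the rule says may be exempted.
"""
import json

# Sigma selection from the rule: every key must match. Sigma compares strings
# case-insensitively by default, so both sides are lower-cased below.
SELECTION = {
    "eventSource": "elasticache.amazonaws.com",
    "eventName": "CreateCacheSecurityGroup",
}

# Hypothetical exemption list: principals (by ARN) that are expected to create
# cache security groups, e.g. an infrastructure-as-code pipeline role.
EXEMPT_PRINCIPAL_ARNS = frozenset({
    "arn:aws:sts::111122223333:assumed-role/DeployPipelineRole/terraform",
})

# Constructed CloudTrail delivery file: same top-level shape as an S3-delivered
# object ({"Records": [...]}), trimmed to the fields the rule and its triage use.
SAMPLE_CLOUDTRAIL_JSON = json.dumps({"Records": [
    {   # interactive CLI call from an IAM user: should alert
        "eventID": "evt-0001", "eventTime": "2024-05-01T10:15:00Z",
        "eventSource": "elasticache.amazonaws.com",
        "eventName": "CreateCacheSecurityGroup", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.45",
        "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5.0",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"cacheSecurityGroupName": "legacy-cache-sg",
                              "description": "test"},
    },
    {   # same API from the exempted pipeline role: matches, but is exempt
        "eventID": "evt-0002", "eventTime": "2024-05-01T10:20:00Z",
        "eventSource": "elasticache.amazonaws.com",
        "eventName": "CreateCacheSecurityGroup", "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.7",
        "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.7.0",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/DeployPipelineRole/terraform"},
        "requestParameters": {"cacheSecurityGroupName": "app-cache-sg",
                              "description": "managed"},
    },
    {   # read-only call against the same service: not in the selection
        "eventID": "evt-0003", "eventSource": "elasticache.amazonaws.com",
        "eventName": "DescribeCacheSecurityGroups", "sourceIPAddress": "203.0.113.45",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
    },
    {   # VPC security group creation is logged under EC2, which this rule does not cover
        "eventID": "evt-0004", "eventSource": "ec2.amazonaws.com",
        "eventName": "CreateSecurityGroup", "sourceIPAddress": "203.0.113.45",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
    },
]})


def matches_selection(record, selection=SELECTION):
    """True when every selection field is present and equal, case-insensitively."""
    for field, expected in selection.items():
        value = record.get(field)
        if not isinstance(value, str) or value.lower() != expected.lower():
            return False
    return True


def triage(record, exempt_arns=EXEMPT_PRINCIPAL_ARNS):
    """Apply the rule's false-positive guidance to one matching record."""
    identity = record.get("userIdentity", {})
    arn = identity.get("arn", "")
    return {
        "eventID": record.get("eventID"),
        "verdict": "exempt" if arn in exempt_arns else "alert",
        "principal": arn or identity.get("type", "unknown"),
        "sourceIPAddress": record.get("sourceIPAddress"),
        "userAgent": record.get("userAgent"),
        "cacheSecurityGroupName": record.get("requestParameters", {}).get("cacheSecurityGroupName"),
    }


def run_rule(cloudtrail_json, selection=SELECTION, exempt_arns=EXEMPT_PRINCIPAL_ARNS):
    """Parse a CloudTrail delivery file and return triage results for matching records."""
    records = json.loads(cloudtrail_json).get("Records", [])
    return [triage(r, exempt_arns) for r in records if matches_selection(r, selection)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_CLOUDTRAIL_JSON):
        print(json.dumps(hit))
```

Only the two CreateCacheSecurityGroup records match; the Describe call and the EC2 CreateSecurityGroup event are ignored, which is why a VPC-only account needs a separate EC2 rule for security group changes. Exempting by principal ARN rather than by user agent is deliberate: a user agent string is attacker-controlled, while the ARN comes from the credential that actually signed the request.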
