AWS ElastiCache Security Group Modified or Deleted
Identifies when an ElastiCache security group has been modified or deleted.
Sigma rule (View on GitHub)
1title: AWS ElastiCache Security Group Modified or Deleted
2id: 7c797da2-9cf2-4523-ba64-33b06339f0cc
3status: test
4description: Identifies when an ElastiCache security group has been modified or deleted.
5references:
6 - https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml
7author: Austin Songer @austinsonger
8date: 2021/07/24
9modified: 2022/10/09
10tags:
11 - attack.impact
12 - attack.t1531
13logsource:
14 product: aws
15 service: cloudtrail
16detection:
17 selection:
18 eventSource: elasticache.amazonaws.com
19 eventName:
20 - 'DeleteCacheSecurityGroup'
21 - 'AuthorizeCacheSecurityGroupIngress'
22 - 'RevokeCacheSecurityGroupIngress'
23 - 'AuthorizeCacheSecurityGroupEgress'
24 - 'RevokeCacheSecurityGroupEgress'
25 condition: selection
26falsepositives:
27 - A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
28
29
30level: low
References
Related rules
- Google Cloud Service Account Disabled or Deleted
- Remove Account From Domain Admin Group
- Okta User Account Locked Out
- AWS EC2 Disable EBS Encryption
- AWS EFS Fileshare Modified or Deleted