Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[New Rule] AWS S3 Bucket Expiration Lifecycle Configuration Added #3700

Merged
merged 9 commits into from
May 21, 2024
Merged

[New Rule] AWS S3 Bucket Expiration Lifecycle Configuration Added #3700

merged 9 commits into from
May 21, 2024

Conversation

Mikaayenson
Copy link
Contributor

@Mikaayenson Mikaayenson commented May 21, 2024
edited
Loading

Issues

Summary

Identifies an expiration lifecycle configuration added to an S3 bucket. Lifecycle configurations can be used to manage
objects in a bucket, including setting expiration policies. This rule detects when a lifecycle configuration is added to
an S3 bucket, which could indicate that objects in the bucket will be automatically deleted after a specified period of
time. This could be used to evade detection by deleting objects that contain evidence of malicious activity.

Screenshot 2024-05-09 at 6 22 41 PM
Example Data 
{
  "_index": ".ds-logs-aws.cloudtrail-default-2024.04.09-000001",
  "_id": "f1aed5137a-000000035243",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "name": "ip-172-31-95-103",
      "id": "agent-id",
      "type": "filebeat",
      "ephemeral_id": "ephemeral-id",
      "version": "8.13.2"
    },
    "log": {
      "file": {
        "path": "https://bucket-name.s3.region.amazonaws.com/AWSLogs/bucket-name/CloudTrail/region/2024/04/12/log-file-name.json.gz"
      },
      "offset": 35243
    },
    "elastic_agent": {
      "id": "agent-id",
      "version": "8.13.2",
      "snapshot": false
    },
    "source": {
      "geo": {
        "continent_name": "North America",
        "region_iso_code": "US-OH",
        "city_name": "City",
        "country_iso_code": "US",
        "country_name": "United States",
        "region_name": "State",
        "location": {
          "lon": -xx.xxxx,
          "lat": xx.xxxx
        }
      },
      "as": {
        "number": 12097,
        "organization": {
          "name": "Organization Name"
        }
      },
      "address": "IP Address",
      "ip": "IP Address"
    },
    "cloud": {
      "region": "us-east-1"
    },
    "input": {
      "type": "aws-s3"
    },
    "@timestamp": "2024-04-12T17:06:42.000Z",
    "ecs": {
      "version": "8.0.0"
    },
    "related": {
      "user": ["username"]
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "aws.cloudtrail"
    },
    "tls": {
      "cipher": "TLS_AES_128_GCM_SHA256",
      "client": {
        "server_name": "bucket-name.s3.region.amazonaws.com"
      },
      "version": "1.3",
      "version_protocol": "tls"
    },
    "aws": {
      "s3": {
        "bucket": {
          "name": "bucket-name",
          "arn": "arn:aws:s3:::bucket-name"
        },
        "object": {
          "key": "AWSLogs/bucket-name/CloudTrail/region/2024/04/12/log-file-name.json.gz"
        }
      },
      "cloudtrail": {
        "event_version": "1.09",
        "request_parameters": {
          "bucketName": "bucket-name",
          "LifecycleConfiguration": {
            "Rule": {
              "Status": "Enabled",
              "Filter": {
                "Prefix": "*"
              },
              "Expiration": {
                "Days": 1
              },
              "ID": "config-id"
            },
            "Host": "bucket-name.s3.region.amazonaws.com"
          }
        },
        "event_type": "AwsApiCall",
        "user_identity": {
          "type": "IAMUser",
          "arn": "arn:aws:iam::account-id:user/username"
        },
        "event_category": "Management",
        "request_id": "request-id"
      }
    },
    "event": {
      "agent_id_status": "verified",
      "provider": "s3.amazonaws.com",
      "action": "PutBucketLifecycle",
      "id": "event-id",
      "type": ["info"],
      "dataset": "aws.cloudtrail",
      "outcome": "success"
    },
    "user": {
      "name": "username",
      "id": "user-id"
    },
    "user_agent": {
      "original": "user-agent-string",
      "name": "Other",
      "device": {
        "name": "Other"
      }
    }
  }
}

@Mikaayenson Mikaayenson added Integration: AWS AWS related rules Domain: Cloud Rule: New Proposal for new rule Area: RAD labels May 21, 2024
@Mikaayenson Mikaayenson requested review from Samirbous and Aegrah May 21, 2024 21:19
@Mikaayenson Mikaayenson merged commit 58ba071 into main May 21, 2024
24 checks passed
@Mikaayenson Mikaayenson deleted the new-rule-s3-bucket-expiration-lifecycle-added branch May 21, 2024 21:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@w0rk3r w0rk3r w0rk3r approved these changes

@Samirbous Samirbous Samirbous approved these changes

@Aegrah Aegrah Awaiting requested review from Aegrah

Assignees

@terrancedejesus terrancedejesus

Labels
backport: skip Domain: Cloud Integration: AWS AWS related rules Rule: New Proposal for new rule
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Mikaayenson @w0rk3r @Samirbous @terrancedejesus