credential_access_iam_user_addition_to_group.toml

[metadata]
creation_date = "2020/06/04"
maturity = "production"
updated_date = "2021/07/20"
integration = "aws"

[rule]
author = ["Elastic"]
description = "Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM)."
false_positives = [
    """
    Adding users to a specified group may be done by a system or network administrator. Verify whether the user
    identity, user agent, and/or hostname should be making changes in your environment. User additions from unfamiliar
    users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the
    rule.
    """,
]
from = "now-60m"
index = ["filebeat-*", "logs-aws*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS IAM User Addition to Group"
note = """## Config

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html"]
risk_score = 21
rule_id = "333de828-8190-4cf5-8d7c-7575846f6fe0"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"