forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathpersistence_route_table_modified_or_deleted.toml
54 lines (49 loc) · 2.21 KB
/
persistence_route_table_modified_or_deleted.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
[metadata]
creation_date = "2021/06/05"
maturity = "production"
updated_date = "2021/10/05"
integration = "aws"
[rule]
author = ["Elastic", "Austin Songer"]
description = "Identifies when an AWS Route Table has been modified or deleted."
false_positives = [
"""
Route Table could be modified or deleted by a system administrator. Verify whether the user identity,
user agent, and/or hostname should be making changes in your environment. Route Table being modified
from unfamiliar users should be investigated. If known behavior is causing false positives, it can be
exempted from the rule. Also automated processes that use Terraform may lead to false positives.
""",
]
from = "now-60m"
index = ["filebeat-*", "logs-aws*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS Route Table Modified or Deleted"
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://github.com/easttimor/aws-incident-response#network-routing",
"https://docs.datadoghq.com/security_platform/default_rules/cloudtrail-aws-route-table-modified",
"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html",
"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation",
"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html",
"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html",
"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html",
]
risk_score = 21
rule_id = "e7cd5982-17c8-4959-874c-633acde7d426"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Network Security"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or
DeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:success
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
reference = "https://attack.mitre.org/tactics/TA0003/"
name = "Persistence"
id = "TA0003"