forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdefense_evasion_cloudtrail_logging_deleted.toml
51 lines (44 loc) · 1.65 KB
/
defense_evasion_cloudtrail_logging_deleted.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
[metadata]
creation_date = "2020/05/26"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/09/03"
[rule]
author = ["Elastic"]
description = "Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses."
false_positives = [
"""
Trail deletions may be made by a system or network administrator. Verify whether the user identity, user agent,
and/or hostname should be making changes in your environment. Trail deletions from unfamiliar users or hosts should
be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-60m"
index = ["filebeat-*", "logs-aws*"]
interval = "10m"
language = "kuery"
license = "Elastic License"
name = "AWS CloudTrail Log Deleted"
note = "The AWS Filebeat module must be enabled to use this rule."
references = [
"https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html",
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html",
]
risk_score = 47
rule_id = "7024e2a0-315d-4334-bb1a-441c593e16ab"
severity = "medium"
tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
type = "query"
query = '''
event.action:DeleteTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1089"
name = "Disabling Security Tools"
reference = "https://attack.mitre.org/techniques/T1089/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"