# Rule bookkeeping. Dates are written as "YYYY/MM/DD" strings, not native TOML dates,
# so a consumer must parse them itself.
[metadata]
creation_date = "2020/06/16"
# ECS version the event.* field names in the query are written against.
ecs_version = ["1.6.0"]
# Lifecycle stage of the rule; "production" presumably means it ships as-is — confirm
# the allowed values against the rule set's schema.
maturity = "production"
updated_date = "2020/09/03"
# Detection rule: alert when the AWS Config configuration recorder is stopped, since
# that halts the resource-change history that later investigation would rely on.
[rule]
author = ["Elastic"]
description = "Identifies an AWS configuration change to stop recording a designated set of resources."
# Triage guidance. The query below does not constrain the caller identity, so every
# successful stop alerts, including legitimate administrative changes; exemptions for
# known-good identities/hosts are expected to be added as rule exceptions.
false_positives = [
"""
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
Recording changes from unfamiliar users or hosts should be investigated. If known behavior is causing false
positives, it can be exempted from the rule.
""",
]
# Each run looks back 60 minutes while runs happen every 10 minutes, so one event falls
# inside several consecutive windows; the overlap tolerates CloudTrail ingestion delay.
# NOTE(review): assumes the platform de-duplicates alerts for the same event across
# overlapping runs — confirm.
from = "now-60m"
# Index patterns searched; CloudTrail data is expected to arrive via the Filebeat AWS
# module (see `note`) or the logs-aws* data stream.
index = ["filebeat-*", "logs-aws*"]
interval = "10m"
# Query is written in KQL ("kuery").
language = "kuery"
license = "Elastic License"
name = "AWS Configuration Recorder Stopped"
note = "The AWS Filebeat module must be enabled to use this rule."
# AWS CLI and API documentation for the StopConfigurationRecorder call matched below.
references = [
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html",
"https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html",
]
# risk_score and severity are expected to agree (73 / "high"); change them together.
risk_score = 73
rule_id = "fbd44836-0d69-4004-a0b4-03c20370c435"
severity = "high"
tags = ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"]
type = "query"
# Matches CloudTrail records (event.dataset:aws.cloudtrail) emitted by the AWS Config
# service (event.provider:config.amazonaws.com) for the StopConfigurationRecorder API
# call. event.outcome:success restricts alerts to stops that actually took effect:
# denied/failed attempts do not match this rule and need separate coverage if wanted.
query = '''
event.action:StopConfigurationRecorder and event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.outcome:success
'''
# ATT&CK mapping: one [[rule.threat]] element per tactic, carrying the technique(s)
# under it and the tactic itself as sub-tables of that element.
[[rule.threat]]
framework = "MITRE ATT&CK"
# NOTE(review): T1089 was deprecated by ATT&CK after this rule's updated_date and folded
# into T1562.001 (Impair Defenses: Disable or Modify Tools); confirm which ATT&CK version
# the rule set targets before changing the id and name here.
[[rule.threat.technique]]
id = "T1089"
name = "Disabling Security Tools"
reference = "https://attack.mitre.org/techniques/T1089/"
# Tactic this technique is mapped under; a sub-table of the [[rule.threat]] element above.
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"