elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[New Rule] AWS ElastiCache Security Group Modified or Deleted #1352

Closed austinsonger closed 3 years ago

austinsonger commented 3 years ago

Description

Identifies when an ElastiCache security group has been modified.

Required Info

Target indexes

filebeat-*, logs-aws*

Platforms

AWS CloudTrail

Optional Info

Query

event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and
event.action:(DeleteCacheSecurityGroup or AuthorizeCacheSecurityGroupIngress or
RevokeCacheSecurityGroupIngress or AuthorizeCacheSecurityGroupEgress or RevokeCacheSecurityGroupEgress) and
event.outcome:success

New fields required in ECS/data sources for this rule?

Related issues or PRs

False Positives

MITRE

ATT&CK Tactic: Credential Access, Persistence

ATT&CK Technique: Account Manipulation

References
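The proposed query as a plain-Python predicate, run over constructed CloudTrail records (added example, not code from the issue or the detection-rules repo; the eventName/eventSource/errorCode to ECS mapping is assumed to follow the Filebeat aws.cloudtrail module, and the sample records are made up):

```python
from typing import Dict, List

# CloudTrail eventName values in the proposed query (the two Egress names are
# carried over from the query as written).
ELASTICACHE_SG_ACTIONS = {
    "DeleteCacheSecurityGroup", "AuthorizeCacheSecurityGroupIngress",
    "RevokeCacheSecurityGroupIngress", "AuthorizeCacheSecurityGroupEgress",
    "RevokeCacheSecurityGroupEgress",
}

def to_ecs(record: Dict) -> Dict[str, str]:
    """Map the raw CloudTrail fields the query uses onto ECS names, following
    the Filebeat aws.cloudtrail convention (assumed here): eventName ->
    event.action, eventSource -> event.provider, outcome 'failure' on errorCode."""
    return {
        "event.dataset": "aws.cloudtrail",
        "event.provider": record["eventSource"],
        "event.action": record["eventName"],
        "event.outcome": "failure" if record.get("errorCode") else "success",
        "user.name": record.get("userIdentity", {}).get("userName", ""),
    }

def matches_rule(ecs: Dict[str, str]) -> bool:
    """Same predicate as the proposed KQL: dataset, provider, action set, success."""
    return (ecs["event.dataset"] == "aws.cloudtrail"
            and ecs["event.provider"] == "elasticache.amazonaws.com"
            and ecs["event.action"] in ELASTICACHE_SG_ACTIONS
            and ecs["event.outcome"] == "success")

def alerts(records: List[Dict]) -> List[str]:
    """Return 'user:action' for every record that would fire the rule."""
    return [f"{e['user.name']}:{e['event.action']}"
            for e in map(to_ecs, records) if matches_rule(e)]

# Constructed sample records, not real CloudTrail data.
SAMPLE_RECORDS = [
    {"eventSource": "elasticache.amazonaws.com", "eventName": "AuthorizeCacheSecurityGroupIngress",
     "userIdentity": {"userName": "alice"}},
    {"eventSource": "elasticache.amazonaws.com", "eventName": "DeleteCacheSecurityGroup",
     "errorCode": "AccessDenied", "userIdentity": {"userName": "bob"}},   # denied: outcome=failure
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"userName": "carol"}},                              # EC2, not ElastiCache
    {"eventSource": "elasticache.amazonaws.com", "eventName": "DescribeCacheSecurityGroups",
     "userIdentity": {"userName": "dave"}},                               # read-only, not in the set
]

if __name__ == "__main__":
    print(alerts(SAMPLE_RECORDS))  # ['alice:AuthorizeCacheSecurityGroupIngress']
```

Only the successful ElastiCache change fires; the denied deletion, the EC2 security-group call and the read-only Describe call are filtered by the outcome, provider and action-set clauses respectively.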

botelastic[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

austinsonger commented 3 years ago

I'm just leaving a comment for activity.