[Rule Tuning] CWP Rule Review and Tuning (AWS)

[terrancedejesus]

Link to rule

AWS Integration Rules

Description

The following rules are older than 90 days and are missing investigation notes. Investigation notes will be added and each rule examined via telemetry and through simulation to determine tuning is necessary or not.

• [x] - AWS GuardDuty Detector Deletion
• [x] - AWS Route Table Created
• [x] - AWS Access Secret in Secrets Manager
• [x] - AWS RDS Security Group Creation
• [x] - AWS ElastiCache Security Group Created
• [x] - AWS CloudTrail Log Suspended
• [x] - AWS IAM User Addition to Group
• [x] - AWS IAM Password Recovery Requested
• [x] - AWS IAM Group Creation
• [x] - AWS EventBridge Rule Disabled or Deleted
• [x] - AWS CloudWatch Alarm Deletion
• [x] - AWS EC2 Network Access Control List Creation
• [x] - AWS Management Console Root Login
• [x] - Unusual City For an AWS Command
• [x] - AWS Route53 private hosted zone associated with a VPC
• [x] - AWS Execution via System Manager
• [x] - AWS CloudTrail Log Updated
• [ ] - AWS Route 53 Domain Transfer Lock Disabled
• [x] - AWS Root Login Without MFA
• [x] - AWS Configuration Recorder Stopped
• [x] - AWS Security Group Configuration Change Detection
• [x] - AWS Config Service Tampering
• [x] - AWS IAM Assume Role Policy Update
• [x] - AWS STS GetSessionToken Abuse
• [x] - AWS EC2 Network Access Control List Deletion
• [x] - AWS Management Console Brute Force of Root User Identity
• [x] - Unusual AWS Command for a User
• [x] - Rare AWS Error Code
• [x] - AWS IAM Group Deletion
• [x] - AWS EC2 Snapshot Activity
• [x] - AWS CloudWatch Log Stream Deletion
• [ ] - AWS SAML Activity
• [x] - AWS EC2 VM Export Failure
• [x] - AWS CloudWatch Log Group Deletion
• [x] - AWS RDS Cluster Deletion
• [ ] - Unusual Country For an AWS Command
• [x] - AWS Route 53 Domain Transferred to Another Account
• [x] - AWS EC2 Flow Log Deletion
• [x] - AWS RDS Instance Creation
• [x] - AWS IAM Brute Force of Assume Role Policy
• [x] - AWS Security Token Service (STS) AssumeRole Usage

[SHolzhauer]

@terrancedejesus What is it you are trying to do here? I'd like to help on this one if possible.

[terrancedejesus]

8.3 Azure Conclusion In 8.3 we mainly reviewed did the following:

• Setup and documented an AWS Lab to use for re-creating activity related to existing pre-built detection rules to test if alerts are still being fired or if any fields need adjusted based on changes from AWS.
• A handful of rules were tuned to account for additional event.action values found when testing.
• A new rule for AWS Redshift was created as most of our detections focus solely on RDS instead.