protectionsmachine
commented
2 months ago Rule: New - Guidelines
These guidelines serve as a reminder set of considerations when proposing a new rule.
Documentation and Context
- [ ] Detailed description of the rule.
- [ ] List any new fields required in ECS/data sources.
- [ ] Link related issues or PRs.
- [ ] Include references.
Rule Metadata Checks
- [ ]
creation_datematches the date of creation PR initially merged. - [ ]
min_stack_versionshould support the widest stack versions. - [ ]
nameanddescriptionshould be descriptive and not include typos. - [ ]
queryshould be inclusive, not overly exclusive, considering performance for diverse environments. Non ecs fields should be added tonon-ecs-schema.jsonif not available in an integration. - [ ]
min_stack_commentsandmin_stack_versionshould be included if the rule is only compatible starting from a specific stack version. - [ ]
indexpattern should be neither too specific nor too vague, ensuring it accurately matches the relevant data stream (e.g., use logs-endpoint.process-* for process data). - [ ]
integrationshould align with theindex. If the integration is newly introduced, ensure the manifest, schemas, andnew_rule.yamltemplate are updated. - [ ]
setupshould include the necessary steps to configure the integration. - [ ]
noteshould include any additional information (e.g. Triage and analysis investigation guides, timeline templates). - [ ]
tagsshould be relevant to the threat and align/added to theEXPECTED_RULE_TAGSin the definitions.py file. - [ ]
threat,techniques, andsubtechniquesshould map to ATT&CK always if possible.
New BBR Rules
- [ ]
building_block_typeshould be included if the rule is a building block and the rule should be located in therules_building_blockfolder. - [ ]
bypass_bbr_timingshould be included if adding custom lookback timing to the rule.
Testing and Validation
- [ ] Provide evidence of testing and detecting the expected threat.
- [ ] Check for existence of coverage to prevent duplication.
Issue link(s):
Summary - What I changed
This rule detects the first time a principal calls AWS Cloudwatch
CreateStackorCreateStackSetAPI. Cloudformation is used to create a single collection of cloud resources called a stack, via a defined template file. An attacker with the appropriate privileges could leverage Cloudformation to create specific resources needed to further exploit the environment. This is a new terms rule that looks for the first instance of this behavior in the last 10 days for a role or IAM user within a particular account.--
The fields chosen for new_terms is very intentional here. I needed to account for both Roles and IAM user types. The problem with Roles and new_terms is that there is a
session_nameattached to therole_namewhich is different every time a new session is created using that particular role. This means for fields likeuser.idoraws.cloudtrail.user_identity.arn, we can't isolate the role name itself, instead we are capturing the role name and the session name which will mean lots of false positives because everyrole.name+session.namecombination will appear to be "new". I could utilizeaws.cloudtrail.user_identity.session_context.session_issuer.arnif I were only concerned with capturing events fromAssumedRoles, but since I want to capture events for long-term IAM users as well, this field won't work as it's only created when Roles are assumed. This leaves us withuser.namefield. The only problem here was that in an "Organization" there can be several different accounts with differentcloud.account.idsall being monitored through the same Cloudtrail logs. IAM User and Role names can be duplicated across different accounts, which might create false positives if those logs are being ingested together. To correct for this I am using bothuser.nameandcloud.account.idas thenew_terms_fieldsvalue so that ideally this rule will trigger for the first time occurance of a uniquerole/user name + cloud.account.idcombination.Checklist
bug,enhancement,schema,Rule: New,Rule: Deprecation,Rule: Tuning,Hunt: New, orHunt: Tuningso guidelines can be generated