Open aarju opened 3 years ago
Hey @aarju! Thanks for this. We did have this one on our list as far as an ML job is concerned. The idea is to look for ImportKeyPair/CreateKeyPair from a Rare IP, as the API calls themselves can generate a decent amount of noise.
Added this to the Cloud module scope.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Description
Detect when the AWS API was used to add a new SSH key to an EC2 instance. This could be an indicator of an attacker or insider threat that has IAM access in AWS and is using that access to directly access EC2 resources.
Required Info
Target indexes
filebeat-*
Additional requirements
AWS Filebeat Module
Target Operating Systems
Platforms
aws
Tested ECS Version
x.x.x
Optional Info
Admin activity in AWS will be a common false positive, although many orgs use other systems to manage keys, which would make this event a rare occurrence in those networks.
Query
(event.action:"ImportKeyPair" or event.action:"CreateKeyPair") and event.module:aws
New fields required in ECS/data sources for this rule?
Related issues or PRs
References
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstances.html
Example Data
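The query above, run as an added example over constructed ECS-shaped documents (this is not code from the issue or from the detection-rules project, and the sample events are made up, not real CloudTrail logs). The `matches_rule` predicate is the KQL in the issue expressed in Python; `rare_source_hits` is a simple counting stand-in for the "rare IP" idea raised in the thread, not the ML job itself. Field names other than `event.module` and `event.action` (`source.ip`, `user.name`) are assumptions about the filebeat aws module output.

```python
"""Run the proposed key-pair detection over constructed ECS documents.

Added example, not code from the detection-rules project. The sample documents
are constructed to look like filebeat aws module (CloudTrail) output and are
not real logs; field names beyond event.module/event.action are assumptions.
"""
from collections import Counter

KEYPAIR_ACTIONS = {"ImportKeyPair", "CreateKeyPair"}


def get_field(doc, dotted):
    """Resolve an ECS dotted field name such as "event.action" in a nested dict."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(doc):
    """Same predicate as the KQL in the issue:
    (event.action:"ImportKeyPair" or event.action:"CreateKeyPair") and event.module:aws
    """
    return (get_field(doc, "event.module") == "aws"
            and get_field(doc, "event.action") in KEYPAIR_ACTIONS)


def key_pair_hits(docs):
    """All documents in the window that the rule would alert on."""
    return [d for d in docs if matches_rule(d)]


def rare_source_hits(docs, baseline, max_seen=0):
    """Keep only hits whose source.ip appears at most max_seen times in a
    baseline window. A counting stand-in for the "rare IP" approach mentioned
    in the thread; the real ML job is not reproduced here."""
    seen = Counter(ip for ip in (get_field(d, "source.ip") for d in baseline) if ip)
    return [d for d in key_pair_hits(docs)
            if seen.get(get_field(d, "source.ip"), 0) <= max_seen]


def event(module, action, ip, user):
    """Build one constructed ECS-shaped document (field layout is an assumption)."""
    return {"event": {"module": module, "action": action},
            "source": {"ip": ip}, "user": {"name": user}}


# Constructed: events in the detection window.
WINDOW = [
    event("aws", "CreateKeyPair", "203.0.113.10", "ops-admin"),
    event("aws", "ImportKeyPair", "198.51.100.7", "contractor-1"),
    event("aws", "DescribeKeyPairs", "203.0.113.10", "ops-admin"),   # read-only, no alert
    event("azure", "CreateKeyPair", "203.0.113.10", "ops-admin"),    # wrong module, no alert
    event("aws", "RunInstances", "203.0.113.10", "ops-admin"),
]

# Constructed: a baseline window in which only the admin's IP has history.
BASELINE = [event("aws", "DescribeInstances", "203.0.113.10", "ops-admin")] * 20


if __name__ == "__main__":
    for d in key_pair_hits(WINDOW):
        print("hit:", get_field(d, "event.action"), get_field(d, "user.name"),
              get_field(d, "source.ip"))
    for d in rare_source_hits(WINDOW, BASELINE):
        print("rare-source hit:", get_field(d, "event.action"),
              get_field(d, "user.name"), get_field(d, "source.ip"))
```

Run stand-alone, the plain rule fires on both the admin's `CreateKeyPair` and the contractor's `ImportKeyPair`; filtering against the baseline drops the admin's event, which is the false-positive case the issue calls out, and leaves the `ImportKeyPair` from an IP with no prior history.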