forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
defense_evasion_s3_bucket_configuration_deletion.toml
66 lines (58 loc) · 2.21 KB
/
defense_evasion_s3_bucket_configuration_deletion.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
[metadata]
creation_date = "2020/05/27"
integration = ["aws"]
maturity = "production"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = "Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components."
false_positives = [
"""
Bucket components may be deleted by a system or network administrator. Verify whether the user identity, user agent,
and/or hostname should be making changes in your environment. Bucket component deletions by unfamiliar users or
hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-60m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS S3 Bucket Configuration Deletion"
note = """## Setup
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html",
"https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html",
"https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html",
"https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html",
"https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketLifecycle.html",
]
risk_score = 21
rule_id = "227dc608-e558-43d9-b521-150772250bae"
severity = "low"
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Use Case: Asset Visibility",
"Tactic: Defense Evasion",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and
event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or
DeleteBucketEncryption or DeleteBucketLifecycle)
and event.outcome:success
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"