New Rule Request
MITRE ATT&CK techniques and tactics:
- T1078.004 – Initial Access / Valid Accounts: Cloud Accounts
- T1098, T1098.004 – Persistence / Account Manipulation
- T1110.001, T1110.003 – Credential Access / Brute Force
- T1537, T1535 – Exfiltration / Data Transfer to Cloud Account
- T1552.005 – Credential Access / Cloud Instance Metadata API
- T1562.001, T1562.008 – Defense Evasion / Impair Defenses
- T1556 – Credential Access / Modify Authentication Process
- T1485, T1531 – Impact / Data Destruction / Account Access Removal
Data sources needed: AWS CloudTrail via filebeat or Elastic Agent (logs-aws.cloudtrail-*)
ECS fields: All rules use standard ECS fields (event.provider, event.action, event.outcome, source.ip, aws.cloudtrail.*)
Detection approach: Behavior-based — detects specific API calls indicating privilege escalation, defense evasion, credential access, and impact across 15 scenarios not currently covered in elastic/detection-rules for AWS.
Rules included: Console login without MFA, EC2 IMDSv1 enabled, IAM Identity Center permission set modification, IAM login profile reset by another principal, Macie/Inspector disabled, console brute force by IP and by user, EC2 key pair import, VPC peering to external account, SAML provider deleted, OIDC provider modified, DynamoDB table/backup deleted, new region enabled, account closed, LeaveOrganization.
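As an added illustration of the behavior-based approach described above (not code from this request or from elastic/detection-rules), the following Python implements two of the listed rules, console login without MFA and console brute force by IP, over constructed ECS-style CloudTrail events. The field names follow the request; storing CloudTrail's `MFAUsed` under `aws.cloudtrail.additional_eventdata` as a nested dict, and the `user.name` field, are assumptions about the integration's mapping, and the brute-force threshold and window are illustrative values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(ts, user, ip, outcome, mfa="No"):
    # Constructed ECS-style ConsoleLogin event; the additional_eventdata
    # layout and user.name field are assumptions about the integration mapping.
    return {"@timestamp": ts, "event.provider": "signin.amazonaws.com",
            "event.action": "ConsoleLogin", "event.outcome": outcome,
            "source.ip": ip, "user.name": user,
            "aws.cloudtrail.additional_eventdata": {"MFAUsed": mfa}}

SAMPLE_EVENTS = (
    [_ev("2024-05-01T10:00:00Z", "alice", "203.0.113.10", "success", "Yes"),
     _ev("2024-05-01T10:01:00Z", "bob", "203.0.113.11", "success", "No"),
     # Non-console API call, must be ignored by both rules.
     {"@timestamp": "2024-05-01T10:02:00Z", "event.provider": "ec2.amazonaws.com",
      "event.action": "RunInstances", "event.outcome": "success",
      "source.ip": "203.0.113.12", "user.name": "eve"}]
    # Five failures from one IP inside five minutes: brute force.
    + [_ev(f"2024-05-01T10:0{i}:30Z", "carol", "198.51.100.7", "failure") for i in range(5)]
    # Five failures spread over five hours: below the sliding-window threshold.
    + [_ev(f"2024-05-01T1{i}:00:00Z", "dave", "198.51.100.8", "failure") for i in range(5)]
)

def _ts(e):
    return datetime.strptime(e["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")

def _console_logins(events):
    for e in events:
        if e.get("event.provider") == "signin.amazonaws.com" and e.get("event.action") == "ConsoleLogin":
            yield e

def console_login_without_mfa(events):
    """Successful console logins where CloudTrail did not record MFAUsed == 'Yes'."""
    hits = []
    for e in _console_logins(events):
        mfa = e.get("aws.cloudtrail.additional_eventdata", {}).get("MFAUsed")
        if e.get("event.outcome") == "success" and mfa != "Yes":
            hits.append((e["user.name"], e["source.ip"]))
    return hits

def console_brute_force_by_ip(events, threshold=5, window=timedelta(minutes=10)):
    """Source IPs with at least `threshold` failed console logins inside a sliding `window`."""
    failures = defaultdict(list)
    for e in _console_logins(events):
        if e.get("event.outcome") == "failure":
            failures[e["source.ip"]].append(_ts(e))
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged
```

The same sliding-window count keyed on `user.name` instead of `source.ip` gives the "brute force by user" variant from the list.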