SigmaHQ/rules/cloud/aws_guardduty_disruption.yml

24 lines
763 B
YAML
Raw Normal View History

title: AWS GuardDuty Important Change
id: 6e61ee20-ce00-4f8d-8aee-bedd8216f7e3
status: experimental
2020-09-14 04:03:04 +00:00
description: Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.
author: faloker
date: 2020/02/11
references:
2020-02-12 20:48:46 +00:00
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/guardduty__whitelist_ip/main.py#L9
logsource:
2020-02-12 20:48:46 +00:00
service: cloudtrail
detection:
2020-02-12 20:48:46 +00:00
selection_source:
- eventSource: guardduty.amazonaws.com
selection_eventName:
- eventName: CreateIPSet
condition: all of them
falsepositives:
- Valid change in the GuardDuty (e.g. to ignore internal scanners)
2020-09-14 04:03:04 +00:00
level: high
tags:
2020-07-18 01:42:10 +00:00
- attack.defense_evasion
2020-06-16 20:46:08 +00:00
- attack.t1562.001
- attack.t1089 # an old one