valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Create aws_s3_data_management_tampering.yml

Browse Source
This commit is contained in:
Austin Songer 2021-07-24 11:09:31 -05:00 committed by GitHub
parent 7cacc57313
commit d7303ed7b2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 39 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
rules/aws_s3_data_management_tampering.yml Normal file
View File

@ -0,0 +1,39 @@
title: AWS S3 Data Management Tamperin
id: 78b3756a-7804-4ef7-8555-7b9024a02e2d
description: Detects when a user tampers with S3 data management in Amazon Web Services.
author: Elastic, Austin Songer
status: experimental
date: 2021/07/24
references:
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: iam.amazonaws.com
selection_eventname1:
- eventName: PutBucketLogging
selection_eventname2:
- eventName: PutBucketWebsite
selection_eventname3:
- eventName: PutEncryptionConfiguration
selection_eventname4:
- eventName: PutLifecycleConfiguration
selection_eventname5:
- eventName: PutReplicationConfiguration
selection_eventname6:
- eventName: ReplicateObject
selection_eventname7:
- eventName: RestoreObject
condition: selection_source and selection_eventname1 or selection_eventname2 or selection_eventname3 or selection_eventname4 or selection_eventname5 or selection_eventname6 or selection_eventname7
level: low
tags:
- attack.exfiltration
- attack.t1537
falsepositives:
- A S3 configuration change may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. S3 configuration change from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.