[Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules (#4892)
* [Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules
This PR is in part a response to the following issues regarding the future of flattened fields in AWS, which we use as an essential part of our ruleset. However, this is also in response to the ongoing ruleset audit. Some of the flattened fields used are not truly necessary for the alert to trigger or can be replaced by a different field. Those changes have been made here and our non_ecs file has been edited to remove the unnecessary fields. Additionally, flattened fields have been removed from highlighted fields, and from investigation guides.
* Update discovery_ec2_userdata_request_for_ec2_instance.toml
updated_date
* Update execution_ssm_sendcommand_by_rare_user.toml
updated_date
* Update non-ecs-schema.json
add necessary field for ModifyInstanceAttribute action
* Update persistence_ec2_security_group_configuration_change_detection.toml
added missing event.action AuthorizeSecurityGroupIngress, narrowed scope for ModifyInstanceAttribute action by adding a necessary flattened_field
* Update privilege_escalation_iam_customer_managed_policy_attached_to_role.toml
updated min_stack_version for new field target.entity.id
* Update privilege_escalation_iam_customer_managed_policy_attached_to_role.toml
* Update privilege_escalation_iam_update_assume_role_policy.toml
updating min_stack to account for target.entity.id field
* Update impact_s3_excessive_object_encryption_with_sse_c.toml
adding highlighted fields
* Update rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml
* Apply suggestions from code review
---------
Co-authored-by: Mika Ayenson, PhD <[email protected]>
Co-authored-by: Ruben Groenewoud <[email protected]>
rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml (23 additions & 15 deletions)
@@ -2,27 +2,19 @@
2
2
creation_date = "2024/04/12"
3
3
integration = ["aws"]
4
4
maturity = "production"
5
-
updated_date = "2025/01/27"
5
+
updated_date = "2025/07/09"
6
6
7
7
[rule]
8
8
author = ["Elastic"]
9
9
description = """
10
-
Detects the first occurrence of a user identity accessing AWS Systems Manager (SSM) SecureString parameters using the
11
-
GetParameter or GetParameters API actions with credentials in the request parameters. This could indicate that the user
12
-
is accessing sensitive information. This rule detects when a user accesses a SecureString parameter with the
13
-
`withDecryption` parameter set to true. This is a
14
-
[NewTerms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that
15
-
detects the first occurrence of a specific AWS ARN accessing SecureString parameters with decryption within the last 10
16
-
days.
10
+
Detects the first occurrence of a user identity accessing AWS Systems Manager (SSM) SecureString parameters using the GetParameter or GetParameters API actions with credentials in the request parameters. This could indicate that the user is accessing sensitive information. This rule detects when a user accesses a SecureString parameter with the withDecryption parameter set to true. This is a New Terms rule that detects the first occurrence of an AWS identity accessing SecureString parameters with decryption.
17
11
"""
18
12
false_positives = [
19
13
"""
20
-
Users may legitimately access AWS Systems Manager (SSM) parameters using the GetParameter, GetParameters, or
21
-
DescribeParameters API actions with credentials in the request parameters. Ensure that the user has a legitimate
22
-
reason to access the parameters and that the credentials are secured.
14
+
Users may legitimately access AWS Systems Manager (SSM) parameters using the GetParameter, GetParameters, or DescribeParameters API actions with credentials in the request parameters. Ensure that the user has a legitimate reason to access the parameters and that the credentials are secured.
23
15
""",
24
16
]
25
-
from = "now-9m"
17
+
from = "now-6m"
26
18
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
27
19
language = "kuery"
28
20
license = "Elastic License v2"
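Review bot: the `from` change from `now-9m` to `now-6m` in this hunk is not mentioned in the commit message, which scopes the PR to flattened-field removal; state it as an intentional change and confirm the shorter lookback still overlaps the rule's interval so that late-arriving CloudTrail events are not skipped between runs. The rewritten description also drops the link to the New Terms rule documentation and the "within the last 10 days" history window; if that window is still part of the rule's new-terms configuration, keeping the sentence helps analysts understand why the alert fired.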
@@ -39,8 +31,8 @@ Adversaries may target SecureStrings to retrieve sensitive information such as e
39
31
#### Possible Investigation Steps
40
32
41
33
- **Review the Access Event**: Identify the specific API call (`GetParameter` or `GetParameters`) that triggered the rule. Examine the `request_parameters` for `withDecryption` set to true and the name of the accessed parameter.
42
-
- **Verify User Identity and Access Context**: Check the `user_identity` details to understand who accessed the parameter and their role within the organization. This includes checking the ARN and access key ID to determine if the access was authorized.
43
-
- **User ID**: Review the `user.id` field to identify the specific user or role that initiated the API call. Note that the ARN associated may be an assumed role and may not directly correspond to a human user.
34
+
- **Verify User Identity and Access Context**: Check the `aws.cloudtrail.user_identity` details to understand who accessed the parameter and their role within the organization. This includes checking the ARN and access key ID to determine if the access was authorized.
35
+
- **User ID**: Review the `user.name` field to identify the specific user or role that initiated the API call. Note that the ARN associated may be an assumed role and may not directly correspond to a human user.
44
36
- **Contextualize with User Behavior**: Assess whether the access pattern fits the user’s normal behavior or job responsibilities. Investigate any out-of-pattern activities around the time of the event.
45
37
- **Analyze Geographic and IP Context**: Using the `source.ip` and `source.geo` information, verify if the request came from a trusted location or if there are any anomalies that suggest a compromised account.
46
38
- **Inspect Related CloudTrail Events**: Look for other related events in CloudTrail to see if there was unusual activity before or after this event, such as unusual login attempts, changes to permissions, or other API calls that could indicate broader unauthorized actions.
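Review bot: the bullet label `User ID` now points to `user.name`, so the label and the field no longer match; rename the bullet (for example to `User Name`) or say explicitly that `user.name` holds the user or role name. For the preceding bullet, since the PR's purpose is to move away from flattened paths, confirm that `aws.cloudtrail.user_identity` is a mapped field in the CloudTrail integration rather than a flattened object path, so the guidance does not reintroduce what the PR removes.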
rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml (22 additions & 13 deletions)
@@ -2,26 +2,21 @@
2
2
creation_date = "2024/04/16"
3
3
integration = ["aws"]
4
4
maturity = "production"
5
-
updated_date = "2025/01/15"
5
+
updated_date = "2025/07/10"
6
6
7
7
[rule]
8
8
author = ["Elastic"]
9
9
description = """
10
-
Identifies when a specified inbound (ingress) rule is added or adjusted for a VPC security group in AWS EC2. This rule
11
-
detects when a security group rule is added that allows traffic from any IP address or from a specific IP address to
12
-
common remote access ports, such as 22 (SSH) or 3389 (RDP). Adversaries may add these rules to allow remote access to
13
-
VPC instances from any location, increasing the attack surface and potentially exposing the instances to unauthorized
14
-
access.
10
+
Identifies when a specified inbound (ingress) rule is added or adjusted for a VPC security group in AWS EC2. This rule detects when a security group rule is added that allows traffic from any IP address or from a specific IP address to common remote access ports, such as 22 (SSH) or 3389 (RDP). Adversaries may add these rules to allow remote access to VPC instances from any location, increasing the attack surface and potentially exposing the instances to unauthorized access.
15
11
"""
16
12
false_positives = [
17
13
"""
18
-
Administrators may legitimately add security group rules to allow traffic from any IP address or from specific IP
19
-
addresses to common remote access ports.
14
+
Administrators may legitimately add security group rules to allow traffic from any IP address or from specific IP addresses to common remote access ports.
20
15
""",
21
16
]
22
-
from = "now-60m"
17
+
from = "now-6m"
23
18
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
24
-
interval = "10m"
19
+
interval = "5m"
25
20
language = "kuery"
26
21
license = "Elastic License v2"
27
22
name = "Insecure AWS EC2 VPC Security Group Ingress Rule Added"
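Review bot: `from` drops from `now-60m` to `now-6m` while `interval` drops from `10m` to `5m`, leaving a one-minute overlap between consecutive runs; the commit message scopes this PR to flattened-field removal and does not explain the window change, so call it out explicitly and confirm that ingestion latency of CloudTrail data into `logs-aws.cloudtrail-*` fits within that overlap, otherwise events can fall between runs and never be evaluated.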
rules/integrations/aws/execution_ssm_sendcommand_by_rare_user.toml (3 additions & 3 deletions)
@@ -2,7 +2,7 @@
2
2
creation_date = "2020/07/06"
3
3
integration = ["aws"]
4
4
maturity = "production"
5
-
updated_date = "2025/06/25"
5
+
updated_date = "2025/07/10"
6
6
7
7
[rule]
8
8
author = ["Elastic"]
@@ -29,8 +29,8 @@ This rule detects the execution of commands or scripts on EC2 instances using AW
29
29
#### Possible Investigation Steps
30
30
31
31
- **Identify the Target Instance**:
32
-
- **Instance ID**: Review the `aws.cloudtrail.flattened.request_parameters.instanceIds` field to identify which EC2 instances were targeted by this command. Confirm if these instances are expected to be managed through SSM.
33
-
- **Document Used**: Check the `aws.cloudtrail.flattened.request_parameters.documentName` field, which specifies the document or script being executed. Commands such as `RunShellScript` or `RunPowerShellScript` can indicate interactive sessions or script-based interactions.
32
+
- **Instance ID**: Review the `aws.cloudtrail.request_parameters` field to identify which EC2 instances were targeted by this command. Confirm if these instances are expected to be managed through SSM.
33
+
- **Document Used**: Check the `aws.cloudtrail.request_parameters` field, which specifies the name of the document or script being executed. Commands such as `RunShellScript` or `RunPowerShellScript` can indicate interactive sessions or script-based interactions.
34
34
35
35
- **Review User Context**:
36
36
- **User Identity**: Inspect the `aws.cloudtrail.user_identity.arn` field to determine the user or role executing the `SendCommand`. If this user is not typically involved in EC2 or SSM interactions, this could indicate unauthorized access.
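Review bot: both rewritten bullets now point at the same generic `aws.cloudtrail.request_parameters` field, so the analyst no longer knows which keys to look for in it; keep the key names in the guidance, e.g. "look for `instanceIds` in `aws.cloudtrail.request_parameters`" and "look for `documentName` in `aws.cloudtrail.request_parameters`", so the steps stay actionable without depending on the flattened subfields.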