Rules Contributing to Suspicious Modification of AWS CloudTrail Logs Alert

The following rules are used to identify suspicious activity within AWS Cloudtrail logs. Any one or more of these will trigger Suspicious Modification of AWS CloudTrail Logs Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

AWS CloudTrail Log Updated

Identifies an update to an AWS log trail setting that specifies the delivery of log files.

More details

Rule ID

aws_34

Query

{'selection1': {'eventSource': 'cloudtrail.amazonaws.com'}, 'selection2': {'eventName': 'UpdateTrail'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0009, TA0040, T1530, T1565

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2020/06/10	low	Trail updates may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Federated user attempting to assume role

A federated user is attempting to assume a role. Federation users enable to manage access to AWS accounts by adding and removing users from the corporate directory, such as Microsoft Active Directory.

More details

Rule ID

aws_110

Query

{'selection1': {'eventSource': 'cloudtrail.amazonaws.com'}, 'selection2': {'errorMessage': 'Roles may not be assumed by federated users'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0004, T1078

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2022/01/05	medium	N/A

AWS Impair Security Services

This analytic looks for several delete specific API calls made to AWS Security Services like CloudWatch, GuardDuty and Web Application Firewalls.

More details

Rule ID

aws_116

Query

{'selection1': {'eventSource': 'cloudtrail.amazonaws.com'}, 'selection2': {'eventName': 'DeleteLogStream'}, 'selection3': {'eventName': 'DeleteDetector'}, 'selection4': {'eventName': 'DeleteIPSet'}, 'selection5': {'eventName': 'DeleteWebACL'}, 'selection6': {'eventName': 'DeleteRule'}, 'selection7': {'eventName': 'DeleteRuleGroup'}, 'selection8': {'eventName': 'DeleteLoggingConfiguration'}, 'selection9': {'eventName': 'DeleteAlarms'}, 'condition': 'selection1 and (selection2 or selection3 or selection4 or selection5 or selection6 or selection7 or selection8 or selection9)'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0005, T1562, T1562.008

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2022-07-26	medium	While this search has no known false positives, it is possible that it is a legitimate admin activity.