Rules Contributing to Suspicious Modification of AWS Route Table Alert

The following rules are used to identify suspicious activity related to modification of AWS Route Table. Any one or more of these will trigger Suspicious Modification of AWS Route Table Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

AWS Route Table Created

Identifies when an AWS Route Table has been created.

Rule ID

aws_18

Query

{'selection1': {'eventSource': 'cloudtrail.amazonaws.com'}, 'selection2': {'eventName': ['CreateRoute', 'CreateRouteTable']}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0003, T1098

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2021/06/05 low

  • Route Tables may be created by a system or network administrators. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Route Table creation by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Automated processes that use Terraform may lead to false positives.

AWS Route Table Modified or Deleted

Identifies when an AWS Route Table has been modified or deleted.

Rule ID

aws_29

Query

{'selection1': {'eventSource': 'cloudtrail.amazonaws.com'}, 'selection2': {'eventName': ['ReplaceRoute', 'ReplaceRouteTableAssociation', 'DeleteRouteTable', 'DeleteRoute', 'DisassociateRouteTable']}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0003, T1098

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2021/06/05 low

  • Route Table could be modified or deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Route Table being modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Also automated processes that use Terraform may lead to false positives.