diff --git a/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml b/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml index a7733c8b473..6b645d1ed42 100644 --- a/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml +++ b/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/17" integration = ["aws"] maturity = "production" -updated_date = "2025/09/08" +updated_date = "2025/12/16" [rule] author = ["Elastic"] @@ -181,6 +181,6 @@ field = "new_terms_fields" value = ["source.address", "tls.client.server_name"] [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-7d" +value = "now-5d" diff --git a/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml b/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml index b3817493bf7..4524daa3597 100644 --- a/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml +++ b/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml 
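Review bot: Shortening `history_window_start` from `now-7d` to `now-5d` means a `source.address`/`tls.client.server_name` pair not seen in the last five days is treated as new again, so unauthenticated access with a weekly cadence will now re-alert on every occurrence. The same tightening (to `now-5d` or `now-7d`) is made in credential_access_new_terms_secretsmanager_getsecretvalue.toml, credential_access_retrieve_secure_string_parameters_via_ssm.toml, discovery_ec2_userdata_request_for_ec2_instance.toml, exfiltration_sns_rare_protocol_subscription_by_user.toml, impact_s3_unusual_object_encryption_with_sse_c.toml, persistence_iam_api_calls_via_user_session_token.toml, privilege_escalation_iam_customer_managed_policy_attached_to_role.toml, privilege_escalation_iam_update_assume_role_policy.toml, privilege_escalation_role_assumption_by_service.toml and privilege_escalation_role_assumption_by_user.toml, and nothing in the diff records why the baselines were cut or why some rules land on 5d and others on 7d. The PR description should state the rationale (cost of the new-terms history query, observed alert volume) so the next tuning pass does not silently revert it; a shorter baseline also shortens how long a first-seen identity stays "known", which mostly errs toward more alerts rather than fewer, but that trade-off should be explicit.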
@@ -2,17 +2,17 @@ creation_date = "2020/07/06" integration = ["aws"] maturity = "production" -updated_date = "2025/12/12" +updated_date = "2025/12/16" [rule] author = ["Nick Jones", "Elastic"] description = """ An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service may attempt to leverage the compromised service to access secrets in AWS Secrets Manager. This rule looks for the first time -a specific user identity has programmatically retrieved a secret value from Secrets Manager using the `GetSecretValue` -or `BatchGetSecretValue` actions. This rule assumes that AWS services such as Lambda functions and EC2 instances are -setup with IAM role's assigned that have the necessary permissions to access the secrets in Secrets Manager. An -adversary with access to a compromised AWS service would rely on its' attached role to access the secrets in Secrets Manager. +a specific user identity has programmatically retrieved a secret value from Secrets Manager using the GetSecretValue +action. This rule assumes that AWS services such as Lambda functions and EC2 instances are setup with IAM role's +assigned that have the necessary permissions to access the secrets in Secrets Manager. An adversary with access to a +compromised AWS service would rely on its' attached role to access the secrets in Secrets Manager. """ false_positives = [ """ @@ -22,7 +22,6 @@ false_positives = [ ] from = "now-6m" index = ["filebeat-*", "logs-aws.cloudtrail-*"] -interval = "5m" language = "kuery" license = "Elastic License v2" name = "First Time Seen AWS Secret Value Accessed in Secrets Manager" 
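Review bot: The rewritten description still says the identity has `programmatically retrieved a secret value`, but the query hunk later in this file drops the `not user_agent.name: (...)` browser exclusion, so console-driven (browser) retrievals now match as well; either drop "programmatically" from the description and the `note` text or keep the user-agent filter in the query. The reflowed lines also carry forward two grammatical slips on the new side: `IAM role's assigned` should read `IAM roles assigned`, and `its' attached role` should read `its attached role`. The `[rule]` table continues past this hunk.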
@@ -32,7 +31,7 @@ note = """## Triage and analysis AWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically. -This rule looks for the retrieval of credentials from Secrets Manager using `GetSecretValue` or `BatchGetSecretValue` API calls. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has successfuly retrieved a secret value from Secrets Manager. +This rule looks for the retrieval of credentials from Secrets Manager using `GetSecretValue` API calls. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has successfuly retrieved a secret value from Secrets Manager. #### Possible investigation steps @@ -95,26 +94,12 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and - event.action: (GetSecretValue or BatchGetSecretValue) and event.outcome:success and - not user_agent.name: ("Chrome" or "Firefox" or "Safari" or "Edge" or "Brave" or "Opera" or "Boto3") +event.dataset: aws.cloudtrail + and event.provider: secretsmanager.amazonaws.com + and event.action: GetSecretValue + and event.outcome: success ''' -[rule.investigation_fields] -field_names = [ - "@timestamp", - "user.name", - "user_agent.original", - "source.ip", - "aws.cloudtrail.user_identity.arn", - "aws.cloudtrail.user_identity.type", - "aws.cloudtrail.user_identity.access_key_id", - "event.action", - "event.outcome", - "cloud.account.id", - "cloud.region", - "aws.cloudtrail.request_parameters" -] [[rule.threat]] framework = "MITRE ATT&CK" 
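Review bot: Removing `BatchGetSecretValue` from `event.action` is a coverage regression: a principal whose first secret reads go through the batch API alone never matches this rule, and nothing in the diff says another rule picks that call up. Unless that is deliberate, keep `event.action: (GetSecretValue or BatchGetSecretValue)` in the new query; if it is deliberate, the `note` hunk above and the description should say why only the single-secret call is in scope. Dropping the `user_agent.name` exclusion is reasonable for a new-terms rule keyed on `cloud.account.id`/`user.name`, but console-driven first-time reads will now alert, so the `false_positives` entries (outside this hunk) should mention that.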
@@ -134,11 +119,27 @@ id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[rule.investigation_fields] +field_names = [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters", +] + [rule.new_terms] field = "new_terms_fields" value = ["cloud.account.id", "user.name"] [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-10d" +value = "now-5d" diff --git a/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml b/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml index e646464c6fb..aabb31b6db8 100644 --- a/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml +++ b/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/12" integration = ["aws"] maturity = "production" -updated_date = "2025/07/09" +updated_date = "2025/12/16" [rule] author = ["Elastic"] @@ -125,4 +125,4 @@ field = "new_terms_fields" value = ["cloud.account.id", "user.name"] [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-10d" +value = "now-5d" diff --git a/rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml b/rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml index b36fc9ab44e..07be3b05e01 100644 --- a/rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml +++ b/rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/04/14" integration = ["aws"] maturity = "production" -updated_date = "2025/07/10" +updated_date = "2025/12/16" [rule] author = ["Elastic"] @@ -13,7 +13,6 @@ gather sensitive data from the instance such as hardcoded credentials or to iden a New Terms rule that identifies the first time an IAM user or role requests the user data for a specific EC2 instance. """ from = "now-6m" -interval = "5m" index = ["filebeat-*", "logs-aws.cloudtrail-*"] language = "kuery" license = "Elastic License v2" @@ -91,7 +90,10 @@ event.dataset: "aws.cloudtrail" and aws.cloudtrail.flattened.request_parameters.attribute: "userData" and not aws.cloudtrail.user_identity.invoked_by: ( "AWS Internal" or - "cloudformation.amazonaws.com" + "cloudformation.amazonaws.com" or + "aidevops.amazonaws.com" or + "elasticmapreduce.amazonaws.com" or + "aiops.amazonaws.com" ) ''' @@ -147,6 +149,6 @@ field = "new_terms_fields" value = ["cloud.account.id", "user.name", "aws.cloudtrail.flattened.request_parameters.instanceId"] [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-14d" +value = "now-5d" diff --git a/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml b/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml index ac8cbf37a26..e3eda01f101 100644 --- a/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml +++ b/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/01" integration = ["aws"] maturity = "production" -updated_date = "2025/09/09" +updated_date = "2025/12/16" [rule] author = ["Elastic"] @@ -150,6 +150,6 @@ field = "new_terms_fields" value = ["cloud.account.id", "user.name", "aws.cloudtrail.flattened.request_parameters.protocol"] [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-14d" +value = "now-7d" 
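Review bot: The three service principals added to the `not aws.cloudtrail.user_identity.invoked_by` exclusion (`aidevops.amazonaws.com`, `elasticmapreduce.amazonaws.com`, `aiops.amazonaws.com`) widen the set of `userData` reads this rule never sees, with no recorded reason. `invoked_by` is populated by CloudTrail for service-originated calls, so this is less spoofable than a user-agent filter, but any principal allowed to drive those services still gets its user-data reads filtered out; the PR description or the rule `note` should record which noise each principal was producing so the exclusion can be revisited. The `query` block continues outside this hunk.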
diff --git a/rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml b/rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml index 4d5f1027bf2..82747595dbe 100644 --- a/rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml +++ b/rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/15" integration = ["aws"] maturity = "production" -updated_date = "2025/07/10" +updated_date = "2025/12/16" [rule] author = ["Elastic"] @@ -138,6 +138,6 @@ field = "new_terms_fields" value = ["cloud.account.id", "user.name", "tls.client.server_name"] [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-14d" +value = "now-7d" diff --git a/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml b/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml index abd3df3748c..75ed2fbac87 100644 --- a/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml +++ b/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/16" integration = ["aws"] maturity = "production" -updated_date = "2025/11/12" +updated_date = "2025/12/16" [rule] author = ["Elastic"] @@ -168,6 +168,6 @@ field = "new_terms_fields" value = ["aws.cloudtrail.user_identity.arn"] [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-14d" +value = "now-7d" diff --git a/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml b/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml index 7be062bf26f..39f51c42bc2 100644 --- a/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml +++ b/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["aws"] maturity = "production" -updated_date = "2025/10/17" +updated_date = "2025/12/16" [rule] author = ["Elastic"] @@ -135,6 +135,6 @@ field = "new_terms_fields" value = ["cloud.account.id", "user.name", "target.entity.id"] [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-14d" +value = "now-7d" diff --git a/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml b/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml index e67ffb02b1e..44fd3f24840 100644 --- a/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml +++ b/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/06" integration = ["aws"] maturity = "production" -updated_date = "2025/10/17" +updated_date = "2025/12/16" [rule] author = ["Elastic"] @@ -21,7 +21,6 @@ false_positives = [ ] from = "now-6m" index = ["filebeat-*", "logs-aws.cloudtrail-*"] -interval = "5m" language = "kuery" license = "Elastic License v2" name = "AWS IAM Assume Role Policy Update" @@ -90,7 +89,6 @@ event.dataset: "aws.cloudtrail" and event.provider: "iam.amazonaws.com" and event.action: "UpdateAssumeRolePolicy" and event.outcome: "success" - and not source.address: "cloudformation.amazonaws.com" ''' @@ -134,6 +132,6 @@ field = "new_terms_fields" value = ["cloud.account.id", "user.name", "target.entity.id"] [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-14d" +value = "now-7d" diff --git a/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml b/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml index bdb84fc1be3..c65c86306e6 100644 --- a/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml +++ b/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml 
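Review bot: Dropping `and not source.address: "cloudformation.amazonaws.com"` from privilege_escalation_iam_update_assume_role_policy.toml silently widens the rule to CloudFormation-driven trust-policy updates: every stack deployment that changes a role's assume-role policy becomes a new-terms candidate per `cloud.account.id`/`user.name`/`target.entity.id`. That is defensible — a trust policy pushed through IaC is still a trust policy change — but the `false_positives` list and `note` (not in this hunk) should say so, and the PR should state whether the intent is added coverage or cleanup. The `[rule]` table continues outside the hunk.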
@@ -2,18 +2,25 @@ creation_date = "2021/05/17" integration = ["aws"] maturity = "production" -updated_date = "2025/06/18" +updated_date = "2025/12/16" [rule] author = ["Elastic", "Austin Songer"] description = """ -Identifies when a service has assumed a role in AWS Security Token Service (STS). Services can assume a role to obtain temporary credentials and access AWS resources. Adversaries can use this technique for credential access and privilege escalation. This is a New Terms rule that identifies when a service assumes a role in AWS Security Token Service (STS) to obtain temporary credentials and access AWS resources. While often legitimate, adversaries may use this technique for unauthorized access, privilege escalation, or lateral movement within an AWS environment. +Identifies when a service has assumed a role in AWS Security Token Service (STS). Services can assume a role to obtain +temporary credentials and access AWS resources. Adversaries can use this technique for credential access and privilege +escalation. This is a New Terms rule that identifies when a service assumes a role in AWS Security Token Service (STS) +to obtain temporary credentials and access AWS resources. While often legitimate, adversaries may use this technique for +unauthorized access, privilege escalation, or lateral movement within an AWS environment. """ false_positives = [ - "AWS administrators or automated processes might regularly assume roles for legitimate administrative purposes. AWS services might assume roles to access AWS resources as part of their standard operations. Automated workflows might assume roles to perform periodic tasks such as data backups, updates, or deployments.", + """ + AWS administrators or automated processes might regularly assume roles for legitimate administrative purposes. AWS + services might assume roles to access AWS resources as part of their standard operations. 
Automated workflows might + assume roles to perform periodic tasks such as data backups, updates, or deployments. + """, ] from = "now-6m" -interval = "5m" index = ["filebeat-*", "logs-aws.cloudtrail-*"] language = "kuery" license = "Elastic License v2" @@ -99,24 +106,6 @@ event.dataset: "aws.cloudtrail" "autoscaling.amazonaws.com") ''' -[rule.investigation_fields] -field_names = [ - "@timestamp", - "source.address", - "user_agent.original", - "aws.cloudtrail.user_identity.invoked_by", - "aws.cloudtrail.user_identity.type", - "aws.cloudtrail.flattened.response_elements.credentials.accessKeyId", - "event.action", - "event.outcome", - "aws.cloudtrail.resources.arn", - "aws.cloudtrail.resources.type", - "aws.cloudtrail.flattened.request_parameters.roleSessionName", - "cloud.region", - "cloud.account.id", - "aws.cloudtrail.request_parameters", - "aws.cloudtrail.response_elements" -] [[rule.threat]] framework = "MITRE ATT&CK" @@ -148,11 +137,30 @@ id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[rule.investigation_fields] +field_names = [ + "@timestamp", + "source.address", + "user_agent.original", + "aws.cloudtrail.user_identity.invoked_by", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.flattened.response_elements.credentials.accessKeyId", + "event.action", + "event.outcome", + "aws.cloudtrail.resources.arn", + "aws.cloudtrail.resources.type", + "aws.cloudtrail.flattened.request_parameters.roleSessionName", + "cloud.region", + "cloud.account.id", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements", +] + [rule.new_terms] field = "new_terms_fields" value = ["aws.cloudtrail.user_identity.invoked_by", "aws.cloudtrail.resources.arn"] [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-10d" +value = "now-5d" 
diff --git a/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml b/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml
index 0c145d72923..bf5632113dd 100644
--- a/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml
+++ b/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml
@@ -2,18 +2,25 @@ creation_date = "2024/11/05" integration = ["aws"] maturity = "production" -updated_date = "2025/06/18" +updated_date = "2025/12/16" [rule] author = ["Elastic"] description = """ -Identifies when a user or role has assumed a role in AWS Security Token Service (STS). Users can assume a role to obtain temporary credentials and access AWS resources. Adversaries can use this technique for credential access and privilege escalation. This is a New Terms rule that identifies when a service assumes a role in AWS Security Token Service (STS) to obtain temporary credentials and access AWS resources. While often legitimate, adversaries may use this technique for unauthorized access, privilege escalation, or lateral movement within an AWS environment. +Identifies when a user or role has assumed a role in AWS Security Token Service (STS). Users can assume a role to obtain +temporary credentials and access AWS resources. Adversaries can use this technique for credential access and privilege +escalation. This is a New Terms rule that identifies when a service assumes a role in AWS Security Token Service (STS) +to obtain temporary credentials and access AWS resources. While often legitimate, adversaries may use this technique for +unauthorized access, privilege escalation, or lateral movement within an AWS environment. """ false_positives = [ - "AWS administrators or automated processes might regularly assume roles for legitimate administrative purposes. Applications integrated with AWS might assume roles to access AWS resources. Automated workflows might assume roles to perform periodic tasks such as data backups, updates, or deployments.", + """ + AWS administrators or automated processes might regularly assume roles for legitimate administrative purposes. + Applications integrated with AWS might assume roles to access AWS resources. Automated workflows might assume roles + to perform periodic tasks such as data backups, updates, or deployments. 
+ """, ] from = "now-6m" -interval = "5m" index = ["filebeat-*", "logs-aws.cloudtrail-*"] language = "kuery" license = "Elastic License v2" @@ -85,26 +92,6 @@ event.dataset: "aws.cloudtrail" and aws.cloudtrail.user_identity.type: ("AssumedRole" or "IAMUser") ''' -[rule.investigation_fields] -field_names = [ - "@timestamp", - "user.name", - "user_agent.original", - "source.ip", - "aws.cloudtrail.user_identity.arn", - "aws.cloudtrail.user_identity.type", - "aws.cloudtrail.user_identity.access_key_id", - "event.action", - "event.outcome", - "aws.cloudtrail.resources.arn", - "aws.cloudtrail.resources.type", - "aws.cloudtrail.flattened.request_parameters.roleSessionName", - "aws.cloudtrail.flattened.response_elements.credentials.accessKeyId", - "cloud.region", - "cloud.account.id", - "aws.cloudtrail.request_parameters", - "aws.cloudtrail.response_elements" -] [[rule.threat]] framework = "MITRE ATT&CK" @@ -136,11 +123,32 @@ id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[rule.investigation_fields] +field_names = [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "event.action", + "event.outcome", + "aws.cloudtrail.resources.arn", + "aws.cloudtrail.resources.type", + "aws.cloudtrail.flattened.request_parameters.roleSessionName", + "aws.cloudtrail.flattened.response_elements.credentials.accessKeyId", + "cloud.region", + "cloud.account.id", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements", +] + [rule.new_terms] field = "new_terms_fields" value = ["cloud.account.id", "user.name", "aws.cloudtrail.resources.arn"] [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-10d" +value = "now-5d"
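Review bot: The reflowed description in privilege_escalation_role_assumption_by_user.toml still says `This is a New Terms rule that identifies when a service assumes a role`, copied from the by-service rule, while this rule (and its own opening sentence) is about a user or IAM role assuming a role; change the third rewrapped line to `escalation. This is a New Terms rule that identifies when a user or role assumes a role in AWS Security Token Service (STS)`. Since the commit is already rewrapping this text, it is the cheapest moment to fix the copy-paste. The `[rule]` table continues past the hunk.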