Merge branch 'main' into investigation_guide_bedrock

Author: terrancedejesus

rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2024/08/26"
+integration = ["aws"]
 maturity = "production"
-updated_date = "2024/10/09"
+updated_date = "2024/11/04"
 
 [rule]
 author = ["Elastic"]

rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml

@@ -0,0 +1,149 @@
+[metadata]
+creation_date = "2024/11/04"
+integration = ["aws"]
+maturity = "production"
+min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully"
+min_stack_version = "8.13.0"
+updated_date = "2024/11/04"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects when a single AWS resource is running multiple `Describe` and `List` API calls in a 10-second window. This
+behavior could indicate an actor attempting to discover the AWS infrastructure using compromised credentials or a
+compromised instance. Adversaries may use this information to identify potential targets for further exploitation or to
+gain a better understanding of the target's infrastructure.
+"""
+false_positives = [
+    """
+    Administrators or automated systems may legitimately perform multiple `Describe` and `List` API calls in a short
+    time frame. Verify the user identity and the purpose of the API calls to determine if the behavior is expected.
+    """,
+]
+from = "now-9m"
+language = "esql"
+license = "Elastic License v2"
+name = "AWS Discovery API Calls via CLI from a Single Resource"
+note = """## Triage and Analysis
+
+### Investigating AWS Discovery API Calls via CLI from a Single Resource
+
+This rule detects multiple discovery-related API calls (`Describe`, `List`, or `Get` actions) within a short time window (30 seconds) from a single AWS resource. High volumes of such calls may indicate attempts to enumerate AWS infrastructure for reconnaissance purposes, which is often a tactic used by adversaries with compromised credentials or unauthorized access.
+
+#### Possible Investigation Steps
+
+- **Identify the Actor and Resource**:
+  - **User Identity and Resource**: Examine `aws.cloudtrail.user_identity.arn` to identify the actor making the discovery requests. Verify the user or resource associated with these actions to ensure they are recognized and expected.
+  - **User Agent and Tooling**: Check `user_agent.name` to confirm whether the `aws-cli` tool was used for these requests. Use of the CLI in an atypical context might indicate unauthorized or automated access.
+
+- **Evaluate the Context and Scope of API Calls**:
+  - **API Action Types**: Look into the specific actions under `event.action` for API calls like `Describe*`, `List*`, or `Get*`. Note if these calls are targeting sensitive services, such as `EC2`, `IAM`, or `S3`, which may suggest an attempt to identify high-value assets.
+  - **Time Pattern Analysis**: Review the `time_window` and `unique_api_count` to assess whether the frequency of these calls is consistent with normal patterns for this resource or user.
+
+- **Analyze Potential Compromise Indicators**:
+  - **Identity Type**: Review `aws.cloudtrail.user_identity.type` to determine if the calls originated from an assumed role, a root user, or a service role. Unusual identity types for discovery operations may suggest misuse or compromise.
+  - **Source IP and Geographic Location**: Examine the `source.ip` and `source.geo` fields to identify any unusual IP addresses or locations associated with the activity, which may help confirm or rule out external access.
+
+- **Examine Related CloudTrail Events**:
+  - **Pivot for Related Events**: Identify any additional IAM or CloudTrail events tied to the same actor ARN. Activities such as `AssumeRole`, `GetSessionToken`, or `CreateAccessKey` in proximity to these discovery calls may signal an attempt to escalate privileges.
+  - **Look for Anomalous Patterns**: Determine if this actor or resource has performed similar discovery actions previously, or if these actions coincide with other alerts related to credential use or privilege escalation.
+
+### False Positive Analysis
+
+- **Expected Discovery Activity**: Regular discovery or enumeration API calls may be conducted by security, automation, or monitoring scripts to maintain an inventory of resources. Validate if this activity aligns with known automation or inventory tasks.
+- **Routine Admin or Automated Access**: If specific roles or resources, such as automation tools or monitoring services, regularly trigger this rule, consider adding exceptions for these known, benign users to reduce false positives.
+
+### Response and Remediation
+
+- **Confirm Authorized Access**: If the discovery activity appears unauthorized, consider immediate steps to restrict the user or resource’s permissions.
+- **Review and Remove Unauthorized API Calls**: If the actor is not authorized to perform discovery actions, investigate and potentially disable their permissions or access keys to prevent further misuse.
+- **Enhance Monitoring for Discovery Patterns**: Consider additional logging or alerting for high-frequency discovery API calls, especially if triggered from new or unrecognized resources.
+- **Policy Review and Updates**: Review IAM policies associated with the actor, ensuring restrictive permissions and MFA enforcement where possible to prevent unauthorized discovery.
+
+### Additional Information
+
+For further guidance on AWS infrastructure discovery and best practices, refer to [AWS CloudTrail documentation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference.html) and MITRE ATT&CK’s [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580/).
+"""
+references = ["https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance/"]
+risk_score = 21
+rule_id = "74f45152-9aee-11ef-b0a5-f661ea17fbcd"
+severity = "low"
+tags = [
+    "Domain: Cloud",
+    "Data Source: AWS",
+    "Data Source: AWS EC2",
+    "Data Source: AWS IAM",
+    "Data Source: AWS S3",
+    "Use Case: Threat Detection",
+    "Tactic: Discovery",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-aws.cloudtrail*
+
+// create time window buckets of 10 seconds
+| eval time_window = date_trunc(10 seconds, @timestamp)
+| where
+    event.dataset == "aws.cloudtrail"
+
+    // filter on CloudTrail audit logs for IAM, EC2, and S3 events only
+    and event.provider in (
+      "iam.amazonaws.com",
+      "ec2.amazonaws.com",
+      "s3.amazonaws.com",
+      "rds.amazonaws.com",
+      "lambda.amazonaws.com",
+      "dynamodb.amazonaws.com",
+      "kms.amazonaws.com",
+      "cloudfront.amazonaws.com",
+      "elasticloadbalancing.amazonaws.com",
+      "cloudfront.amazonaws.com"
+    )
+
+    // ignore AWS service actions
+    and aws.cloudtrail.user_identity.type != "AWSService"
+
+    // filter for aws-cli specifically
+    and user_agent.name == "aws-cli"
+
+    // exclude DescribeCapacityReservations events related to AWS Config
+    and not event.action in ("DescribeCapacityReservations")
+
+// filter for Describe, Get, List, and Generate API calls
+| where true in (
+    starts_with(event.action, "Describe"),
+    starts_with(event.action, "Get"),
+    starts_with(event.action, "List"),
+    starts_with(event.action, "Generate")
+)
+// extract owner, identity type, and actor from the ARN
+| dissect aws.cloudtrail.user_identity.arn "%{}::%{owner}:%{identity_type}/%{actor}"
+| where starts_with(actor, "AWSServiceRoleForConfig") != true
+| keep @timestamp, time_window, event.action, aws.cloudtrail.user_identity.arn
+| stats
+    // count the number of unique API calls per time window and actor
+    unique_api_count = count_distinct(event.action) by time_window, aws.cloudtrail.user_identity.arn
+
+// filter for more than 5 unique API calls per time window
+| where unique_api_count > 5
+
+// sort the results by the number of unique API calls in descending order
+| sort unique_api_count desc
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1580"
+name = "Cloud Infrastructure Discovery"
+reference = "https://attack.mitre.org/techniques/T1580/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+

rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml

@@ -0,0 +1,97 @@
+[metadata]
+creation_date = "2024/11/01"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2024/11/01"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when an AWS Systems Manager (SSM) command document is created by a user who does not typically perform this action. Adversaries may create SSM command documents to execute commands on managed instances, potentially leading to unauthorized access, command and control, data exfiltration and more.
+"""
+false_positives = [
+    """
+    Legitimate users may create SSM command documents for legitimate purposes. Ensure that the document is authorized and the user is known before taking action.
+    """,
+]
+from = "now-9m"
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS SSM Command Document Created by Rare User"
+note = """
+## Triage and Analysis
+
+### Investigating AWS SSM Command Document Created by Rare User
+
+This rule identifies when an AWS Systems Manager (SSM) command document is created by a user who does not typically perform this action. Creating SSM command documents can be a legitimate action but may also indicate malicious intent if done by an unusual or compromised user. Adversaries may leverage SSM documents to execute commands on managed instances, potentially leading to unauthorized access, command and control, or data exfiltration.
+
+#### Possible Investigation Steps
+
+- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` field to identify who created the SSM document. Verify if this user typically creates such documents and has the appropriate permissions. It may be unexpected for certain types of users, like assumed roles or federated users, to perform this action.
+- **Analyze the Document Details**:
+  - **Document Name**: Check the `aws.cloudtrail.request_parameters.name` field for the document name to understand its intended purpose.
+  - **Document Content**: If possible, review `aws.cloudtrail.request_parameters.content` for any sensitive or unexpected instructions (e.g., actions for data exfiltration or privilege escalation). If not available via logs, consider reviewing the document in the AWS Management Console.
+- **Contextualize the Activity with Related Events**: Look for other CloudTrail events involving the same user ARN or IP address (`source.address`). Examine actions performed in other AWS services, such as IAM, EC2, or S3, to identify if additional suspicious behavior exists. The `SendCommand` API call may indicate attempts to execute the SSM document on managed instances.
+- **Check Document Status and Metadata**:
+  - **Document Status**: Confirm the document creation status in `aws.cloudtrail.response_elements.documentDescription.status`. A status of `Creating` may indicate that the document is in progress.
+  - **Execution Permissions**: Review if the document specifies `platformTypes` and `documentVersion` in `aws.cloudtrail.response_elements.documentDescription` to understand which environments may be impacted and if multiple versions exist.
+
+### False Positive Analysis
+
+- **Authorized Administrative Actions**: Determine if this document creation aligns with scheduled administrative tasks or actions by authorized personnel.
+- **Historical User Actions**: Compare this action against historical activities for the user to determine if they have a history of creating similar documents, which may indicate legitimate usage.
+
+### Response and Remediation
+
+- **Immediate Document Review and Deletion**: If the document creation is deemed unauthorized, delete the document immediately and check for other similar documents created recently.
+- **Enhance Monitoring and Alerts**: Configure additional monitoring for SSM document creation events, especially when associated with untrusted or rare users.
+- **Policy Update**: Consider restricting SSM document creation permissions to specific, trusted roles or users to prevent unauthorized document creation.
+- **Incident Response**: If the document is confirmed as part of malicious activity, treat this as a security incident. Follow incident response protocols, including containment, investigation, and remediation.
+
+### Additional Information
+
+For further guidance on managing and securing AWS Systems Manager in your environment, refer to the [AWS SSM documentation](https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html) and AWS security best practices.
+"""
+references = [
+    "https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_CreateDocument.html",
+    "https://docs.aws.amazon.com/systems-manager/latest/userguide/documents.html"
+]
+risk_score = 21
+rule_id = "50a2bdea-9876-11ef-89db-f661ea17fbcd"
+severity = "low"
+tags = [
+    "Domain: Cloud",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Data Source: AWS SNS",
+    "Data Source: AWS Systems Manager",
+    "Resources: Investigation Guide",
+    "Use Case: Threat Detection",
+    "Tactic: Execution"
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset: "aws.cloudtrail"
+    and event.provider: "ssm.amazonaws.com"
+    and event.action: "CreateDocument"
+    and event.outcome: "success"
+    and aws.cloudtrail.response_elements: *documentType=Command*
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["aws.cloudtrail.user_identity.arn"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"

rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml

@@ -0,0 +1,103 @@
+[metadata]
+creation_date = "2024/11/01"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2024/11/01"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when an SNS topic is subscribed to by an email address of a user who does not typically perform this action.
+Adversaries may subscribe to an SNS topic to collect sensitive information or exfiltrate data via an external email
+address.
+"""
+false_positives = [
+    """
+    Legitimate users may subscribe to SNS topics for legitimate purposes. Ensure that the subscription is authorized and
+    the subscription email address is known before taking action.
+    """,
+]
+from = "now-9m"
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS SNS Email Subscription by Rare User"
+note = """## Triage and Analysis
+
+### Investigating AWS SNS Email Subscription by Rare User
+
+This rule identifies when an SNS topic is subscribed to by an email address of a user who does not typically perform this action. While subscribing to SNS topics is a common practice, adversaries may exploit this feature to collect sensitive information or exfiltrate data via an external email address.
+
+#### Possible Investigation Steps
+
+- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` field to identify the user who requested the subscription. Verify if this actor typically performs such actions and has the necessary permissions. It may be unusual for this activity to originate from certain user types, such as an assumed role or federated user.
+- **Review the SNS Subscription Event**: Analyze the specifics of the `Subscribe` action in CloudTrail logs:
+  - **Topic**: Look at the `aws.cloudtrail.request_parameters.topicArn` field to identify the SNS topic involved in the subscription.
+  - **Protocol and Endpoint**: Review the `aws.cloudtrail.request_parameters.protocol` and `aws.cloudtrail.request_parameters.endpoint` fields to confirm the subscription's protocol and email address. Confirm if this endpoint is associated with a known or trusted entity.
+  - **Subscription Status**: Check the `aws.cloudtrail.response_elements.subscriptionArn` field for the subscription's current status, noting if it requires confirmation.
+- **Verify Authorization**: Evaluate whether the user typically engages in SNS subscription actions and if they are authorized to do so for the specified topic.
+- **Contextualize with Related Events**: Review related CloudTrail logs around the event time for other actions by the same user or IP address. Look for activities involving other AWS services, such as S3 or IAM, that may indicate further suspicious behavior.
+- **Evaluate the Subscription Endpoint**: Determine whether the email endpoint is legitimate or associated with any known entity. This may require checking internal documentation or reaching out to relevant AWS account administrators.
+- **Check for Publish Actions**: Investigate for any subsequent `Publish` actions on the same SNS topic that may indicate exfiltration attempts or data leakage. If Publish actions are detected, further investigate the contents of the messages.
+- **Review IAM Policies**: Examine the user or role's IAM policies to ensure that the subscription action is within the scope of their permissions or should be.
+
+### False Positive Analysis
+
+- **Historical User Actions**: Verify if the user has a history of performing similar actions on SNS topics. Consistent, repetitive actions may suggest legitimate usage.
+- **Scheduled or Automated Tasks**: Confirm if the subscription action aligns with scheduled tasks or automated notifications authorized by your organization.
+
+### Response and Remediation
+
+- **Immediate Review and Reversal**: If the subscription was unauthorized, take appropriate action to cancel it and adjust SNS permissions as necessary.
+- **Strengthen Monitoring and Alerts**: Configure monitoring systems to flag similar actions involving sensitive topics or unapproved endpoints.
+- **Policy Review**: Review and update policies related to SNS subscriptions and access, tightening control as needed to prevent unauthorized subscriptions.
+- **Incident Response**: If there is evidence of malicious intent, treat the event as a potential data exfiltration incident and follow incident response protocols, including further investigation, containment, and recovery.
+
+### Additional Information
+
+For further guidance on managing and securing SNS topics in AWS environments, refer to the [AWS SNS documentation](https://docs.aws.amazon.com/sns/latest/dg/welcome.html) and AWS best practices for security.
+
+"""
+references = ["https://docs.aws.amazon.com/sns/latest/api/API_Subscribe.html"]
+risk_score = 21
+rule_id = "3df49ff6-985d-11ef-88a1-f661ea17fbcd"
+severity = "low"
+tags = [
+    "Domain: Cloud",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Data Source: AWS SNS",
+    "Resources: Investigation Guide",
+    "Use Case: Threat Detection",
+    "Tactic: Exfiltration",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset: "aws.cloudtrail"
+    and event.provider: "sns.amazonaws.com"
+    and event.action: "Subscribe"
+    and aws.cloudtrail.request_parameters: *protocol=email*
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1567"
+name = "Exfiltration Over Web Service"
+reference = "https://attack.mitre.org/techniques/T1567/"
+
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["aws.cloudtrail.user_identity.arn"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"