[Tuning] First Time AWS Cloudformation Stack Creation by User (#5036)

* [Tuning] First Time AWS Cloudformation Stack Creation by User

- corrected a creation_date error
- Removed `CreateStackSet` API call as this only creates a blueprint for creating stack instances across multiple AWS accounts and regions but does not actually create the resources
- Added `CreateStackInstances` API call which is used to create resources defined in the StackSet
- removed user from rule name as this also triggers for roles
- edited description and investigation guide
- added Mitre technique

* adding highlighted fields

(cherry picked from commit 4cde57d)

Author: imays11

rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml

@@ -1,21 +1,17 @@
 [metadata]
-creation_date = "2020/07/25"
+creation_date = "2024/07/25"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/27"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects the first time a principal calls AWS Cloudwatch `CreateStack` or `CreateStackSet` API. Cloudformation
-is used to create a single collection of cloud resources called a stack, via a defined template file. An attacker with
-the appropriate privileges could leverage Cloudformation to create specific resources needed to further exploit the
-environment. This is a new terms rule that looks for the first instance of this behavior in the last 10 days for a role
-or IAM user within a particular account.
+This rule detects the first time a principal calls AWS CloudFormation CreateStack, CreateStackSet or CreateStackInstances API. CloudFormation is used to create a collection of cloud resources called a stack, via a defined template file. An attacker with the appropriate privileges could leverage CloudFormation to create specific resources needed to further exploit the environment. This is a new terms rule that looks for the first instance of this behavior for a role or IAM user within a particular account.
 """
 false_positives = [
     """
-    Verify whether the user identity should be using the `CreateStack` or `CreateStackSet` APIs. If known behavior is
+    Verify whether the user identity should be using the triggered API. If known behavior is
     causing false positives, it can be exempted from the rule. The "history_window_start" value can be modified to
     reflect the expected frequency of known activity within a particular environment.
     """,
@@ -24,12 +20,10 @@ from = "now-6m"
 index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "First Time AWS Cloudformation Stack Creation by User"
+name = "First Time AWS CloudFormation Stack Creation"
 references = [
-    "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-cli-creating-stack.html/",
-    "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html/",
-    "https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStack.html/",
-    "https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStackSet.html/",
+    "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html",
+    "https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStack.html",
 ]
 risk_score = 47
 rule_id = "0415258b-a7b2-48a6-891a-3367cd9d4d31"
@@ -38,7 +32,7 @@ tags = [
     "Domain: Cloud",
     "Data Source: AWS",
     "Data Source: Amazon Web Services",
-    "Data Source: Cloudformation",
+    "Data Source: CloudFormation",
     "Use Case: Asset Visibility",
     "Tactic: Execution",
     "Resources: Investigation Guide",
@@ -48,23 +42,24 @@ type = "new_terms"
 
 query = '''
 event.dataset:aws.cloudtrail and event.provider:cloudformation.amazonaws.com and
-    event.action: (CreateStack or CreateStackSet) and event.outcome:success
+    event.action: (CreateStack or CreateStackInstances) 
+    and event.outcome:success
 '''
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating First Time AWS Cloudformation Stack Creation by User
+### Investigating First Time AWS CloudFormation Stack Creation
 
-AWS CloudFormation automates the setup of cloud resources using templates, streamlining infrastructure management. Adversaries with access can exploit this to deploy malicious resources, escalating their control. The detection rule identifies unusual activity by flagging the initial use of stack creation APIs by a user, helping to spot potential unauthorized actions early.
+AWS CloudFormation automates the setup of cloud resources using templates, streamlining infrastructure management. Adversaries with access can exploit this to deploy malicious resources, escalating their control. The detection rule identifies unusual activity by flagging the initial use of stack creation APIs by a user or role, helping to spot potential unauthorized actions early.
 
 ### Possible investigation steps
 
-- Review the CloudTrail logs for the specific event.dataset:aws.cloudtrail and event.provider:cloudformation.amazonaws.com to identify the user or role that initiated the CreateStack or CreateStackSet action.
+- Review `aws.cloudtrail.user_identity.arn` to identify the user or role that initiated the `CreateStack` or `CreateStackInstances` action.
 - Verify the IAM permissions of the user or role involved in the event to ensure they have the appropriate level of access and determine if the action aligns with their typical responsibilities.
-- Examine the stack template used in the CreateStack or CreateStackSet action to identify any unusual or unauthorized resources being provisioned.
-- Check the event.outcome:success field to confirm the stack creation was successful and investigate any related resources that were deployed as part of the stack.
+- Examine the stack template used to identify any unusual or unauthorized resources being provisioned.
+- Investigate any related resources that were deployed as part of the stack.
 - Correlate the timing of the stack creation with other logs or alerts to identify any suspicious activity or patterns that might indicate malicious intent.
 - Investigate the account's recent activity history to determine if there have been any other first-time or unusual actions by the same user or role.
 
@@ -78,18 +73,37 @@ AWS CloudFormation automates the setup of cloud resources using templates, strea
 
 ### Response and remediation
 
-- Immediately isolate the IAM user or role that initiated the stack creation to prevent further unauthorized actions. This can be done by revoking permissions or disabling the account temporarily.
-- Review the created stack and stack set for any unauthorized or suspicious resources. Identify and terminate any resources that are not part of the expected infrastructure.
+- Immediately isolate the IAM user or role that initiated the stack creation to prevent further unauthorized actions. This can be done by revoking permissions with a [DenyAll](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDenyAll.html) permissions policy or disabling the account temporarily.
+- Review the created stack for any unauthorized or suspicious resources. Identify and terminate any resources that are not part of the expected infrastructure.
 - Conduct a thorough audit of recent IAM activity to identify any other unusual or unauthorized actions that may indicate further compromise.
 - If malicious activity is confirmed, escalate the incident to the security operations team for a full investigation and potential involvement of incident response teams.
 - Implement additional monitoring and alerting for the affected account to detect any further unauthorized attempts to use CloudFormation or other critical AWS services.
-- Review and tighten IAM policies and permissions to ensure that only necessary privileges are granted, reducing the risk of exploitation by adversaries.
-- Consider enabling AWS CloudTrail logging and AWS Config rules to maintain a detailed record of all API activity and configuration changes for ongoing monitoring and compliance."""
-
+- Review and tighten IAM policies and permissions to ensure that only necessary privileges are granted, reducing the risk of exploitation by adversaries."""
+
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "user.name",
+    "user_agent.original",
+    "source.ip",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
+    "aws.cloudtrail.user_identity.access_key_id",
+    "event.action",
+    "event.outcome",
+    "cloud.account.id",
+    "cloud.region",
+    "aws.cloudtrail.request_parameters",
+    "aws.cloudtrail.response_elements"
+]
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1648"
+name = "Serverless Execution"
+reference = "https://attack.mitre.org/techniques/T1648/"
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"