You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This rule is triggering as expected with moderate telemetry volume (high spikes for what looks like expected cleanup jobs) in specific cluster. No changes needed to the rule query.
- updated description, FP and IG
- reduced execution window
- updated highlighted fields
Copy file name to clipboardExpand all lines: rules/integrations/aws/defense_evasion_sqs_purge_queue.toml
+52-85Lines changed: 52 additions & 85 deletions
Original file line number
Diff line number
Diff line change
@@ -2,19 +2,23 @@
2
2
creation_date = "2025/01/08"
3
3
integration = ["aws"]
4
4
maturity = "production"
5
-
updated_date = "2025/01/15"
5
+
updated_date = "2025/12/12"
6
6
7
7
[rule]
8
8
author = ["Elastic"]
9
9
description = """
10
-
Identifies when an AWS Simple Queue Service (SQS) queue is purged. Adversaries may purge SQS queues to disrupt
11
-
operations, delete messages, or impair monitoring and alerting mechanisms. This action can be used to evade detection
12
-
and cover tracks by removing evidence of malicious activities.
10
+
Identifies when an AWS Simple Queue Service (SQS) queue is purged. Purging an SQS queue permanently deletes all messages
11
+
currently in the queue. Adversaries may use this action to disrupt application workflows, destroy operational data, or
12
+
impair monitoring and alerting by removing messages that contain evidence of malicious activity.
13
13
"""
14
14
false_positives = [
15
-
"Administrators may purge SQS queues for legitimate reasons, such as removing outdated or sensitive data.",
15
+
"""
16
+
Authorized administrators or automated workflows may purge SQS queues for legitimate operational reasons, such as
17
+
clearing stale messages, resetting test environments, or performing approved maintenance. Verify that the action
18
+
aligns with documented procedures and expected operational behavior.
19
+
""",
16
20
]
17
-
from = "now-9m"
21
+
from = "now-6m"
18
22
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
19
23
language = "kuery"
20
24
license = "Elastic License v2"
@@ -26,82 +30,47 @@ note = """## Triage and analysis
26
30
27
31
### Investigating AWS SQS Queue Purge
28
32
29
-
AWS Simple Queue Service (SQS) is a managed message queuing service that enables decoupling and scaling of microservices, distributed systems, and serverless applications. Adversaries may exploit SQS by purging queues to erase messages, disrupt operations, or hinder monitoring. The detection rule identifies successful purge actions in AWS CloudTrail logs, signaling potential defense evasion attempts by adversaries.
33
+
AWS SQS is a managed message queuing service commonly used to decouple services and buffer events across distributed and serverless architectures. Purging a queue removes all pending messages and cannot be undone. While this may be required for maintenance or testing, adversaries may abuse this action to disrupt operations, delete forensic evidence, or evade detection by removing queued security or audit events.
30
34
31
35
### Possible investigation steps
32
36
33
-
- Review the AWS CloudTrail logs for the specific event.provider "sqs.amazonaws.com" and event.action "PurgeQueue" to identify the time and source of the purge action.
34
-
- Identify the IAM user or role associated with the purge action by examining the user identity information in the CloudTrail logs to determine if the action was authorized or potentially malicious.
35
-
- Check the event.outcome "success" to confirm that the purge action was completed successfully and assess the impact on the queue's message data.
36
-
- Investigate the context around the purge event by reviewing preceding and subsequent CloudTrail logs to identify any related or suspicious activities, such as unauthorized access attempts or changes to IAM policies.
37
-
- Assess the potential impact on operations and monitoring by determining which messages were purged and if they contained critical or sensitive information.
38
-
- Evaluate the necessity of implementing additional security measures, such as stricter IAM policies or enhanced logging and alerting, to prevent unauthorized queue purges in the future.
37
+
**Identify the actor**
38
+
- Review `aws.cloudtrail.user_identity.arn` and `access_key_id` to determine who initiated the purge. Confirm whether this identity typically manages SQS resources and whether the action aligns with their role.
39
39
40
-
### False positive analysis
41
-
42
-
- Routine maintenance activities by administrators may trigger the purge action. To handle this, identify and whitelist known maintenance operations or specific IAM roles used by trusted personnel.
43
-
- Automated scripts or applications that regularly purge queues as part of their normal operation can cause false positives. Review and document these processes, then create exceptions for these specific actions in your monitoring system.
44
-
- Testing environments where queues are frequently purged for development purposes can lead to alerts. Exclude these environments from the rule by filtering based on environment tags or specific queue names.
45
-
- Scheduled tasks that include queue purging as a cleanup mechanism might be misinterpreted as malicious. Ensure these tasks are logged and approved, and adjust the detection rule to ignore these scheduled events.
46
-
- Third-party integrations that manage SQS queues and perform purges as part of their functionality should be assessed. Verify the legitimacy of these integrations and exclude their actions from triggering alerts.
47
-
48
-
### Response and remediation
49
-
50
-
- Immediately isolate the affected AWS SQS queue to prevent further unauthorized purging or access. This can be done by modifying the queue's access policies to restrict permissions temporarily.
51
-
- Review AWS CloudTrail logs to identify the source of the purge action, including the IAM user or role responsible, and assess whether the action was authorized or part of a larger malicious activity.
52
-
- Revoke or adjust permissions for the identified IAM user or role to prevent further unauthorized actions. Ensure that only necessary permissions are granted following the principle of least privilege.
53
-
- Restore any critical messages or data that were purged, if possible, from backups or other data recovery solutions to minimize operational disruption.
54
-
- Notify the security team and relevant stakeholders about the incident, providing details of the purge action and any identified malicious activity, to ensure coordinated response efforts.
55
-
- Conduct a thorough review of IAM policies and access controls related to SQS to identify and remediate any potential security gaps that could be exploited in the future.
56
-
- Enhance monitoring and alerting mechanisms for AWS SQS by implementing additional logging and anomaly detection to quickly identify and respond to similar threats in the future.
57
-
58
-
## Triage and Analysis
59
-
60
-
### Investigating AWS SQS Queue Purge
61
-
62
-
This rule detects when an AWS SQS queue is purged, an action that adversaries may use to disrupt operations, delete messages, or impair monitoring and alerting mechanisms. Purging an SQS queue removes all messages, which could be used as a tactic to evade detection by deleting evidence of malicious activity or to disrupt legitimate workflows.
63
-
64
-
#### Possible Investigation Steps
65
-
66
-
- **Identify the Actor and Resource**:
67
-
- **User Identity and Permissions**: Review the field `aws.cloudtrail.user_identity.arn` to identify the IAM user or role responsible for the purge. Validate their permissions and determine if this action aligns with their typical responsibilities.
68
-
- **SQS Queue Details**: Examine `aws.cloudtrail.resources.arn` and `aws.cloudtrail.flattened.request_parameters.queueUrl` to identify the specific SQS queue that was purged. Check its purpose, associated workflows, and whether it handles sensitive or critical messages.
69
-
70
-
- **Evaluate the Context and Purpose of the Purge**:
71
-
- **Time and Frequency**: Check the timestamp (`@timestamp`) to determine when the purge occurred and whether similar events have occurred recently. Frequent or repeated purges may indicate a larger issue or ongoing malicious activity.
72
-
- **Legitimacy of the Action**: Consult with the owner or administrator of the affected queue to verify if the purge was intentional or authorized.
40
+
**Review the affected queue**
41
+
- Identify the purged queue using `aws.cloudtrail.request_parameters` or `aws.cloudtrail.resources.arn`. Determine the purpose of the queue and whether it supports critical workflows, security tooling, or monitoring pipelines.
73
42
74
-
- **Analyze for Potential Indicators of Malicious Activity**:
75
-
- **Source IP and Geographic Location**: Review `source.ip` and `source.geo` to identify the origin of the request. Anomalies, such as unexpected locations, may indicate compromise.
76
-
- **User Agent and Tooling**: Check `user_agent.original` to confirm the tool used to perform the purge. The use of unexpected or automated tooling may raise suspicion.
43
+
**Evaluate the context of the action**
44
+
- Review the `@timestamp` to determine when the purge occurred and whether it aligns with maintenance windows or
45
+
deployment activity.
46
+
- Examine `source.ip` and `user_agent.original` for anomalies such as unexpected locations, automation tools, or
47
+
unfamiliar clients.
77
48
78
-
- **Cross-Reference Related Activity**:
79
-
- **Recent IAM Events**: Search for related IAM or security-related events tied to the same actor, such as `CreateAccessKey`, `AssumeRole`, or `UpdateRolePolicy`, which could indicate privilege escalation or preparation for malicious actions.
80
-
- **Other SQS Activity**: Look for additional activity involving the same SQS queue, such as `SendMessage`, `ReceiveMessage`, or `DeleteQueue`, to identify further signs of unauthorized usage.
49
+
**Correlate related activity**
50
+
- Search for other CloudTrail events from the same identity before and after the purge, including IAM changes, credential activity, or additional SQS operations.
51
+
- Look for signs of follow-on behavior such as queue deletion, policy updates, or attempts to suppress logging.
81
52
82
-
### False Positive Analysis
53
+
**Validate intent**
54
+
- Confirm with the queue owner or application team whether the purge was intentional, approved, and expected. If no clear business justification exists, treat the activity as potentially suspicious.
83
55
84
-
- **Legitimate Administrative Activity**: Administrators may purge SQS queues as part of maintenance or cleanup processes. Validate whether the action was part of an approved operation.
85
-
- **Automation or Testing**: Automation tools or testing processes may perform queue purges as part of their workflow. Verify if the action aligns with known automated tasks or test scenarios.
86
-
87
-
### Response and Remediation
88
-
89
-
- **Immediate Actions**:
90
-
- **Restrict Access**: If the action appears unauthorized, immediately revoke access for the actor responsible for the purge and investigate potential credential compromise.
91
-
- **Restore Data**: If the purged queue contained critical or sensitive messages, attempt to restore them from backups if available.
92
-
93
-
- **Preventative Measures**:
94
-
- **Enhance Monitoring**: Enable additional monitoring for SQS-related activity to detect unusual patterns, such as frequent purges or changes to queue configurations.
95
-
- **Audit Permissions**: Review and restrict IAM permissions for SQS to ensure only authorized users or roles can perform sensitive actions like `PurgeQueue`.
56
+
### False positive analysis
96
57
97
-
- **Policy Updates**:
98
-
- **Apply Least Privilege**: Adjust IAM policies to enforce the principle of least privilege, ensuring that only necessary permissions are granted. Review the policy assigned to the SQS queue as well to prevent unauthorized purges.
99
-
- **MFA Enforcement**: Require Multi-Factor Authentication (MFA) for all users with access to sensitive AWS resources.
58
+
- Queue purges performed during routine maintenance, incident recovery, or test resets may be legitimate.
59
+
- Automated jobs or cleanup scripts may regularly purge queues as part of normal operation.
100
60
101
-
### Additional Information
61
+
### Response and remediation
102
62
103
-
For further guidance on AWS SQS operations and best practices, refer to:
104
-
- [AWS SQS PurgeQueue API Documentation](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_PurgeQueue.html)
63
+
- If the purge was unauthorized, immediately restrict SQS permissions for the affected identity and investigate for credential compromise.
64
+
- Assess operational impact and determine whether downstream systems were disrupted or lost critical data.
65
+
- Review recent activity to identify any additional attempts to evade detection or disable monitoring.
66
+
- Reinforce least-privilege IAM policies to limit which identities can perform `PurgeQueue`.
67
+
- Enhance monitoring and alerting for destructive SQS actions, especially in production environments.
68
+
- Work with application teams to document approved purge workflows and ensure adequate guardrails are in place.
69
+
70
+
### Additional information
71
+
- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
0 commit comments