[Rule Tuning] December-January AWS Rule Tuning

detection_rules/etc/non-ecs-schema.json

@@ -162,7 +162,9 @@
     "aws.cloudtrail.flattened.additional_eventdata.SSEApplied": "keyword",
     "aws.cloudtrail.flattened.request_parameters.bucketName": "keyword",
     "aws.cloudtrail.flattened.request_parameters.key": "keyword",
-    "aws.cloudtrail.flattened.request_parameters.includeDeprecated": "keyword"
+    "aws.cloudtrail.flattened.request_parameters.includeDeprecated": "keyword",
+    "aws.cloudtrail.flattened.request_parameters.withDecryption": "boolean",
+    "aws.cloudtrail.flattened.request_parameters.instanceId": "keyword"
   },
   "logs-azure.signinlogs-*": {
     "azure.signinlogs.properties.conditional_access_audiences.application_id": "keyword"

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "0.4.3"
+version = "0.4.4"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"

rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2025/01/22"
 
 [rule]
 author = ["Nick Jones", "Elastic"]
@@ -53,6 +53,7 @@ This rule looks for the retrieval of credentials using `GetSecretValue` action i
 
 ### False positive analysis
 
+- Review `user.id` values for expected ARNs. If this is an expected behavior, consider adding exceptions to the rule.
 - False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. Consider adding exceptions — preferably with a combination of user agent and IP address conditions.
 
 ### Response and remediation

rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/04/12"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/10"
+updated_date = "2025/01/27"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ false_positives = [
     """,
 ]
 from = "now-9m"
-index = ["filebeat-*", "logs-aws.cloudtrail*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Systems Manager SecureString Parameter Request with Decryption Flag"
@@ -40,13 +40,15 @@ Adversaries may target SecureStrings to retrieve sensitive information such as e
 
 - **Review the Access Event**: Identify the specific API call (`GetParameter` or `GetParameters`) that triggered the rule. Examine the `request_parameters` for `withDecryption` set to true and the name of the accessed parameter.
 - **Verify User Identity and Access Context**: Check the `user_identity` details to understand who accessed the parameter and their role within the organization. This includes checking the ARN and access key ID to determine if the access was authorized.
+    - **User ID**: Review the `user.id` field to identify the specific user or role that initiated the API call. Note that the ARN associated may be an assumed role and may not directly correspond to a human user.
 - **Contextualize with User Behavior**: Assess whether the access pattern fits the user’s normal behavior or job responsibilities. Investigate any out-of-pattern activities around the time of the event.
 - **Analyze Geographic and IP Context**: Using the `source.ip` and `source.geo` information, verify if the request came from a trusted location or if there are any anomalies that suggest a compromised account.
 - **Inspect Related CloudTrail Events**: Look for other related events in CloudTrail to see if there was unusual activity before or after this event, such as unusual login attempts, changes to permissions, or other API calls that could indicate broader unauthorized actions.
 
 ### False Positive Analysis
 
 - **Legitimate Administrative Use**: Verify if the decryption of SecureString parameters is a common practice for the user’s role, particularly if used in automation scripts or deployment processes like those involving Terraform or similar tools.
+- **Authorized Access**: Ensure that the user or role has a legitimate reason to access the SecureString parameters and that the access is part of their expected job responsibilities.
 
 ### Response and Remediation
 
@@ -84,7 +86,11 @@ event.dataset: aws.cloudtrail
     and event.provider: "ssm.amazonaws.com"
     and event.action: (GetParameters or GetParameter)
     and event.outcome: success
-    and aws.cloudtrail.request_parameters: *withDecryption=true*
+    and aws.cloudtrail.flattened.request_parameters.withDecryption: true
+    and not source.address: (
+        "cloudformation.amazonaws.com" or
+        "servicecatalog.amazonaws.com"
+    )
 '''
 
 
@@ -112,5 +118,3 @@ value = ["aws.cloudtrail.user_identity.arn"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-10d"
-
-

rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml

@@ -0,0 +1,142 @@
+[metadata]
+creation_date = "2024/04/14"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2025/01/27"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies discovery request `DescribeInstanceAttribute` with the attribute userData and instanceId in AWS CloudTrail
+logs. This may indicate an attempt to retrieve user data from an EC2 instance. Adversaries may use this information to
+gather sensitive data from the instance such as hardcoded credentials or to identify potential vulnerabilities. This is
+a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule that
+identifies when `aws.cloudtrail.user_identity.arn` requests the user data for a specific
+`aws.cloudtrail.flattened.request_parameters.instanceId` from an EC2 instance in the last 14 days.
+"""
+from = "now-9m"
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS EC2 User Data Retrieval for EC2 Instance"
+note = """
+## Triage and Analysis
+
+### Investigating AWS EC2 User Data Retrieval for EC2 Instance
+
+This rule detects requests to retrieve the `userData` attribute of an EC2 instance using the `DescribeInstanceAttribute` API action. The `userData` field can contain sensitive information, such as hardcoded credentials or configuration scripts, that adversaries may exploit for further attacks.
+
+#### Possible Investigation Steps
+
+- **Identify the Target Instance**:
+  - **Instance ID**: Review the `aws.cloudtrail.flattened.request_parameters.instanceId` field to identify the EC2 instance targeted by the request. Confirm whether this instance should expose its `userData` and whether it is associated with sensitive workloads.
+  - **Analyze userData**: If possible, retrieve and inspect the `userData` field to identify sensitive information like hardcoded credentials or configuration scripts.
+
+- **Review User Context**:
+  - **User Identity**: Inspect the `aws.cloudtrail.user_identity.arn` field to identify the user or role that executed the `DescribeInstanceAttribute` action. Investigate whether this user typically performs such actions.
+  - **Access Patterns**: Validate whether the user or role has the necessary permissions and whether the frequency of this action aligns with expected behavior.
+  - **Access Key ID**: Check the `aws.cloudtrail.user_identity.access_key_id` field to determine the key used to make the request as it may be compromised.
+
+- **Analyze Request Details**:
+  - **Parameters**: Verify that the `attribute=userData` parameter was explicitly requested. This indicates intentional access to user data.
+  - **Source IP and Geolocation**: Check the `source.address` and `source.geo` fields to validate whether the request originated from a trusted location or network. Unexpected geolocations can indicate adversarial activity.
+
+- **Review Source Tool**:
+  - **User Agent**: Inspect the `user_agent.original` field to determine the tool or client used (e.g., Terraform, AWS CLI). Legitimate automation tools may trigger this activity, but custom or unknown user agents may indicate malicious intent.
+
+- **Check for Related Activity**:
+  - **IAM Changes**: Correlate this event with any IAM changes or temporary credential creation to identify potential privilege escalation attempts.
+  - **API Usage**: Look for other unusual API calls (e.g., `RunInstances`, `GetObject`, `AssumeRole`) by the same user or IP to detect lateral movement or data exfiltration attempts.
+
+- **Validate Intent**:
+  - **Permissions and Justification**: Ensure that the user has the least privilege required to perform this action. Investigate whether there is a valid reason for accessing the `userData` field.
+
+### False Positive Analysis
+
+- **Automation**: This event is often triggered by legitimate automation tools, such as Terraform or custom scripts, that require access to `userData` during instance initialization.
+- **Maintenance Activity**: Verify whether this event aligns with expected administrative activities, such as debugging or instance configuration updates.
+
+### Response and Remediation
+
+- **Revoke Excessive Permissions**: If unauthorized, immediately remove `DescribeInstanceAttribute` permissions from the user or role.
+- **Quarantine the Target Instance**: If malicious behavior is confirmed, isolate the affected EC2 instance to limit further exposure.
+- **Secure User Data**:
+  - Avoid storing sensitive information, such as credentials, in `userData`. Use AWS Secrets Manager or Parameter Store instead.
+  - Encrypt user data and ensure only authorized users can decrypt it.
+- **Audit IAM Policies**: Regularly review IAM policies to ensure they adhere to the principle of least privilege.
+- **Monitor and Detect**: Set up additional alerts for unexpected `DescribeInstanceAttribute` calls or other suspicious API activity.
+
+### Additional Information
+
+For more details on managing EC2 user data securely, refer to the [AWS EC2 User Data Documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html).
+"""
+references = [
+    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstanceAttribute.html",
+    "https://hackingthe.cloud/aws/exploitation/local_ec2_priv_esc_through_user_data",
+]
+risk_score = 47
+rule_id = "c1e79a70-fa6f-11ee-8bc8-f661ea17fbce"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Data Source: Amazon EC2",
+    "Resources: Investigation Guide",
+    "Use Case: Log Auditing",
+    "Tactic: Discovery",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset: "aws.cloudtrail"
+    and event.provider: "ec2.amazonaws.com"
+    and event.action: "DescribeInstanceAttribute"
+    and event.outcome: "success"
+    and aws.cloudtrail.request_parameters: (*attribute=userData* and *instanceId*)
+    and not aws.cloudtrail.user_identity.invoked_by: (
+        "AWS Internal" or
+        "cloudformation.amazonaws.com"
+    )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1580"
+name = "Cloud Infrastructure Discovery"
+reference = "https://attack.mitre.org/techniques/T1580/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+[[rule.threat.technique.subtechnique]]
+id = "T1552.005"
+name = "Cloud Instance Metadata API"
+reference = "https://attack.mitre.org/techniques/T1552/005/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["aws.cloudtrail.user_identity.arn", "aws.cloudtrail.flattened.request_parameters.instanceId"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
+
+

rules/integrations/aws/execution_ssm_sendcommand_by_rare_user.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/10"
+updated_date = "2025/01/27"
 
 [rule]
 author = ["Elastic"]
@@ -97,6 +97,11 @@ event.dataset: "aws.cloudtrail"
     and event.action: "SendCommand"
     and event.outcome: "success"
     and not aws.cloudtrail.user_identity.arn: *AWSServiceRoleForAmazonSSM/StateManagerService*
+    and not source.address: (
+      "ssm-guiconnect.amazonaws.com" or
+      "ssm.amazonaws.com" or
+      "inspector2.amazonaws.com"
+    )
 '''