Skip to content

Commit 1f74c34

Browse files
pyth0n1cpyth0n1c
authored
Merge pull request #3536 from splunk/aws_to_ttp
Update AWS Defense Evasion Impair Security Services to TTP
2 parents cc74c42 + 4cfe72f commit 1f74c34

File tree

1 file changed

+27
-3
lines changed

1 file changed

+27
-3
lines changed

detections/cloud/aws_defense_evasion_impair_security_services.yml

Lines changed: 27 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,10 +1,10 @@
11
name: AWS Defense Evasion Impair Security Services
22
id: b28c4957-96a6-47e0-a965-6c767aac1458
3-
version: 7
4-
date: '2025-05-02'
3+
version: 8
4+
date: '2025-05-22'
55
author: Bhavin Patel, Gowthamaraj Rajendran, Splunk
66
status: production
7-
type: Hunting
7+
type: TTP
88
description: The following analytic detects attempts to delete critical AWS security
99
service configurations, such as CloudWatch alarms, GuardDuty detectors, and Web
1010
Application Firewall rules. It leverages CloudTrail logs to identify specific API
@@ -35,6 +35,30 @@ references:
3535
- https://docs.aws.amazon.com/cli/latest/reference/guardduty/index.html
3636
- https://docs.aws.amazon.com/cli/latest/reference/waf/index.html
3737
- https://www.elastic.co/guide/en/security/current/prebuilt-rules.html
38+
drilldown_searches:
39+
- name: View the detection results for - "$user$"
40+
search: '%original_detection_search% | search user = "$user$"'
41+
earliest_offset: $info_min_time$
42+
latest_offset: $info_max_time$
43+
- name: View risk events for the last 7 days for - "$user$"
44+
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$")
45+
starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
46+
values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
47+
as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
48+
as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
49+
| `security_content_ctime(lastTime)`'
50+
earliest_offset: $info_min_time$
51+
latest_offset: $info_max_time$
52+
rba:
53+
message: User $user$ has deleted a security service by attempting to $signature$ for account id $vendor_account$
54+
from IP $src$
55+
risk_objects:
56+
- field: user
57+
type: user
58+
score: 90
59+
threat_objects:
60+
- field: src
61+
type: ip_address
3862
tags:
3963
analytic_story:
4064
- AWS Defense Evasion

0 commit comments

Comments
 (0)