Commit a182c8c

updating to TTP
1 parent a9b6723 commit a182c8c

1 file changed

+27
-3
lines changed

detections/cloud/aws_defense_evasion_impair_security_services.yml

Lines changed: 27 additions & 3 deletions
@@ -1,10 +1,10 @@
11
name: AWS Defense Evasion Impair Security Services
22
id: b28c4957-96a6-47e0-a965-6c767aac1458
3-
version: 7
4-
date: '2025-05-02'
3+
version: 8
4+
date: '2025-05-22'
55
author: Bhavin Patel, Gowthamaraj Rajendran, Splunk
66
status: production
7-
type: Hunting
7+
type: TTP
88
description: The following analytic detects attempts to delete critical AWS security
99
service configurations, such as CloudWatch alarms, GuardDuty detectors, and Web
1010
Application Firewall rules. It leverages CloudTrail logs to identify specific API
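Review bot: the promotion from `type: Hunting` to `type: TTP` (line 7, alongside the version 7 to 8 bump and the new date) changes how this analytic is consumed: a Hunting search is run ad hoc by an analyst, while a TTP detection is expected to fire on its own and raise risk, so its results must be precise enough not to flood the risk index. The one-line commit message "updating to TTP" should record why that bar is now met (what tuning or testing against the CloudTrail events justified it), so that a later reader of the history can see the reasoning rather than just the field flip.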
@@ -35,6 +35,30 @@ references:
3535
- https://docs.aws.amazon.com/cli/latest/reference/guardduty/index.html
3636
- https://docs.aws.amazon.com/cli/latest/reference/waf/index.html
3737
- https://www.elastic.co/guide/en/security/current/prebuilt-rules.html
38+
drilldown_searches:
39+
- name: View the detection results for - "$user$"
40+
search: '%original_detection_search% | search user = "$user$"'
41+
earliest_offset: $info_min_time$
42+
latest_offset: $info_max_time$
43+
- name: View risk events for the last 7 days for - "$user$"
44+
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$")
45+
starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
46+
values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
47+
as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
48+
as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
49+
| `security_content_ctime(lastTime)`'
50+
earliest_offset: $info_min_time$
51+
latest_offset: $info_max_time$
52+
rba:
53+
message: User $user$ has deleted a security service by attempting to $signature$ for account id $vendor_account$
54+
from IP $src$
55+
risk_objects:
56+
- field: user
57+
type: user
58+
score: 90
59+
threat_objects:
60+
- field: src
61+
type: ip_address
3862
tags:
3963
analytic_story:
4064
- AWS Defense Evasion
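Review bot: the `rba.message` at lines 53-54 is internally inconsistent: it states the user "has deleted a security service" but in the same sentence says "by attempting to $signature$", and the description in this file speaks of detecting attempts. CloudTrail records the API call whether or not it succeeded (a denied call carries the same eventName, with an errorCode set), so either word it as "attempted to $signature$ on a security service" or gate on errorCode if a confirmed deletion is meant. Also confirm the detection search actually emits `vendor_account` and `src`, since the message and `threat_objects` (lines 59-61) depend on them while only `user` is referenced by the drilldowns and `risk_objects`; a field the search does not produce would leave that token unresolved in the risk message.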
