cscli scenarios install crowdsecurity/aws-cis-benchmark-security-group-change
Detects AWS Security Group changes based on CloudTrail logs (Section 4.10 of the CIS AWS Foundations Benchmark 1.4.0).

```yaml
type: trigger
name: crowdsecurity/aws-cis-benchmark-security-group-change
description: "Detect AWS Security Group change"
filter: |
  evt.Meta.log_type == 'aws-cloudtrail' &&
  (
    evt.Meta.event_name == "AuthorizeSecurityGroupIngress" ||
    evt.Meta.event_name == "AuthorizeSecurityGroupEgress" ||
    evt.Meta.event_name == "RevokeSecurityGroupIngress" ||
    evt.Meta.event_name == "RevokeSecurityGroupEgress" ||
    evt.Meta.event_name == "CreateSecurityGroup" ||
    evt.Meta.event_name == "DeleteSecurityGroup"
  )
labels:
  confidence: 3
  spoofable: 0
  classification:
    - attack.T1578
  behavior: "cloud:audit"
  label: "AWS Security Group change"
  service: aws
  cti: false
  remediation: false
```
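To check what this scenario would actually fire on, the following is an added Python replay of the same filter over a constructed CloudTrail log file. It is example code, not CrowdSec's own implementation: it assumes that the CloudTrail parser sets `evt.Meta.log_type` to `aws-cloudtrail` and copies each record's `eventName` into `evt.Meta.event_name` (the parser mapping is not shown on this page), and the three sample records (account id, ARNs, IPs, group id) are made up. It also makes visible a property a practitioner should know: the filter never looks at `errorCode`, so a failed or denied security-group call is reported exactly like a successful one, and as a `trigger` scenario each match becomes its own alert with no leaky-bucket accumulation.

```python
import json

# Event names matched by the scenario's filter (copied from the scenario YAML).
SECURITY_GROUP_EVENTS = frozenset({
    "AuthorizeSecurityGroupIngress",
    "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress",
    "RevokeSecurityGroupEgress",
    "CreateSecurityGroup",
    "DeleteSecurityGroup",
})

# Constructed CloudTrail log file in the {"Records": [...]} delivery format.
# All identifiers below are invented for this example.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {   # successful rule addition: should fire
        "eventVersion": "1.08",
        "eventTime": "2024-01-01T10:00:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"groupId": "sg-0123456789abcdef0"},
    },
    {   # read-only call: not in the list, should not fire
        "eventVersion": "1.08",
        "eventTime": "2024-01-01T10:00:05Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeSecurityGroups",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
    },
    {   # failed deletion: still fires, because errorCode is not part of the filter
        "eventVersion": "1.08",
        "eventTime": "2024-01-01T10:01:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DeleteSecurityGroup",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/Deployer/ci"},
        "errorCode": "Client.DependencyViolation",
        "errorMessage": "resource sg-0123456789abcdef0 has a dependent object",
    },
]})


def to_meta(record: dict) -> dict:
    """Build the subset of evt.Meta the scenario reads.

    Assumption (not shown on the page): CrowdSec's CloudTrail parser tags the
    line with log_type 'aws-cloudtrail' and exposes eventName as event_name.
    """
    return {
        "log_type": "aws-cloudtrail",
        "event_name": record.get("eventName", ""),
        "source_ip": record.get("sourceIPAddress", ""),
        "user": record.get("userIdentity", {}).get("arn", ""),
        "error_code": record.get("errorCode", ""),
    }


def filter_matches(meta: dict) -> bool:
    """Same predicate as the scenario's filter expression: a CloudTrail line
    whose event name is one of the six security-group API calls."""
    return (meta.get("log_type") == "aws-cloudtrail"
            and meta.get("event_name") in SECURITY_GROUP_EVENTS)


def alerts_for(cloudtrail_json: str) -> list:
    """Apply the filter to every record; one alert per hit, as a 'trigger'
    scenario does. The failed_call flag shows the errorCode the filter ignores."""
    records = json.loads(cloudtrail_json).get("Records", [])
    alerts = []
    for record in records:
        meta = to_meta(record)
        if filter_matches(meta):
            alerts.append({
                "scenario": "crowdsecurity/aws-cis-benchmark-security-group-change",
                "event_name": meta["event_name"],
                "user": meta["user"],
                "source_ip": meta["source_ip"],
                "failed_call": bool(meta["error_code"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_CLOUDTRAIL):
        print(alert)
```

Running the script prints two alerts: the successful `AuthorizeSecurityGroupIngress` and the failed `DeleteSecurityGroup`, while `DescribeSecurityGroups` is ignored. If you only want to page on changes that actually took effect, that distinction has to be made downstream (or in a derived scenario), since this filter treats both the same.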