aws-cis-benchmark-cloudtrail-config-change Scenario

« aws-cis-benchmark-cloudtrail-config-change »
v0.3 by crowdsecurity
Attack scenarioservice:awsspoofable:0MITRE:T1070confidence:3

Detect AWS CloudTrail configuration change

Installation

cscli scenarios install crowdsecurity/aws-cis-benchmark-cloudtrail-config-change

Description

Detects AWS CloudTrail configuration changes based on cloudtrail logs (Section 4.5 of CIS AWS Foundation Benchmark 1.4.0 ).

YAML Configuration

1type: trigger
2name: crowdsecurity/aws-cis-benchmark-cloudtrail-config-change
3description: "Detect AWS CloudTrail configuration change"
4filter: |
5  evt.Meta.log_type == 'aws-cloudtrail' &&
6  (
7  evt.Meta.event_name == "CreateTrail" ||
8  evt.Meta.event_name == "UpdateTrail" ||
9  evt.Meta.event_name == "DeleteTrail" ||
10  evt.Meta.event_name == "StartLogging" ||
11  evt.Meta.event_name == "StopLogging"
12  )
13labels:
14  confidence: 3
15  spoofable: 0
16  classification:
17    - attack.T1070
18  behavior: "cloud:audit"
19  label: "AWS CloudTrail indicator removal"
20  service: aws
21  cti: false
22  remediation: false
23

Hub configuration

« aws-cis-benchmark-cloudtrail-config-change »v0.3 by crowdsecurityAttack scenarioservice:awsspoofable:0MITRE:T1070confidence:3

« aws-cis-benchmark-cloudtrail-config-change »
v0.3 by crowdsecurity
Attack scenarioservice:awsspoofable:0MITRE:T1070confidence:3