aws-cis-benchmark-config-config-change Scenario

« aws-cis-benchmark-config-config-change »
v0.3 by crowdsecurity
Attack scenarioservice:awsspoofable:0MITRE:T1070confidence:3

Detect AWS Config configuration change

Installation

cscli scenarios install crowdsecurity/aws-cis-benchmark-config-config-change

Description

Detects AWS Config configuration changes based on cloudtrail logs (Section 4.9 of CIS AWS Foundation Benchmark 1.4.0 ).

YAML Configuration

1type: trigger
2name: crowdsecurity/aws-cis-benchmark-config-config-change
3description: "Detect AWS Config configuration change"
4filter: |
5  evt.Meta.log_type == 'aws-cloudtrail' && 
6  evt.Unmarshaled.cloudtrail.eventSource == "config.amazonaws.com" &&
7  (
8   evt.Meta.event_name == "StopConfigurationRecorder" ||
9   evt.Meta.event_name == "DeleteDeliveryChannel" ||
10   evt.Meta.event_name == "PutDeliveryChannel" ||
11   evt.Meta.event_name == "PutConfigurationRecorder"
12  )
13labels:
14  confidence: 3
15  spoofable: 0
16  classification:
17    - attack.T1070
18  behavior: "cloud:audit"
19  label: "AWS Config indicator removal"
20  service: aws
21  cti: false
22  remediation: false
23

Hub configuration

« aws-cis-benchmark-config-config-change »v0.3 by crowdsecurityAttack scenarioservice:awsspoofable:0MITRE:T1070confidence:3

« aws-cis-benchmark-config-config-change »
v0.3 by crowdsecurity
Attack scenarioservice:awsspoofable:0MITRE:T1070confidence:3