aws-cis-benchmark-ngw-change Scenario

« aws-cis-benchmark-ngw-change »
v0.3 by crowdsecurity
Attack scenarioservice:awsspoofable:0MITRE:T1578confidence:3

Detect AWS Network Gateway change

Installation

cscli scenarios install crowdsecurity/aws-cis-benchmark-ngw-change

Description

Detects AWS Network Gateway changes based on cloudtrail logs (Section 4.12 of CIS AWS Foundation Benchmark 1.4.0 ).

YAML Configuration

1type: trigger
2name: crowdsecurity/aws-cis-benchmark-ngw-change
3description: "Detect AWS Network Gateway change"
4filter: |
5     evt.Meta.log_type == 'aws-cloudtrail' &&
6     (
7     evt.Meta.event_name == "CreateCustomerGateway" ||
8     evt.Meta.event_name == "DeleteCustomerGateway" ||
9     evt.Meta.event_name == "AttachInternetGateway" ||
10     evt.Meta.event_name == "CreateInternetGateway" ||
11     evt.Meta.event_name == "DeleteInternetGateway" ||
12     evt.Meta.event_name == "DetachInternetGateway"
13     )
14labels:
15     confidence: 3
16     spoofable: 0
17     classification:
18          - attack.T1578
19     behavior: "cloud:audit"
20     label: "AWS Network Gateway change"
21     service: aws
22     cti: false
23     remediation: false
24

Hub configuration

« aws-cis-benchmark-ngw-change »v0.3 by crowdsecurityAttack scenarioservice:awsspoofable:0MITRE:T1578confidence:3

« aws-cis-benchmark-ngw-change »
v0.3 by crowdsecurity
Attack scenarioservice:awsspoofable:0MITRE:T1578confidence:3