cscli scenarios install crowdsecurity/aws-cis-benchmark-route-table-change
Detects AWS route table changes based on CloudTrail logs (Section 4.13 of the CIS AWS Foundations Benchmark 1.4.0).
type: trigger
name: crowdsecurity/aws-cis-benchmark-route-table-change
description: "Detect AWS route table change"
filter: |
  evt.Meta.log_type == 'aws-cloudtrail' &&
  (
  evt.Meta.event_name == "CreateRoute" ||
  evt.Meta.event_name == "CreateRouteTable" ||
  evt.Meta.event_name == "ReplaceRoute" ||
  evt.Meta.event_name == "ReplaceRouteTableAssociation" ||
  evt.Meta.event_name == "DeleteRouteTable" ||
  evt.Meta.event_name == "DeleteRoute" ||
  evt.Meta.event_name == "DisassociateRouteTable"
  )
labels:
  confidence: 3
  spoofable: 0
  classification:
    - attack.T1578
  behavior: "cloud:audit"
  label: "AWS route table change"
  service: aws
  cti: false
  remediation: false
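The following is an added example, not part of the hub entry or CrowdSec's own code: it replays CloudTrail records through the same predicate as the filter above, so you can check offline which events would trigger and see that denied API calls match as well. It assumes the CloudTrail parser copies `eventName` into `evt.Meta.event_name`; the function names and the sample records are constructed for illustration.

```python
import json

# Event names copied from the scenario's filter.
ROUTE_TABLE_EVENTS = {
    "CreateRoute", "CreateRouteTable", "ReplaceRoute",
    "ReplaceRouteTableAssociation", "DeleteRouteTable",
    "DeleteRoute", "DisassociateRouteTable",
}

def matches(meta):
    """Same predicate as the scenario filter; meta stands in for evt.Meta."""
    return (meta.get("log_type") == "aws-cloudtrail"
            and meta.get("event_name") in ROUTE_TABLE_EVENTS)

def triage(cloudtrail_file_text):
    """Return one summary per CloudTrail record the filter would trigger on."""
    hits = []
    for rec in json.loads(cloudtrail_file_text).get("Records", []):
        # Assumption: the parser maps eventName to evt.Meta.event_name.
        meta = {"log_type": "aws-cloudtrail", "event_name": rec.get("eventName")}
        if not matches(meta):
            continue
        params = rec.get("requestParameters") or {}  # may be null in CloudTrail
        hits.append({
            "event": rec["eventName"],
            "actor": (rec.get("userIdentity") or {}).get("arn", "unknown"),
            "source_ip": rec.get("sourceIPAddress", "unknown"),
            "route_table": params.get("routeTableId"),
            # The filter checks only the event name, so denied calls match too.
            "denied": "errorCode" in rec,
        })
    return hits

# Constructed sample log file (documentation account ID and IP ranges).
ARN = "arn:aws:iam::111122223333:user/example"
SAMPLE = json.dumps({"Records": [
    {"eventName": "CreateRoute", "userIdentity": {"arn": ARN},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"routeTableId": "rtb-0123456789abcdef0"}},
    {"eventName": "DescribeRouteTables", "userIdentity": {"arn": ARN},
     "sourceIPAddress": "198.51.100.7", "requestParameters": None},
    {"eventName": "DeleteRouteTable", "userIdentity": {"arn": ARN},
     "sourceIPAddress": "203.0.113.9", "errorCode": "Client.UnauthorizedOperation",
     "requestParameters": {"routeTableId": "rtb-0123456789abcdef0"}},
    {"eventName": "DisassociateRouteTable", "userIdentity": {"arn": ARN},
     "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"associationId": "rtbassoc-0123456789abcdef0"}},
]})

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

The read-only `DescribeRouteTables` call is ignored, while the denied `DeleteRouteTable` attempt still produces a hit, which is worth knowing when triaging alerts from this scenario.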