aws-cis-benchmark-vpc-change Scenario

« aws-cis-benchmark-vpc-change »
v0.3 by crowdsecurity
Attack scenarioservice:awsspoofable:0MITRE:T1578confidence:3

Detect AWS VPC change

Installation

cscli scenarios install crowdsecurity/aws-cis-benchmark-vpc-change

Description

Detects AWS VPC changes based on cloudtrail logs (Section 4.14 of CIS AWS Foundation Benchmark 1.4.0 ).

YAML Configuration

1type: trigger
2name: crowdsecurity/aws-cis-benchmark-vpc-change
3description: "Detect AWS VPC change"
4filter: |
5     evt.Meta.log_type == 'aws-cloudtrail' &&
6     (
7     evt.Meta.event_name == "CreateVpc" ||
8     evt.Meta.event_name == "DeleteVpc" ||
9     evt.Meta.event_name == "ModifyVpcAttribute" ||
10     evt.Meta.event_name == "AcceptVpcPeeringConnection" ||
11     evt.Meta.event_name == "CreateVpcPeeringConnection" ||
12     evt.Meta.event_name == "DeleteVpcPeeringConnection" ||
13     evt.Meta.event_name == "RejectVpcPeeringConnection" ||
14     evt.Meta.event_name == "AttachClassicLinkVpc" ||
15     evt.Meta.event_name == "DetachClassicLinkVpc" ||
16     evt.Meta.event_name == "DisableVpcClassicLink" ||
17     evt.Meta.event_name == "EnableVpcClassicLink"
18     )
19labels:
20     confidence: 3
21     spoofable: 0
22     classification:
23          - attack.T1578
24     behavior: "cloud:audit"
25     label: "AWS VPC change"
26     service: aws
27     cti: false
28     remediation: false
29

Hub configuration

« aws-cis-benchmark-vpc-change »v0.3 by crowdsecurityAttack scenarioservice:awsspoofable:0MITRE:T1578confidence:3

« aws-cis-benchmark-vpc-change »
v0.3 by crowdsecurity
Attack scenarioservice:awsspoofable:0MITRE:T1578confidence:3