-
Notifications
You must be signed in to change notification settings - Fork 557
/
Copy pathmultiple_service_logging_deleted_or_stopped.toml
30 lines (29 loc) · 2.06 KB
/
multiple_service_logging_deleted_or_stopped.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
[hunt]
author = "Elastic"
description = """
This hunting query identifies the deletion or stopping of multiple service logging actions within AWS. Service logging is a critical security control that provides visibility into the activities and changes within AWS services. Adversaries may attempt to disable or delete service logging to evade detection and cover their tracks. Monitoring for multiple service logging deletions or stops can help identify potential malicious activity and ensure that critical security controls remain intact.
"""
integration = ["aws.cloudtrail"]
uuid = "d74f8928-5e46-11ef-9488-f661ea17fbce"
name = "Multiple Service Logging Deleted or Stopped"
language = ["ES|QL"]
license = "Elastic License v2"
notes = [
"Use the `event.provider` field to identify the service logging action that was deleted or stopped",
"Use the `event.action` field to identify the specific action that was taken on the service logging",
"Review the `aws.cloudtrail.user_identity*` fields to identify the user making the requests and their role permissions",
"Review the `source.*` fields for the IP address and geographical location of the request and compare with the user's typical behavior",
"Check for `CreateFlowLogs`, `CreateResolverQueryLogConfig`, `CreateTrail`, and `StartLogging` API calls to determine if the service logging was recently enabled or started. This could help determine if the deletion was due to maintence or configuration changes",
"Use ES|QL `stats` function to aggregated on date to identify patterns of multiple service logging deletions or stops",
""
]
mitre = ["T1562.008"]
query = ['''
from logs-aws.cloudtrail*
| where @timestamp > now() - 7 day
| where
event.provider in ("ec2.amazonaws.com","route53resolver.amazonaws.com","s3.amazonaws.com", "cloudtrail.amazonaws.com")
and event.action in ("DeleteFlowLogs","DeleteResolverQueryLogConfig", "DeleteTrail", "StopLogging")
| eval date = DATE_FORMAT("YYYY-mm-dd", @timestamp)
| stats service_logging_delete_count = count(*) by event.provider, event.action, event.outcome, date, aws.cloudtrail.user_identity.arn
''']