Changes to AWS Elastic Load Balancer security groups
| Field | Value |
| --- | --- |
| Id | c7bfadd4-34a6-4fa5-82f8-3691a32261e8 |
| Rulename | Changes to AWS Elastic Load Balancer security groups |
| Description | Elastic Load Balancer distributes incoming traffic across multiple instances in multiple Availability Zones, which increases the fault tolerance of your applications. Unwanted changes to Elastic Load Balancer-specific security groups could open your environment to attack and hence need monitoring. More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 and https://aws.amazon.com/elasticloadbalancing/. |
| Severity | Low |
| Tactics | Persistence |
| Techniques | T1098 |
| Required data connectors | AWS, AWSS3 |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_LoadBalancerSecGroupChange.yaml |
| Version | 1.0.1 |
| Arm template | c7bfadd4-34a6-4fa5-82f8-3691a32261e8.json |
```kusto
let EventNameList = dynamic(["ApplySecurityGroupsToLoadBalancer", "SetSecurityGroups"]);
AWSCloudTrail
| where EventName in~ (EventNameList)
| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)
| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated)
    by EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,
       AdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements
| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress
```
```yaml
triggerOperator: gt
id: c7bfadd4-34a6-4fa5-82f8-3691a32261e8
queryFrequency: 1d
entityMappings:
  - entityType: Account
    fieldMappings:
      - columnName: AccountCustomEntity
        identifier: FullName
  - entityType: IP
    fieldMappings:
      - columnName: IPCustomEntity
        identifier: Address
requiredDataConnectors:
  - dataTypes:
      - AWSCloudTrail
    connectorId: AWS
  - dataTypes:
      - AWSCloudTrail
    connectorId: AWSS3
severity: Low
triggerThreshold: 0
kind: Scheduled
status: Available
queryPeriod: 1d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_LoadBalancerSecGroupChange.yaml
query: |
  let EventNameList = dynamic(["ApplySecurityGroupsToLoadBalancer", "SetSecurityGroups"]);
  AWSCloudTrail
  | where EventName in~ (EventNameList)
  | extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)
  | summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated)
  by EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,
  AdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements
  | extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress
description: |
  'Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications.
   Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.
   More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255
   and https://aws.amazon.com/elasticloadbalancing/.'
name: Changes to AWS Elastic Load Balancer security groups
relevantTechniques:
  - T1098
tactics:
  - Persistence
version: 1.0.1
```
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c7bfadd4-34a6-4fa5-82f8-3691a32261e8')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c7bfadd4-34a6-4fa5-82f8-3691a32261e8')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Changes to AWS Elastic Load Balancer security groups",
        "description": "'Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications.\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\n and https://aws.amazon.com/elasticloadbalancing/.'\n",
        "severity": "Low",
        "enabled": true,
        "query": "let EventNameList = dynamic([\"ApplySecurityGroupsToLoadBalancer\", \"SetSecurityGroups\"]);\nAWSCloudTrail\n| where EventName in~ (EventNameList)\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated)\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1098"
        ],
        "alertRuleTemplateName": "c7bfadd4-34a6-4fa5-82f8-3691a32261e8",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ],
            "entityType": "IP"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_LoadBalancerSecGroupChange.yaml",
        "templateVersion": "1.0.1",
        "status": "Available"
      }
    }
  ]
}
```