AWS EC2 Security Group Configuration Change
- source: elastic
- techniques:
- T1562
Description
Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.
Detection logic
event.dataset: "aws.cloudtrail"
and event.provider: "ec2.amazonaws.com" and event.outcome: "success"
and (event.action:(
"AuthorizeSecurityGroupIngress" or
"AuthorizeSecurityGroupEgress" or
"CreateSecurityGroup" or
"ModifySecurityGroupRules" or
"RevokeSecurityGroupEgress" or
"RevokeSecurityGroupIngress") or
(event.action: "ModifyInstanceAttribute" and aws.cloudtrail.flattened.request_parameters.groupSet.items.groupId:*))
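The detection logic above, re-expressed as an added Python check run over constructed CloudTrail-style events (example code, not the Elastic rule itself or Kibana's KQL engine). Field names mirror the rule; the sample events and the security group id are constructed, and `groupId:*` is treated as "field present with a non-empty value".

```python
# Added example: evaluates the rule's conditions against flattened,
# ECS-style event dicts. Not the Elastic rule's own implementation.

# Security group API calls the rule alerts on unconditionally.
SG_ACTIONS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "CreateSecurityGroup", "ModifySecurityGroupRules",
    "RevokeSecurityGroupEgress", "RevokeSecurityGroupIngress",
}

GROUP_ID_FIELD = "aws.cloudtrail.flattened.request_parameters.groupSet.items.groupId"


def matches(event: dict) -> bool:
    """Return True when the event satisfies the rule's detection logic."""
    if event.get("event.dataset") != "aws.cloudtrail":
        return False
    if event.get("event.provider") != "ec2.amazonaws.com":
        return False
    if event.get("event.outcome") != "success":  # failed/denied calls are ignored
        return False
    action = event.get("event.action")
    if action in SG_ACTIONS:
        return True
    # ModifyInstanceAttribute covers many attributes; only alert when the
    # request re-assigns security groups (groupSet.items.groupId exists).
    if action == "ModifyInstanceAttribute":
        return bool(event.get(GROUP_ID_FIELD))
    return False


# Constructed sample events (not real CloudTrail records).
SAMPLE_EVENTS = [
    {"event.dataset": "aws.cloudtrail", "event.provider": "ec2.amazonaws.com",
     "event.outcome": "success", "event.action": "AuthorizeSecurityGroupIngress"},
    {"event.dataset": "aws.cloudtrail", "event.provider": "ec2.amazonaws.com",
     "event.outcome": "failure", "event.action": "AuthorizeSecurityGroupIngress"},
    {"event.dataset": "aws.cloudtrail", "event.provider": "ec2.amazonaws.com",
     "event.outcome": "success", "event.action": "ModifyInstanceAttribute",
     GROUP_ID_FIELD: ["sg-0123456789abcdef0"]},  # constructed placeholder id
    {"event.dataset": "aws.cloudtrail", "event.provider": "ec2.amazonaws.com",
     "event.outcome": "success", "event.action": "ModifyInstanceAttribute"},
    {"event.dataset": "aws.cloudtrail", "event.provider": "iam.amazonaws.com",
     "event.outcome": "success", "event.action": "CreateSecurityGroup"},
]


def run_rule(events) -> list:
    """Return the event.action of every event that triggers the rule."""
    return [e["event.action"] for e in events if matches(e)]


if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))
```

Only the successful ingress authorization and the group-reassigning ModifyInstanceAttribute fire; the failed call, the attribute change without a groupSet, and the non-EC2 provider are filtered out.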