Techniques
Sample rules
LoadBalancer Security Group Modification
- source: sigma
- techniques:
  - t1190
Description
Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB). This can indicate a misconfiguration that allows more traffic into the system than required, or that an attacker is attempting to enable new connections into a VPC or subnet controlled by the account.
Detection logic
condition: selection
selection:
  eventName:
    - ApplySecurityGroupsToLoadBalancer
    - SetSecurityGroups
  eventSource: elasticloadbalancing.amazonaws.com
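
The selection above, applied to CloudTrail records and turned into triage output (who changed which load balancer, to which groups, and whether the call failed). This is an added example, not part of the rule or of the Sigma project; the log records are constructed, and the `requestParameters` field names (`loadBalancerArn`, `loadBalancerName`, `securityGroups`) are assumed to follow the camelCase form of the ELB API parameters.

```python
import json

# Selection from the rule above; Sigma compares strings case-insensitively.
EVENT_SOURCE = "elasticloadbalancing.amazonaws.com"
EVENT_NAMES = {"applysecuritygroupstoloadbalancer", "setsecuritygroups"}

# Constructed CloudTrail records, one JSON object per line (not real logs).
SAMPLE_LOG = r"""
{"eventTime":"2024-01-01T10:00:00Z","eventSource":"elasticloadbalancing.amazonaws.com","eventName":"SetSecurityGroups","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-admin"},"requestParameters":{"loadBalancerArn":"arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/example-alb/0000000000000000","securityGroups":["sg-0example1"]}}
{"eventTime":"2024-01-01T10:01:00Z","eventSource":"elasticloadbalancing.amazonaws.com","eventName":"DescribeLoadBalancers","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-admin"}}
{"eventTime":"2024-01-01T10:02:00Z","eventSource":"elasticloadbalancing.amazonaws.com","eventName":"ApplySecurityGroupsToLoadBalancer","sourceIPAddress":"203.0.113.9","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::111122223333:role/example-ci"},"requestParameters":{"loadBalancerName":"example-classic-elb","securityGroups":["sg-0example2","sg-0example3"]}}
{"eventTime":"2024-01-01T10:03:00Z","eventSource":"ec2.amazonaws.com","eventName":"AuthorizeSecurityGroupIngress","sourceIPAddress":"203.0.113.9","userIdentity":{"arn":"arn:aws:iam::111122223333:role/example-ci"}}
{"eventTime":"2024-01-01T10:04:00Z","eventSource":"elasticloadbalanc
"""

def matches(event):
    """True when the record satisfies the rule's `selection`."""
    source = str(event.get("eventSource", "")).lower()
    name = str(event.get("eventName", "")).lower()
    return source == EVENT_SOURCE and name in EVENT_NAMES

def triage(log_text):
    """Return one alert dict per matching record, skipping unparseable lines."""
    alerts = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line
        if not isinstance(event, dict) or not matches(event):
            continue
        params = event.get("requestParameters") or {}
        alerts.append({
            "time": event.get("eventTime"),
            "event": event.get("eventName"),
            "actor": (event.get("userIdentity") or {}).get("arn"),
            "source_ip": event.get("sourceIPAddress"),
            # ELBv2 calls name the target by ARN, Classic ELB calls by name.
            "target": params.get("loadBalancerArn") or params.get("loadBalancerName"),
            "new_groups": params.get("securityGroups", []),
            # The rule fires on denied attempts too; flag them for triage.
            "failed": "errorCode" in event,
        })
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```
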