LoFP / route tables may be created by a system or network administrators. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. route table creation by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule. automated processes that use terraform may lead to false positives.

Techniques

Sample rules

AWS Route Table Created

• source: elastic
• technicques:

Description

Identifies when an AWS Route Table has been created.

Detection logic

event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and
event.outcome:success