-
Notifications
You must be signed in to change notification settings - Fork 513
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[New Rule] Adding Coverage for `AWS SNS Email Subscription by Rare Us…
…er` (#4224) * adding new rule 'AWS SNS Email Subscription by Rare User' * updated mitre; adjusted non-ecs schema; fixed query * removed protocol inclusion in query * fixed risk score * Update rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml Co-authored-by: Isai <[email protected]> * Update rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml Co-authored-by: Isai <[email protected]> --------- Co-authored-by: Isai <[email protected]> (cherry picked from commit d5f36b3)
- Loading branch information
1 parent
2c24a06
commit 8cf0204
Showing
1 changed file
with
103 additions
and
0 deletions.
There are no files selected for viewing
103 changes: 103 additions & 0 deletions
103
rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,103 @@ | ||
| [metadata] | ||
| creation_date = "2024/11/01" | ||
| integration = ["aws"] | ||
| maturity = "production" | ||
| updated_date = "2024/11/01" | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| description = """ | ||
| Identifies when an SNS topic is subscribed to by an email address of a user who does not typically perform this action. | ||
| Adversaries may subscribe to an SNS topic to collect sensitive information or exfiltrate data via an external email | ||
| address. | ||
| """ | ||
| false_positives = [ | ||
| """ | ||
| Legitimate users may subscribe to SNS topics for legitimate purposes. Ensure that the subscription is authorized and | ||
| the subscription email address is known before taking action. | ||
| """, | ||
| ] | ||
| from = "now-9m" | ||
| index = ["filebeat-*", "logs-aws.cloudtrail-*"] | ||
| language = "kuery" | ||
| license = "Elastic License v2" | ||
| name = "AWS SNS Email Subscription by Rare User" | ||
| note = """## Triage and Analysis | ||
| ### Investigating AWS SNS Email Subscription by Rare User | ||
| This rule identifies when an SNS topic is subscribed to by an email address of a user who does not typically perform this action. While subscribing to SNS topics is a common practice, adversaries may exploit this feature to collect sensitive information or exfiltrate data via an external email address. | ||
| #### Possible Investigation Steps | ||
| - **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` field to identify the user who requested the subscription. Verify if this actor typically performs such actions and has the necessary permissions. It may be unusual for this activity to originate from certain user types, such as an assumed role or federated user. | ||
| - **Review the SNS Subscription Event**: Analyze the specifics of the `Subscribe` action in CloudTrail logs: | ||
| - **Topic**: Look at the `aws.cloudtrail.request_parameters.topicArn` field to identify the SNS topic involved in the subscription. | ||
| - **Protocol and Endpoint**: Review the `aws.cloudtrail.request_parameters.protocol` and `aws.cloudtrail.request_parameters.endpoint` fields to confirm the subscription's protocol and email address. Confirm if this endpoint is associated with a known or trusted entity. | ||
| - **Subscription Status**: Check the `aws.cloudtrail.response_elements.subscriptionArn` field for the subscription's current status, noting if it requires confirmation. | ||
| - **Verify Authorization**: Evaluate whether the user typically engages in SNS subscription actions and if they are authorized to do so for the specified topic. | ||
| - **Contextualize with Related Events**: Review related CloudTrail logs around the event time for other actions by the same user or IP address. Look for activities involving other AWS services, such as S3 or IAM, that may indicate further suspicious behavior. | ||
| - **Evaluate the Subscription Endpoint**: Determine whether the email endpoint is legitimate or associated with any known entity. This may require checking internal documentation or reaching out to relevant AWS account administrators. | ||
| - **Check for Publish Actions**: Investigate for any subsequent `Publish` actions on the same SNS topic that may indicate exfiltration attempts or data leakage. If Publish actions are detected, further investigate the contents of the messages. | ||
| - **Review IAM Policies**: Examine the user or role's IAM policies to ensure that the subscription action is within the scope of their permissions or should be. | ||
| ### False Positive Analysis | ||
| - **Historical User Actions**: Verify if the user has a history of performing similar actions on SNS topics. Consistent, repetitive actions may suggest legitimate usage. | ||
| - **Scheduled or Automated Tasks**: Confirm if the subscription action aligns with scheduled tasks or automated notifications authorized by your organization. | ||
| ### Response and Remediation | ||
| - **Immediate Review and Reversal**: If the subscription was unauthorized, take appropriate action to cancel it and adjust SNS permissions as necessary. | ||
| - **Strengthen Monitoring and Alerts**: Configure monitoring systems to flag similar actions involving sensitive topics or unapproved endpoints. | ||
| - **Policy Review**: Review and update policies related to SNS subscriptions and access, tightening control as needed to prevent unauthorized subscriptions. | ||
| - **Incident Response**: If there is evidence of malicious intent, treat the event as a potential data exfiltration incident and follow incident response protocols, including further investigation, containment, and recovery. | ||
| ### Additional Information | ||
| For further guidance on managing and securing SNS topics in AWS environments, refer to the [AWS SNS documentation](https://docs.aws.amazon.com/sns/latest/dg/welcome.html) and AWS best practices for security. | ||
| """ | ||
| references = ["https://docs.aws.amazon.com/sns/latest/api/API_Subscribe.html"] | ||
| risk_score = 21 | ||
| rule_id = "3df49ff6-985d-11ef-88a1-f661ea17fbcd" | ||
| severity = "low" | ||
| tags = [ | ||
| "Domain: Cloud", | ||
| "Data Source: AWS", | ||
| "Data Source: Amazon Web Services", | ||
| "Data Source: AWS SNS", | ||
| "Resources: Investigation Guide", | ||
| "Use Case: Threat Detection", | ||
| "Tactic: Exfiltration", | ||
| ] | ||
| timestamp_override = "event.ingested" | ||
| type = "new_terms" | ||
|
|
||
| query = ''' | ||
| event.dataset: "aws.cloudtrail" | ||
| and event.provider: "sns.amazonaws.com" | ||
| and event.action: "Subscribe" | ||
| and aws.cloudtrail.request_parameters: *protocol=email* | ||
| ''' | ||
|
|
||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1567" | ||
| name = "Exfiltration Over Web Service" | ||
| reference = "https://attack.mitre.org/techniques/T1567/" | ||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0010" | ||
| name = "Exfiltration" | ||
| reference = "https://attack.mitre.org/tactics/TA0010/" | ||
|
|
||
| [rule.new_terms] | ||
| field = "new_terms_fields" | ||
| value = ["aws.cloudtrail.user_identity.arn"] | ||
| [[rule.new_terms.history_window_start]] | ||
| field = "history_window_start" | ||
| value = "now-14d" |