From d5d83a129812325d06d7899197bb78b6793afdf6 Mon Sep 17 00:00:00 2001
From: terrancedejesus <terrance.dejesus@elastic.co>
Date: Fri, 12 Apr 2024 15:36:00 -0400
Subject: [PATCH 1/4] new rule 'Route53 Resolver Query Log Configuration
 Deleted'

---
 ...53_dns_query_resolver_config_deletion.toml | 63 +++++++++++++++++++
 1 file changed, 63 insertions(+)
 create mode 100644 rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml

diff --git a/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml b/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml
new file mode 100644
index 00000000000..8002ca8a9bf
--- /dev/null
+++ b/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml
@@ -0,0 +1,63 @@
+[metadata]
+creation_date = "2024/04/12"
+integration = ["aws"]
+maturity = "production"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/12"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when a Route53 Resolver Query Log Configuration is deleted. When a Route53 a Resolver query log configuration
+is deleted, Resolver stops logging DNS queries and responses for the specified configuration. Adversaries may delete
+query log configurations to evade detection or cover their tracks.
+"""
+false_positives = ["Legitimate deletion of Route53 Resolver Query Log Configuration by authorized personnel."]
+from = "now-60m"
+index = ["filebeat-*", "logs-aws.cloudtrail*"]
+interval = "10m"
+language = "kuery"
+license = "Elastic License v2"
+name = "Route53 Resolver Query Log Configuration Deleted"
+references = [
+    "https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_DeleteResolverQueryLogConfig.html",
+]
+risk_score = 47
+rule_id = "453183fa-f903-11ee-8e88-f661ea17fbce"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Data Source: Amazon Route53",
+    "Use Case: Log Auditing",
+    "Resources: Investigation Guide",
+    "Tactic: Defense Evasion",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:aws.cloudtrail and event.provider: route53resolver.amazonaws.com and event.action: DeleteResolverQueryLogConfig and event.outcome: success
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.008"
+name = "Disable or Modify Cloud Logs"
+reference = "https://attack.mitre.org/techniques/T1562/008/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

From 3311d52d3fa82c64a89564071108d9d6ec8891ab Mon Sep 17 00:00:00 2001
From: terrancedejesus <terrance.dejesus@elastic.co>
Date: Mon, 6 May 2024 18:36:03 -0700
Subject: [PATCH 2/4] added investigation guide

---
 ...53_dns_query_resolver_config_deletion.toml | 39 ++++++++++++++++++-
 1 file changed, 37 insertions(+), 2 deletions(-)

diff --git a/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml b/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml
index 8002ca8a9bf..5f40abbfb86 100644
--- a/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 min_stack_version = "8.9.0"
-updated_date = "2024/04/12"
+updated_date = "2024/05/06"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,40 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "Route53 Resolver Query Log Configuration Deleted"
+note = """
+
+## Triage and Analysis
+
+### Investigating Route53 Resolver Query Log Configuration Deleted
+
+This rule detects when a Route53 Resolver Query Log Configuration is deleted. Deleting these configurations stops the logging of DNS queries and responses, which can significantly impede network monitoring and compromise security visibility. Adversaries may delete these configurations to evade detection, remove evidence, or obscure their activities within a network.
+
+Adversaries target Route53 Resolver query log configurations because these logs can contain evidence of malicious domain queries or responses. By deleting these logs, an adversary can prevent the capture of information that could reveal unauthorized network activities, aiding in avoiding detection and thwarting incident response efforts.
+
+#### Possible Investigation Steps
+
+- **Review the Deletion Details**: Examine the CloudTrail logs to identify when and by whom the deletion was initiated. Check the `event.action` and `user_identity` elements to understand the scope and authorization of the deletion.
+- **Contextualize with User Actions**: Assess whether the deletion aligns with the user’s role and job responsibilities. Investigate if similar modifications have occurred recently that could suggest a pattern or broader campaign.
+- **Analyze Access Patterns and Permissions**: Verify whether the user had the appropriate permissions to delete log configurations. Investigate any recent permission changes that might indicate role abuse or credentials compromise.
+- **Correlate with Other Security Incidents**: Look for related security alerts or incidents that could be connected to the log deletion. This includes unusual network traffic, alerts from other AWS services, or findings from intrusion detection systems.
+- **Interview the Responsible Team**: If the deletion was initiated by an internal team member, confirm their intent and authorization to ensure it was a legitimate action.
+
+### False Positive Analysis
+
+- **Legitimate Administrative Actions**: Confirm that the deletion was part of scheduled IT operations or network management activities, possibly linked to maintenance or infrastructure updates. Validate this action against change management records or through interviews with relevant personnel.
+
+### Response and Remediation
+
+- **Restore Logs if Feasible**: If the deletion was unauthorized, consider restoring the configuration from backups to ensure continuous visibility into DNS queries.
+- **Review and Tighten Permissions**: Ensure that only authorized personnel have the capability to delete critical configurations. Adjust AWS IAM policies to reinforce security measures.
+- **Enhance Monitoring of Log Management**: Implement or enhance monitoring rules to detect and alert on unauthorized changes to logging configurations, focusing on critical deletions.
+- **Conduct Comprehensive Security Review**: If the deletion is verified as malicious, initiate a thorough security assessment to identify any further unauthorized changes or ongoing malicious activities.
+
+### Additional Information
+
+For detailed instructions on managing Route53 Resolver and securing its configurations, refer to the [Amazon Route53 Resolver documentation](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_DeleteResolverQueryLogConfig.html).
+
+"""
 references = [
     "https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_DeleteResolverQueryLogConfig.html",
 ]
@@ -39,7 +73,8 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:aws.cloudtrail and event.provider: route53resolver.amazonaws.com and event.action: DeleteResolverQueryLogConfig and event.outcome: success
+event.dataset:aws.cloudtrail and event.provider: route53resolver.amazonaws.com
+    and event.action: DeleteResolverQueryLogConfig and event.outcome: success
 '''
 
 

From 071f91fff18028afab108c527dbe5747b3e8b31f Mon Sep 17 00:00:00 2001
From: terrancedejesus <terrance.dejesus@elastic.co>
Date: Mon, 6 May 2024 18:41:45 -0700
Subject: [PATCH 3/4] adjusted investigation notes

---
 ...oute53_dns_query_resolver_config_deletion.toml | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml b/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml
index 5f40abbfb86..70ba095d223 100644
--- a/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml
@@ -32,10 +32,14 @@ Adversaries target Route53 Resolver query log configurations because these logs
 
 #### Possible Investigation Steps
 
-- **Review the Deletion Details**: Examine the CloudTrail logs to identify when and by whom the deletion was initiated. Check the `event.action` and `user_identity` elements to understand the scope and authorization of the deletion.
-- **Contextualize with User Actions**: Assess whether the deletion aligns with the user’s role and job responsibilities. Investigate if similar modifications have occurred recently that could suggest a pattern or broader campaign.
-- **Analyze Access Patterns and Permissions**: Verify whether the user had the appropriate permissions to delete log configurations. Investigate any recent permission changes that might indicate role abuse or credentials compromise.
-- **Correlate with Other Security Incidents**: Look for related security alerts or incidents that could be connected to the log deletion. This includes unusual network traffic, alerts from other AWS services, or findings from intrusion detection systems.
+- **Review the Deletion Details**: Examine the CloudTrail logs to identify when and by whom the deletion was initiated.
+    - Check the `event.action` and `user_identity` elements to understand the scope and authorization of the deletion.
+- **Contextualize with User Actions**: Assess whether the deletion aligns with the user’s role and job responsibilities.
+    - Investigate if similar modifications have occurred recently that could suggest a pattern or broader campaign.
+- **Analyze Access Patterns and Permissions**: Verify whether the user had the appropriate permissions to delete log configurations.
+    - Investigate any recent permission changes that might indicate role abuse or credentials compromise.
+- **Correlate with Other Security Incidents**: Look for related security alerts or incidents that could be connected to the log deletion.
+    - This includes unusual network traffic, alerts from other AWS services, or findings from intrusion detection systems.
 - **Interview the Responsible Team**: If the deletion was initiated by an internal team member, confirm their intent and authorization to ensure it was a legitimate action.
 
 ### False Positive Analysis
@@ -45,7 +49,8 @@ Adversaries target Route53 Resolver query log configurations because these logs
 ### Response and Remediation
 
 - **Restore Logs if Feasible**: If the deletion was unauthorized, consider restoring the configuration from backups to ensure continuous visibility into DNS queries.
-- **Review and Tighten Permissions**: Ensure that only authorized personnel have the capability to delete critical configurations. Adjust AWS IAM policies to reinforce security measures.
+- **Review and Tighten Permissions**: Ensure that only authorized personnel have the capability to delete critical configurations.
+    - Adjust AWS IAM policies to reinforce security measures.
 - **Enhance Monitoring of Log Management**: Implement or enhance monitoring rules to detect and alert on unauthorized changes to logging configurations, focusing on critical deletions.
 - **Conduct Comprehensive Security Review**: If the deletion is verified as malicious, initiate a thorough security assessment to identify any further unauthorized changes or ongoing malicious activities.
 

From ddfb3e668273887433d8c6d0109f44cea836a977 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Tue, 14 May 2024 09:00:07 -0400
Subject: [PATCH 4/4] Update
 rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---
 ...ense_evasion_route53_dns_query_resolver_config_deletion.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml b/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml
index 70ba095d223..15682431e20 100644
--- a/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml
@@ -9,7 +9,7 @@ updated_date = "2024/05/06"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies when a Route53 Resolver Query Log Configuration is deleted. When a Route53 a Resolver query log configuration
+Identifies when a Route53 Resolver Query Log Configuration is deleted. When a Route53 Resolver query log configuration
 is deleted, Resolver stops logging DNS queries and responses for the specified configuration. Adversaries may delete
 query log configurations to evade detection or cover their tracks.
 """