# Elastic prebuilt detection rule (detection-rules repository format). A KQL "query" rule
# that alerts on every AWS CloudTrail ModifySnapshotAttribute call for EC2 snapshots.
[metadata]
creation_date = "2020/06/24"
maturity = "production"
updated_date = "2021/07/20"
# Event source expected by the query below (see `note` and `index` under [rule]).
integration = "aws"
[rule]
author = ["Elastic"]
description = """
An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to
exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an
unauthorized or unexpected AWS account.
"""
false_positives = [
"""
IAM users may occasionally share EC2 snapshots with another AWS account belonging to the same organization. If known
behavior is causing false positives, it can be exempted from the rule.
""",
]
# Look-back (60m) is deliberately wider than the run interval (10m) so that late-ingested
# CloudTrail events are still evaluated; `timestamp_override = "event.ingested"` below is what
# makes the window apply to ingest time rather than the (often delayed) event time.
from = "now-60m"
index = ["filebeat-*", "logs-aws*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS EC2 Snapshot Activity"
note = """## Config
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html",
"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html",
]
risk_score = 47
# Stable identifier for this rule across versions; do not change it when editing the rule.
rule_id = "98fd7407-0bd5-5817-cda0-3fcc33113a56"
severity = "medium"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility"]
timestamp_override = "event.ingested"
type = "query"
# The query matches on the API action only; it does NOT inspect the request parameters, so it
# fires on any attribute change (including benign ones), not just on sharing with another
# account. Triage should check which attribute was changed and, for createVolumePermission,
# which account or group was granted access (group "all" makes the snapshot public).
# NOTE(review): those details are in the CloudTrail requestParameters field of the matched
# event — confirm the ECS field name in your data source.
query = '''
event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute
'''
# MITRE ATT&CK mapping: Exfiltration via transfer of data to an attacker-controlled cloud account.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1537"
name = "Transfer Data to Cloud Account"
reference = "https://attack.mitre.org/techniques/T1537/"
[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"