Detection rules › Panther
AWS EC2 Manual Security Group Change
An EC2 security group was manually updated without abiding by the organization's accepted processes. This rule expects organizations to either use the Console, CloudFormation, or Terraform, configurable in the rule's ALLOWED_USER_AGENTS.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Stealth | T1562 Impair Defenses |
Rules detecting the same action
Other rules on this platform that filter on the same API call or operation.
Rule body yaml
AnalysisType: rule
Filename: aws_ec2_manual_security_group_changes.py
RuleID: "AWS.EC2.ManualSecurityGroupChange"
DisplayName: "AWS EC2 Manual Security Group Change"
Enabled: false
LogTypes:
- AWS.CloudTrail
Reports:
MITRE ATT&CK:
- TA0005:T1562
Tags:
- AWS
- Security Control
- Configuration Required
- Defense Evasion:Impair Defenses
Severity: Medium
Description: >
An EC2 security group was manually updated without abiding by the organization's accepted processes. This rule expects organizations to either use the Console, CloudFormation, or Terraform, configurable in the rule's ALLOWED_USER_AGENTS.
Runbook: Identify the actor who changed the security group and validate it was legitimate
Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-security-groups.html
Tests:
- Name: AWS Console - Ingress SG Authorization
LogType: AWS.CloudTrail
ExpectedResult: true
Log:
{
"awsRegion": "us-west-2",
"eventID": "504b492f-7832-406b-a4fd-45a13e48adc4",
"eventName": "AuthorizeSecurityGroupIngress",
"eventSource": "ec2.amazonaws.com",
"eventTime": "2021-01-24 04:55:45.000",
"eventType": "AwsApiCall",
"eventVersion": "1.08",
"managementEvent": true,
"readOnly": false,
"recipientAccountId": "112233445566",
"requestID": "91f34d65-513d-4e9f-a3de-e8d27f7ee4b2",
"requestParameters":
{
"groupId": "sg-04f0b44316f7d2471",
"ipPermissions":
{
"items":
[
{
"ipRanges": { "items": [{ "cidrIp": "0.0.0.0/16" }] },
"prefixListIds": {},
"fromPort": "443",
"toPort": "443",
"groups": {},
"ipProtocol": "tcp",
"ipv6Ranges": {},
},
],
},
},
"responseElements":
{
"_return": true,
"requestId": "91f34d65-513d-4e9f-a3de-e8d27f7ee4b2",
},
"sourceIPAddress": "136.25.37.134",
"userAgent": "console.ec2.amazonaws.com",
"userIdentity":
{
"type": "AssumedRole",
"principalid": "ARORJ4ULULLE0EEJAAKDO:alan",
"arn": "arn:aws:sts::112233445566:assumed-role/TestAdmin/alan",
"accountid": "112233445566",
"accesskeyid": "ASIASWJRT64Z7ZLFLJNI",
"sessioncontext":
{
"attributes":
{
"mfaauthenticated": "true",
"creationdate": "2021-01-24T04:55:10Z",
},
"sessionissuer":
{
"type": "Role",
"principalid": "ARORJ4ULULLE0EEJAAKDO",
"arn": "arn:aws:iam::112233445566:role/TestAdmin",
"accountid": "112233445566",
"username": "TestAdmin",
},
},
},
"p_event_time": "2021-01-24 04:55:45.000",
"p_parse_time": "2021-01-24 05:02:58.358",
"p_log_type": "AWS.CloudTrail",
"p_row_id": "1a57ff7ade26aaf5a1a4d7d20775",
"p_source_id": "e55677c6-7ef5-4541-a443-0d0f17eec19f",
"p_source_label": "CloudTrail Test",
"p_any_ip_addresses": ["136.25.37.134"],
"p_any_aws_account_ids": ["112233445566"],
"p_any_aws_arns":
[
"arn:aws:iam::112233445566:role/TestAdmin",
" arn:aws:sts::112233445566:assumed-role/TestAdmin/alan",
],
}
- Name: Terraform Security Group Creation
LogType: AWS.CloudTrail
ExpectedResult: false
Log:
{
"eventVersion": "1.05",
"userIdentity":
{
"type": "AssumedRole",
"principalId": "AROAIZCYMDBM4SJU6XXXX:ryan@example.com",
"arn": "arn:aws:sts::112233445566:assumed-role/Operator/ryan@example.com",
"accountId": "112233445566",
"accessKeyId": "ASIAWDWBPTM3RJH7XXXX",
"sessionContext":
{
"sessionIssuer":
{
"type": "Role",
"principalId": "AROAIZCYMDBM4SJU65M54",
"arn": "arn:aws:iam::112233445566:role/Operator",
"accountId": "112233445566",
"userName": "Operator",
},
"webIdFederationData": {},
"attributes":
{
"mfaAuthenticated": "false",
"creationDate": "2020-04-30T23:50:12Z",
},
},
},
"eventTime": "2020-04-30T23:51:06Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "CreateSecurityGroup",
"awsRegion": "us-east-1",
"sourceIPAddress": "100.1.114.142",
"userAgent": "aws-sdk-go/1.29.7 (go1.13.7; darwin; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.12.24 (+https://www.terraform.io)",
"requestParameters":
{
"groupName": "prod-webapp-webserver-security",
"groupDescription": "prod-webapp-webserver Security SG",
"vpcId": "vpc-a1a044c7",
},
"responseElements":
{
"requestId": "594fe3e3-0f74-4085-9336-189b36a1cd8c",
"_return": true,
"groupId": "sg-04d018d184a18f647",
},
"requestID": "594fe3e3-0f74-4085-9336-189b36a1cd8c",
"eventID": "52601748-2659-4ed8-b5fd-c530547b07ec",
"eventType": "AwsApiCall",
"recipientAccountId": "112233445566",
}
- Name: Terraform Security Group Authorize Egress
LogType: AWS.CloudTrail
ExpectedResult: false
Log:
{
"eventVersion": "1.05",
"userIdentity":
{
"type": "AssumedRole",
"principalId": "AROAIZCYMDBM4SJU65M54:ryan@example.com",
"arn": "arn:aws:sts::112233445566:assumed-role/ContinousDeployment/ryan@example.com",
"accountId": "112233445566",
"accessKeyId": "ASIAWDWBPTM3RJH7XXXX",
"sessionContext":
{
"sessionIssuer":
{
"type": "Role",
"principalId": "AROAIZCYMDBM4SJU65M54",
"arn": "arn:aws:iam::112233445566:role/Operator",
"accountId": "112233445566",
"userName": "Operator",
},
"webIdFederationData": {},
"attributes":
{
"mfaAuthenticated": "false",
"creationDate": "2020-04-30T23:50:12Z",
},
},
},
"eventTime": "2020-04-30T23:51:08Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "AuthorizeSecurityGroupEgress",
"awsRegion": "us-east-1",
"sourceIPAddress": "100.1.114.142",
"userAgent": "aws-sdk-go/1.29.7 (go1.13.7; darwin; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.12.24 (+https://www.terraform.io)",
"requestParameters":
{
"groupId": "sg-03eee825d6bb78f54",
"ipPermissions":
{
"items":
[
{
"ipProtocol": "-1",
"groups": {},
"ipRanges":
{
"items":
[
{
"cidrIp": "0.0.0.0/0",
"description": "Allow egress to the internet. Required for now until we land ECS/ECR endpoints in the VPC",
},
],
},
"ipv6Ranges": {},
"prefixListIds": {},
},
],
},
},
"responseElements":
{
"requestId": "4c7a5036-09d3-46e8-b0b6-f611ff1959a6",
"_return": true,
},
"requestID": "4c7a5036-09d3-46e8-b0b6-f611ff1959a6",
"eventID": "1a593035-e072-49c4-8c72-4ff35e195330",
"eventType": "AwsApiCall",
"recipientAccountId": "112233445566",
}
- Name: Go Script Authorize Ingress
LogType: AWS.CloudTrail
ExpectedResult: true
Log:
{
"eventVersion": "1.05",
"userIdentity":
{
"type": "AssumedRole",
"principalId": "AROAIZCYMDBM4SJU65M54:ryan@example.com",
"arn": "arn:aws:sts::112233445566:assumed-role/Operator/ryan@example.com",
"accountId": "112233445566",
"accessKeyId": "ASIAWDWBPTM3QPXQXXXX",
"sessionContext":
{
"sessionIssuer":
{
"type": "Role",
"principalId": "AROAIZCYMDBM4SJU65M54",
"arn": "arn:aws:iam::112233445566:role/Operator",
"accountId": "112233445566",
"userName": "Operator",
},
"webIdFederationData": {},
"attributes":
{
"mfaAuthenticated": "false",
"creationDate": "2020-04-30T04:37:13Z",
},
},
},
"eventTime": "2020-04-30T04:40:52Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "AuthorizeSecurityGroupIngress",
"awsRegion": "us-east-1",
"sourceIPAddress": "100.1.114.142",
"userAgent": "aws-sdk-go/1.24.1 (go1.14; darwin; amd64)",
"requestParameters":
{
"groupId": "sg-0d921df5d84f7270a",
"ipPermissions":
{
"items":
[
{
"ipProtocol": "tcp",
"fromPort": 22,
"toPort": 22,
"groups": {},
"ipRanges": { "items": [{ "cidrIp": "0.0.0.0/0" }] },
"ipv6Ranges": {},
"prefixListIds": {},
},
],
},
},
"responseElements":
{
"requestId": "2be70b99-4937-4a76-b7d9-390b6d0eda73",
"_return": true,
},
"requestID": "2be70b99-4937-4a76-b7d9-390b6d0eda73",
"eventID": "42155429-7e8e-43b5-9b5e-6953f80d51d5",
"eventType": "AwsApiCall",
"recipientAccountId": "112233445566",
}
- Name: AWS Console - Ingress SG Authorization Error
LogType: AWS.CloudTrail
ExpectedResult: false
Log:
{
"awsRegion": "us-west-2",
"errorCode": "UnauthorizedOperation",
"eventID": "504b492f-7832-406b-a4fd-45a13e48adc4",
"eventName": "AuthorizeSecurityGroupIngress",
"eventSource": "ec2.amazonaws.com",
"eventTime": "2021-01-24 04:55:45.000",
"eventType": "AwsApiCall",
"eventVersion": "1.08",
"managementEvent": true,
"readOnly": false,
"recipientAccountId": "112233445566",
"requestID": "91f34d65-513d-4e9f-a3de-e8d27f7ee4b2",
"requestParameters":
{
"groupId": "sg-04f0b44316f7d2471",
"ipPermissions":
{
"items":
[
{
"ipRanges": { "items": [{ "cidrIp": "0.0.0.0/16" }] },
"prefixListIds": {},
"fromPort": "443",
"toPort": "443",
"groups": {},
"ipProtocol": "tcp",
"ipv6Ranges": {},
},
],
},
},
"responseElements":
{
"_return": true,
"requestId": "91f34d65-513d-4e9f-a3de-e8d27f7ee4b2",
},
"sourceIPAddress": "136.25.37.134",
"userAgent": "console.ec2.amazonaws.com",
"userIdentity":
{
"type": "AssumedRole",
"principalid": "ARORJ4ULULLE0EEJAAKDO:alan",
"arn": "arn:aws:sts::112233445566:assumed-role/TestAdmin/alan",
"accountid": "112233445566",
"accesskeyid": "ASIASWJRT64Z7ZLFLJNI",
"sessioncontext":
{
"attributes":
{
"mfaauthenticated": "true",
"creationdate": "2021-01-24T04:55:10Z",
},
"sessionissuer":
{
"type": "Role",
"principalid": "ARORJ4ULULLE0EEJAAKDO",
"arn": "arn:aws:iam::112233445566:role/TestAdmin",
"accountid": "112233445566",
"username": "TestAdmin",
},
},
},
"p_event_time": "2021-01-24 04:55:45.000",
"p_parse_time": "2021-01-24 05:02:58.358",
"p_log_type": "AWS.CloudTrail",
"p_row_id": "1a57ff7ade26aaf5a1a4d7d20775",
"p_source_id": "e55677c6-7ef5-4541-a443-0d0f17eec19f",
"p_source_label": "CloudTrail Test",
"p_any_ip_addresses": ["136.25.37.134"],
"p_any_aws_account_ids": ["112233445566"],
"p_any_aws_arns":
[
"arn:aws:iam::112233445566:role/TestAdmin",
" arn:aws:sts::112233445566:assumed-role/TestAdmin/alan",
],
}
Detection logic
Condition
not (errorCode is_not_null or errorMessage is_not_null)
eventName in ["CreateSecurityGroup", "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress"]
recipientAccountId in ["11111111111111", "112233445566"]
not (userAgent wildcard "* HashiCorp/?.0 Terraform/*" and (userIdentity.arn contains "Operator" or userIdentity.arn contains "ContinousDeployment"))
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
userIdentity.arn | contains | ContinousDeployment |
userIdentity.arn | contains | Operator |
userAgent | match | HashiCorp/?.0 Terraform/ |
errorCode | is_not_null | |
errorMessage | is_not_null |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
eventName | in |
|
recipientAccountId | in |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field |
|---|
eventName |
eventSource |
awsRegion |
recipientAccountId |
sourceIPAddress |
userAgent |
userIdentity |