MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Stealth | T1562 Impair Defenses |
Rules detecting the same action
Other rules on this platform that filter on the same API call or operation.
Rule body yaml
AnalysisType: rule
Filename: aws_ec2_security_group_modified.py
RuleID: "AWS.EC2.SecurityGroupModified"
DisplayName: "EC2 Security Group Modified"
Enabled: true
LogTypes:
- AWS.CloudTrail
Tags:
- AWS
- Security Control
- Defense Evasion:Impair Defenses
Reports:
CIS:
- 3.10
MITRE ATT&CK:
- TA0005:T1562
Stratus Red Team:
- aws.exfiltration.ec2-security-group-open-port-22-ingress
Severity: Info
DedupPeriodMinutes: 720 # 12 hours
Description: >
An EC2 Security Group was modified.
Runbook: https://docs.runpanther.io/alert-runbooks/built-in-rules/aws-ec2-securitygroup-modified
Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-security-groups.html
SummaryAttributes:
- eventName
- userAgent
- sourceIpAddress
- recipientAccountId
- p_any_aws_arns
Tests:
- Name: Security Group Modified
ExpectedResult: true
Log:
{
"eventVersion": "1.05",
"userIdentity":
{
"type": "AssumedRole",
"principalId": "1111:tester",
"arn": "arn:aws:sts::123456789012:assumed-role/tester",
"accountId": "123456789012",
"accessKeyId": "1",
"sessionContext":
{
"sessionIssuer":
{
"type": "Role",
"principalId": "1111",
"arn": "arn:aws:iam::123456789012:role/tester",
"accountId": "123456789012",
"userName": "tester",
},
"webIdFederationData": {},
"attributes":
{
"mfaAuthenticated": "true",
"creationDate": "2019-01-01T00:00:00Z",
},
},
},
"eventTime": "2019-01-01T00:00:00Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "AuthorizeSecurityGroupIngress",
"awsRegion": "us-west-2",
"sourceIPAddress": "111.111.111.111",
"userAgent": "console.ec2.amazonaws.com",
"requestParameters":
{
"groupId": "sg-1",
"ipPermissions":
{
"items":
[
{
"ipProtocol": "tcp",
"fromPort": 22,
"toPort": 22,
"groups": {},
"ipRanges":
{
"items":
[
{
"cidrIp": "127.0.0.1/32",
"description": "SSH for me",
},
],
},
"ipv6Ranges": {},
"prefixListIds": {},
},
],
},
},
"responseElements": { "requestID": "1", "_return": true },
"requestID": "1",
"eventID": "1",
"eventType": "AwsApiCall",
"recipientAccountId": "123456789012",
}
- Name: Security Group Not Modified
ExpectedResult: false
Log:
{
"eventVersion": "1.05",
"userIdentity":
{
"type": "AssumedRole",
"principalId": "1111:tester",
"arn": "arn:aws:sts::123456789012:assumed-role/tester",
"accountId": "123456789012",
"accessKeyId": "1",
"sessionContext":
{
"sessionIssuer":
{
"type": "Role",
"principalId": "1111",
"arn": "arn:aws:iam::123456789012:role/tester",
"accountId": "123456789012",
"userName": "tester",
},
"webIdFederationData": {},
"attributes":
{
"mfaAuthenticated": "false",
"creationDate": "2019-01-01T00:00:00Z",
},
},
},
"eventTime": "2019-01-01T00:00:00Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "DescribeSecurityGroups",
"awsRegion": "us-west-2",
"sourceIPAddress": "111.111.111.111",
"userAgent": "Mozilla",
"requestParameters":
{
"securityGroupSet": {},
"securityGroupIdSet": {},
"filterSet":
{
"items":
[
{
"name": "vpc-id",
"valueSet": { "items": [{ "value": "vpc-1" }] },
},
],
},
},
"responseElements": null,
"requestID": "1",
"eventID": "1",
"eventType": "AwsApiCall",
"recipientAccountId": "123456789012",
}
- Name: Error Mofidying Security Group
ExpectedResult: false
Log:
{
"errorCode": "RequestExpired",
"eventVersion": "1.05",
"userIdentity":
{
"type": "AssumedRole",
"principalId": "1111:tester",
"arn": "arn:aws:sts::123456789012:assumed-role/tester",
"accountId": "123456789012",
"accessKeyId": "1",
"sessionContext":
{
"sessionIssuer":
{
"type": "Role",
"principalId": "1111",
"arn": "arn:aws:iam::123456789012:role/tester",
"accountId": "123456789012",
"userName": "tester",
},
"webIdFederationData": {},
"attributes":
{
"mfaAuthenticated": "true",
"creationDate": "2019-01-01T00:00:00Z",
},
},
},
"eventTime": "2019-01-01T00:00:00Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "AuthorizeSecurityGroupIngress",
"awsRegion": "us-west-2",
"sourceIPAddress": "111.111.111.111",
"userAgent": "console.ec2.amazonaws.com",
"requestParameters":
{
"groupId": "sg-1",
"ipPermissions":
{
"items":
[
{
"ipProtocol": "tcp",
"fromPort": 22,
"toPort": 22,
"groups": {},
"ipRanges":
{
"items":
[
{
"cidrIp": "127.0.0.1/32",
"description": "SSH for me",
},
],
},
"ipv6Ranges": {},
"prefixListIds": {},
},
],
},
},
"responseElements": { "requestID": "1", "_return": true },
"requestID": "1",
"eventID": "1",
"eventType": "AwsApiCall",
"recipientAccountId": "123456789012",
}
Detection logic
Condition
not (errorCode is_not_null or errorMessage is_not_null)
eventName in ["AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress", "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress", "CreateSecurityGroup", "DeleteSecurityGroup"]
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
errorCode | is_not_null | |
errorMessage | is_not_null |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
eventName | in |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field |
|---|
eventName |
eventSource |
awsRegion |
recipientAccountId |
sourceIPAddress |
userAgent |
userIdentity |