Detection rules › Panther
AWS Macie Disabled/Updated
Amazon Macie is a data security and data privacy service to discover and protect sensitive data. Security teams use Macie to detect open S3 Buckets that could have potentially sensitive data in it along with policy violations, such as missing Encryption. If an attacker disables Macie, it could potentially hide data exfiltration.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Stealth | T1562 Impair Defenses |
Rule body yaml
AnalysisType: rule
Filename: aws_macie_evasion.py
RuleID: "AWS.Macie.Evasion"
DisplayName: "AWS Macie Disabled/Updated"
Enabled: true
LogTypes:
- AWS.CloudTrail
Reports:
MITRE ATT&CK:
- "TA0005:T1562" # Tactic ID:Technique ID (https://attack.mitre.org/tactics/enterprise/)
Severity: Medium
Description: >
Amazon Macie is a data security and data privacy service to discover and protect sensitive data.
Security teams use Macie to detect open S3 Buckets that could have potentially sensitive data in it along with
policy violations, such as missing Encryption. If an attacker disables Macie, it could potentially hide data exfiltration.
Reference: https://aws.amazon.com/macie/
Runbook: |
Analyze the events to ensure it's not normal maintenance.
If it's abnormal, run the Indicator Search on the UserIdentity:Arn for the past hour and analyze other services accessed/changed.
DedupPeriodMinutes: 60
Threshold: 5
SummaryAttributes:
- awsRegion
- eventName
- p_any_aws_arns
- p_any_ip_addresses
- userIdentity:type
- userIdentity:arn
Tests:
- Name: ListMembers
ExpectedResult: false
Log:
{
"awsRegion": "us-west-1",
"eventCategory": "Management",
"eventID": "5b3e4cf6-c37d-4c8c-9016-b8444a37ceaa",
"eventName": "ListMembers",
"eventSource": "macie2.amazonaws.com",
"eventTime": "2022-09-27 18:11:33",
"eventType": "AwsApiCall",
"eventVersion": "1.08",
"managementEvent": true,
"p_any_aws_account_ids": ["123456789012"],
"p_any_aws_arns":
[
"arn:aws:iam::123456789012:role/Admin",
"arn:aws:sts::123456789012:assumed-role/Admin/Jack",
],
"p_any_ip_addresses": ["178.253.78.209"],
"p_any_trace_ids": ["AAAASSSST64ZTHFY7777"],
"p_event_time": "2022-09-27 18:11:33",
"p_log_type": "AWS.CloudTrail",
"p_parse_time": "2022-09-27 18:16:43.428",
"p_row_id": "665d45a409cad7d68ff7bbd4138d02",
"p_source_id": "b00eb354-da7a-49dd-9cc6-32535e32096a",
"p_source_label": "CloudTrail Test",
"readOnly": true,
"recipientAccountId": "123456789012",
"requestID": "2164bbea-3eb0-444b-8e10-8ba53b3460b6",
"requestParameters": { "maxResults": "1", "onlyAssociated": "true" },
"sourceIPAddress": "178.253.78.209",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36",
"userIdentity":
{
"accessKeyId": "AAAASSSST64ZTHFY7777",
"accountId": "123456789012",
"arn": "arn:aws:sts::123456789012:assumed-role/Admin/Jack",
"principalId": "AAAAA44444LE6DYFKKKKK:Jack",
"sessionContext":
{
"attributes":
{
"creationDate": "2022-09-27T17:56:01Z",
"mfaAuthenticated": "true",
},
"sessionIssuer":
{
"accountId": "123456789012",
"arn": "arn:aws:iam::123456789012:role/Admin",
"principalId": "AAAAA44444LE6DYFKKKKK",
"type": "Role",
"userName": "Admin",
},
"webIdFederationData": {},
},
"type": "AssumedRole",
},
}
- Name: UpdateSession # The title of the test
ExpectedResult: true # If the sample event should generate an alert or not
Log:
{
"awsRegion": "us-east-2",
"eventCategory": "Management",
"eventID": "63033dfd-08c9-42f3-80ae-dca45e86ae84",
"eventName": "UpdateMacieSession",
"eventSource": "macie2.amazonaws.com",
"eventTime": "2022-09-27 19:59:08",
"eventType": "AwsApiCall",
"eventVersion": "1.08",
"managementEvent": true,
"p_any_aws_account_ids": ["123456789012"],
"p_any_aws_arns":
[
"arn:aws:iam::123456789012:role/Admin",
"arn:aws:sts::123456789012:assumed-role/Admin/Jack",
],
"p_any_ip_addresses": ["46.91.25.204"],
"p_any_trace_ids": ["ASIASWJRT64Z42HFV6QX"],
"p_event_time": "2022-09-27 19:59:08",
"p_log_type": "AWS.CloudTrail",
"p_parse_time": "2022-09-27 20:02:43.816",
"p_row_id": "665d45a409cad7d68ff7bbd4138123",
"p_source_id": "b00eb354-da7a-49dd-9cc6-32535e32096a",
"p_source_label": "CloudTrail Test",
"readOnly": false,
"recipientAccountId": "123456789012",
"requestID": "1b9981dc-21d2-4f77-92b0-69e23c8a40de",
"requestParameters": { "findingPublishingFrequency": "SIX_HOURS" },
"sourceIPAddress": "46.91.25.204",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36",
"userIdentity":
{
"accessKeyId": "ASIASWJRT64Z42HFV6QX",
"accountId": "123456789012",
"arn": "arn:aws:sts::123456789012:assumed-role/Admin/Jack",
"principalId": "AAAAA44444LE6DYFKKKKK:Jack",
"sessionContext":
{
"attributes":
{
"creationDate": "2022-09-27T17:56:01Z",
"mfaAuthenticated": "true",
},
"sessionIssuer":
{
"accountId": "123456789012",
"arn": "arn:aws:iam::123456789012:role/Admin",
"principalId": "AAAAA44444LE6DYFKKKKK",
"type": "Role",
"userName": "Admin",
},
"webIdFederationData": {},
},
"type": "AssumedRole",
},
}
- Name: UpdateSession (Macie v1 event) # The title of the test
ExpectedResult: true # If the sample event should generate an alert or not
Log:
{
"awsRegion": "us-east-2",
"eventCategory": "Management",
"eventID": "63033dfd-08c9-42f3-80ae-dca45e86ae84",
"eventName": "UpdateMacieSession",
"eventSource": "macie.amazonaws.com",
"eventTime": "2022-09-27 19:59:08",
"eventType": "AwsApiCall",
"eventVersion": "1.08",
"managementEvent": true,
"p_any_aws_account_ids": ["123456789012"],
"p_any_aws_arns":
[
"arn:aws:iam::123456789012:role/Admin",
"arn:aws:sts::123456789012:assumed-role/Admin/Jack",
],
"p_any_ip_addresses": ["46.91.25.204"],
"p_any_trace_ids": ["ASIASWJRT64Z42HFV6QX"],
"p_event_time": "2022-09-27 19:59:08",
"p_log_type": "AWS.CloudTrail",
"p_parse_time": "2022-09-27 20:02:43.816",
"p_row_id": "665d45a409cad7d68ff7bbd4138123",
"p_source_id": "b00eb354-da7a-49dd-9cc6-32535e32096a",
"p_source_label": "CloudTrail Test",
"readOnly": false,
"recipientAccountId": "123456789012",
"requestID": "1b9981dc-21d2-4f77-92b0-69e23c8a40de",
"requestParameters": { "findingPublishingFrequency": "SIX_HOURS" },
"sourceIPAddress": "46.91.25.204",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36",
"userIdentity":
{
"accessKeyId": "ASIASWJRT64Z42HFV6QX",
"accountId": "123456789012",
"arn": "arn:aws:sts::123456789012:assumed-role/Admin/Jack",
"principalId": "AAAAA44444LE6DYFKKKKK:Jack",
"sessionContext":
{
"attributes":
{
"creationDate": "2022-09-27T17:56:01Z",
"mfaAuthenticated": "true",
},
"sessionIssuer":
{
"accountId": "123456789012",
"arn": "arn:aws:iam::123456789012:role/Admin",
"principalId": "AAAAA44444LE6DYFKKKKK",
"type": "Role",
"userName": "Admin",
},
"webIdFederationData": {},
},
"type": "AssumedRole",
},
}
Detection logic
Condition
eventName in ["ArchiveFindings", "CreateFindingsFilter", "DeleteMember", "DisassociateFromMasterAccount", "DisassociateMember", "DisableMacie", "DisableOrganizationAdminAccount", "UpdateFindingsFilter", "UpdateMacieSession", "UpdateMemberSession", "UpdateClassificationJob"]
eventSource wildcard "macie*.amazonaws.com"
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
eventName | in |
|
eventSource | wildcard |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
recipientAccountId | |
arn | userIdentity.arn |