Detection rules › Panther
Account Security Configuration Changed
An account wide security configuration was changed.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Stealth | T1562 Impair Defenses |
Rules detecting the same action
Other rules on this platform that filter on the same API call or operation.
- ASL AWS Defense Evasion Delete Cloudtrail (Splunk)
- ASL AWS Defense Evasion Stop Logging Cloudtrail (Splunk)
- AWS Config Service Disabled (Panther)
- AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity (Elastic)
- AWS VPC Flow Logs Deleted (Sigma)
- AWS VPC Flow Logs Removed (Panther)
- AWSCloudTrail - AWS GuardDuty detector disabled or suspended (Kusto)
- AWSCloudTrail - Changes made to AWS CloudTrail logs (Kusto)
Rule body yaml
AnalysisType: rule
Filename: aws_security_configuration_change.py
RuleID: "AWS.CloudTrail.SecurityConfigurationChange"
DisplayName: "Account Security Configuration Changed"
Enabled: true
LogTypes:
- AWS.CloudTrail
Tags:
- AWS
- Defense Evasion:Impair Defenses
Severity: Medium
Reports:
MITRE ATT&CK:
- TA0005:T1562
Stratus Red Team:
- aws.defense-evasion.cloudtrail-delete
- aws.defense-evasion.cloudtrail-stop
- aws.defense-evasion.vpc-remove-flow-logs
Description: An account wide security configuration was changed.
Runbook: >
Verify that this change was planned. If not, revert the change and update the access control policies to ensure this doesn't happen again.
Reference: https://docs.aws.amazon.com/prescriptive-guidance/latest/aws-startup-security-baseline/controls-acct.html
SummaryAttributes:
- eventName
- userAgent
- sourceIpAddress
- recipientAccountId
- p_any_aws_arns
Tests:
- Name: Security Configuration Changed
ExpectedResult: true
Log:
{
"awsRegion": "us-west-2",
"eventID": "1111",
"eventName": "DeleteTrail",
"eventSource": "cloudtrail.amazonaws.com",
"eventTime": "2019-01-01T00:00:00Z",
"eventType": "AwsApiCall",
"eventVersion": "1.05",
"readOnly": false,
"recipientAccountId": "123456789012",
"requestID": "1111",
"requestParameters": { "name": "example-trail" },
"responseElements": null,
"sourceIPAddress": "111.111.111.111",
"userAgent": "Mozilla/2.0 (compatible; NEWT ActiveX; Win32)",
"userIdentity":
{
"accessKeyId": "1111",
"accountId": "123456789012",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-user",
"invokedBy": "cloudformation.amazonaws.com",
"principalId": "1111",
"sessionContext":
{
"attributes":
{
"creationDate": "2019-01-01T00:00:00Z",
"mfaAuthenticated": "true",
},
"sessionIssuer":
{
"accountId": "123456789012",
"arn": "arn:aws:iam::123456789012:role/example-role",
"principalId": "1111",
"type": "Role",
"userName": "example-role",
},
"webIdFederationData": {},
},
"type": "AssumedRole",
},
}
- Name: Security Configuration Not Changed
ExpectedResult: false
Log:
{
"awsRegion": "us-west-2",
"eventID": "1111",
"eventName": "DescribeTrail",
"eventSource": "cloudtrail.amazonaws.com",
"eventTime": "2019-01-01T00:00:00Z",
"eventType": "AwsApiCall",
"eventVersion": "1.05",
"readOnly": false,
"recipientAccountId": "123456789012",
"requestID": "1111",
"requestParameters": { "name": "example-trail" },
"responseElements": null,
"sourceIPAddress": "111.111.111.111",
"userAgent": "Mozilla/2.0 (compatible; NEWT ActiveX; Win32)",
"userIdentity":
{
"accessKeyId": "1111",
"accountId": "123456789012",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-user",
"invokedBy": "cloudformation.amazonaws.com",
"principalId": "1111",
"sessionContext":
{
"attributes":
{
"creationDate": "2019-01-01T00:00:00Z",
"mfaAuthenticated": "true",
},
"sessionIssuer":
{
"accountId": "123456789012",
"arn": "arn:aws:iam::123456789012:role/example-role",
"principalId": "1111",
"type": "Role",
"userName": "example-role",
},
"webIdFederationData": {},
},
"type": "AssumedRole",
},
}
- Name: Non Security Configuration Change
ExpectedResult: false
Log:
{
"awsRegion": "us-west-2",
"eventID": "1111",
"eventName": "PutPolicy",
"eventSource": "iam.amazonaws.com",
"eventTime": "2019-01-01T00:00:00Z",
"eventType": "AwsApiCall",
"eventVersion": "1.05",
"readOnly": false,
"recipientAccountId": "123456789012",
"requestID": "1111",
"requestParameters": { "name": "example-trail" },
"responseElements": null,
"sourceIPAddress": "111.111.111.111",
"userAgent": "Mozilla/2.0 (compatible; NEWT ActiveX; Win32)",
"userIdentity":
{
"accessKeyId": "1111",
"accountId": "123456789012",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-user",
"invokedBy": "cloudformation.amazonaws.com",
"principalId": "1111",
"sessionContext":
{
"attributes":
{
"creationDate": "2019-01-01T00:00:00Z",
"mfaAuthenticated": "true",
},
"sessionIssuer":
{
"accountId": "123456789012",
"arn": "arn:aws:iam::123456789012:role/example-role",
"principalId": "1111",
"type": "Role",
"userName": "example-role",
},
"webIdFederationData": {},
},
"type": "AssumedRole",
},
}
- Name: Security Configuration Not Changed - Error
ExpectedResult: false
Log:
{
"awsRegion": "us-west-2",
"errorCode": "ConflictException",
"eventID": "1111",
"eventName": "DeleteTrail",
"eventSource": "cloudtrail.amazonaws.com",
"eventTime": "2019-01-01T00:00:00Z",
"eventType": "AwsApiCall",
"eventVersion": "1.05",
"readOnly": false,
"recipientAccountId": "123456789012",
"requestID": "1111",
"requestParameters": { "name": "example-trail" },
"responseElements": null,
"sourceIPAddress": "111.111.111.111",
"userAgent": "Mozilla/2.0 (compatible; NEWT ActiveX; Win32)",
"userIdentity":
{
"accessKeyId": "1111",
"accountId": "123456789012",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-user",
"invokedBy": "cloudformation.amazonaws.com",
"principalId": "1111",
"sessionContext":
{
"attributes":
{
"creationDate": "2019-01-01T00:00:00Z",
"mfaAuthenticated": "true",
},
"sessionIssuer":
{
"accountId": "123456789012",
"arn": "arn:aws:iam::123456789012:role/example-role",
"principalId": "1111",
"type": "Role",
"userName": "example-role",
},
"webIdFederationData": {},
},
"type": "AssumedRole",
},
}
- Name: Security Configuration Changed - Allowlisted User
ExpectedResult: false
Mocks:
- {
"objectName": "ALLOW_LIST",
"returnValue": '[{"userName": "ExampleUser", "eventName": "DeleteRule"}]',
}
Log:
{
"awsRegion": "us-west-2",
"eventID": "1111",
"eventName": "DeleteRule",
"eventSource": "cloudtrail.amazonaws.com",
"eventTime": "2019-01-01T00:00:00Z",
"eventType": "AwsApiCall",
"eventVersion": "1.05",
"readOnly": false,
"recipientAccountId": "123456789012",
"requestID": "1111",
"requestParameters": { "name": "example-trail" },
"responseElements": null,
"sourceIPAddress": "111.111.111.111",
"userAgent": "Mozilla/2.0 (compatible; NEWT ActiveX; Win32)",
"userIdentity":
{
"accessKeyId": "1111",
"accountId": "123456789012",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-user",
"invokedBy": "cloudformation.amazonaws.com",
"principalId": "1111",
"sessionContext":
{
"attributes":
{
"creationDate": "2019-01-01T00:00:00Z",
"mfaAuthenticated": "true",
},
"sessionIssuer":
{
"accountId": "123456789012",
"arn": "arn:aws:iam::123456789012:role/example-role",
"principalId": "1111",
"type": "Role",
"userName": "ExampleUser",
},
"webIdFederationData": {},
},
"type": "AssumedRole",
},
}
Detection logic
Condition
not (errorCode is_not_null or errorMessage is_not_null)
(eventName eq "UpdateDetector" and requestParameters.enable is_null) or eventName in ["DeleteAccountPublicAccessBlock", "DeleteDeliveryChannel", "DeleteDetector", "DeleteFlowLogs", "DeleteRule", "DeleteTrail", "DisableEbsEncryptionByDefault", "DisableRule", "StopConfigurationRecorder", "StopLogging"]
This rule also runs imperative logic the parser cannot express as a filter; the conditions above are the structured part it could extract.
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
errorCode | is_not_null | |
errorMessage | is_not_null |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
eventName | eq |
|
eventName | in |
|
requestParameters.enable | is_null |
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field |
|---|
eventName |
eventSource |
awsRegion |
recipientAccountId |
sourceIPAddress |
userAgent |
userIdentity |
actor_user |