added "AWS.CloudTrail.DNSLogsDeleted"
ben-githubs committed Nov 28, 2024
1 parent 93982fa commit a66d0d1
Showing 2 changed files with 108 additions and 0 deletions.
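--- a/rules/aws_cloudtrail_rules/aws_dns_logs_deleted.py
+++ b/rules/aws_cloudtrail_rules/aws_dns_logs_deleted.py
@@ -0,0 +1,18 @@
+from panther_aws_helpers import aws_cloudtrail_success, aws_rule_context, lookup_aws_account_name
+
+
+def rule(event):
+return (
+aws_cloudtrail_success(event) and event.get("eventName") == "DeleteResolverQueryLogConfig"
+)
+
+
+def title(event):
+account = event.deep_get("userIdentity", "accountId", default="<UNKNOWN ACCOUNT>")
+region = event.get("awsRegion", "<UNKNOWN REGION>")
+return f"DNS logs have been deleted in {lookup_aws_account_name(account)} in {region}"
+
+
+def alert_context(event):
+log_id = event.deep_get("requestParameters", "resolverQueryLogConfigId", "<UNKNOWN LOG ID>")
+return aws_rule_context(event) | {"logId": log_id}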
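Review bot: In alert_context the fallback string `"<UNKNOWN LOG ID>"` is passed to `event.deep_get` as a third positional key rather than as the `default=` keyword, so it is treated as one more lookup step under `resolverQueryLogConfigId` instead of as the value to return when the path is missing; title() two functions up uses `default=` correctly. Change the line to `log_id = event.deep_get("requestParameters", "resolverQueryLogConfigId", default="<UNKNOWN LOG ID>")`. As written, the sample event in the accompanying YAML test would presumably produce a `logId` of None (or whatever deep_get returns when it descends into a string value) rather than the config id, so the alert context silently loses the one field this function exists to add.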
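--- a/rules/aws_cloudtrail_rules/aws_dns_logs_deleted.yml
+++ b/rules/aws_cloudtrail_rules/aws_dns_logs_deleted.yml
@@ -0,0 +1,90 @@
+AnalysisType: rule
+Filename: aws_dns_logs_deleted.py
+RuleID: "AWS.CloudTrail.DNSLogsDeleted"
+DisplayName: "AWS DNS Logs Deleted"
+Enabled: true
+LogTypes:
+- AWS.CloudTrail
+Severity: Low
+Reports:
+MITRE ATT&CK:
+- TA0005:T1562.008 # Defense Evasion: Disable or Modify Cloud Logs
+Description: "Detects when logs for a DNS Resolver have been removed."
+Reference:
+hhttps://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.dns-delete-logs/
+Runbook: Determine if the log removal to is legitimate.
+Tags:
+- AWS
+- Cloudtrail
+- Defense Evasion
+- Impair Defenses
+- Disable or Modify Cloud Logs
+- Defense Evasion:Impair Defenses
+- Security Control
+Tests:
+- Name: Logs Deleted
+ExpectedResult: true
+Log:
+{
+"p_event_time": "2024-11-27 18:18:58.000000000",
+"p_log_type": "AWS.CloudTrail",
+"p_parse_time": "2024-11-27 18:25:54.213480847",
+"awsRegion": "us-west-2",
+"eventCategory": "Management",
+"eventID": "27e6be30-7c86-4544-b0e0-a60b0c927887",
+"eventName": "DeleteResolverQueryLogConfig",
+"eventSource": "route53resolver.amazonaws.com",
+"eventTime": "2024-11-27 18:18:58.000000000",
+"eventType": "AwsApiCall",
+"eventVersion": "1.08",
+"managementEvent": true,
+"readOnly": false,
+"recipientAccountId": "111122223333",
+"requestID": "a45a0f04-8911-4c95-a9d7-3fead8a9bc45",
+"requestParameters": {
+"originSequenceNumber": 0,
+"resolverQueryLogConfigId": "rqlc-5aa596fe3bd84ec6"
+},
+"responseElements": {
+"resolverQueryLogConfig": {
+"arn": "arn:aws:route53resolver:us-west-2:111122223333:resolver-query-log-config/rqlc-5aa596fe3bd84ec6",
+"associationCount": 0,
+"creationTime": "2024-11-27T18:18:56.881520365Z",
+"creatorRequestId": "tf-r53-resolver-query-log-config-20241127181856499800000001",
+"destinationArn": "arn:aws:s3:::sample-bucket-name",
+"id": "rqlc-5aa596fe3bd84ec6",
+"name": "sample-config-name",
+"ownerId": "111122223333",
+"shareStatus": "NOT_SHARED",
+"status": "DELETING"
+}
+},
+"sourceIPAddress": "1.2.3.4",
+"tlsDetails": {
+"cipherSuite": "TLS_AES_128_GCM_SHA256",
+"clientProvidedHostHeader": "route53resolver.us-west-2.amazonaws.com",
+"tlsVersion": "TLSv1.3"
+},
+"userAgent": "stratus-red-team_dbac929e-ae11-4539-8753-35dbcbbc3256",
+"userIdentity": {
+"accessKeyId": "SAMPLE_ACCESS_KEY",
+"accountId": "111122223333",
+"arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/leroy.jenkins",
+"principalId": "SAMPLE_PRINCIPAL_ID:leroy.jenkins",
+"sessionContext": {
+"attributes": {
+"creationDate": "2024-11-27T18:17:21Z",
+"mfaAuthenticated": "false"
+},
+"sessionIssuer": {
+"accountId": "111122223333",
+"arn": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-west-2/SampleRole",
+"principalId": "SAMPLE_PRINCIPAL_ID",
+"type": "Role",
+"userName": "SampleRole"
+},
+"webIdFederationData": {}
+},
+"type": "AssumedRole"
+}
+}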
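Review bot: The `Reference:` URL is malformed — it begins with `hhttps://`, so the link in the alert will not resolve; it should read `https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.dns-delete-logs/`. The Runbook line also has a stray word and should be `Runbook: Determine if the log removal is legitimate.` The Tests block contains only the positive case; adding a second test with `ExpectedResult: false` (for example the same event carrying an `errorCode`, or a non-delete eventName) would pin that the `aws_cloudtrail_success` gate in rule() actually suppresses failed or unrelated calls, and a test that checks `alert_context` returns the `rqlc-…` id from `requestParameters` would have caught the `deep_get` default-argument mistake in the companion Python file.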
