AWS Route Table Modified or Deleted
editAWS Route Table Modified or Deleted
editIdentifies when an AWS Route Table has been modified or deleted.
Rule type: query
Rule indices:
- filebeat-*
- logs-aws*
Severity: low
Risk score: 21
Runs every: 10m
Searches indices from: now-60m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
- https://github.com/easttimor/aws-incident-response#network-routing
- https://docs.datadoghq.com/security_platform/default_rules/cloudtrail-aws-route-table-modified
- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html
- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation
- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html
- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html
- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html
Tags:
- Elastic
- Cloud
- AWS
- Continuous Monitoring
- SecOps
- Network Security
Version: 2
Rule authors:
- Elastic
- Austin Songer
Rule license: Elastic License v2
Investigation guide
edit## Config The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
Rule query
editevent.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or DeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:success
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/