[Rule Tunings] AWS Cloudtrail Created/Updated/Suspended/Deleted

rules/integrations/aws/collection_cloudtrail_logging_created.toml

@@ -2,21 +2,25 @@
 creation_date = "2020/06/10"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/11/07"
 
 [rule]
 author = ["Elastic"]
-description = "Identifies the creation of an AWS log trail that specifies the settings for delivery of log data."
+description = """
+Detects creation of a new AWS CloudTrail trail via CreateTrail API. While legitimate during onboarding or auditing
+improvements, adversaries can create trails that write to attacker-controlled destinations, limit regions, or otherwise
+subvert monitoring objectives. New trails should be validated for destination ownership, encryption, multi-region
+coverage, and organizational scope.
+"""
 false_positives = [
     """
     Trail creations may be made by a system or network administrator. Verify whether the user identity, user agent,
     and/or hostname should be making changes in your environment. Trail creations by unfamiliar users or hosts should be
     investigated. If known behavior is causing false positives, it can be exempted from the rule.
     """,
 ]
-from = "now-60m"
+from = "now-6m"
 index = ["filebeat-*", "logs-aws.cloudtrail-*"]
-interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS CloudTrail Log Created"
@@ -27,37 +31,40 @@ note = """## Triage and analysis
 
 ### Investigating AWS CloudTrail Log Created
 
-AWS CloudTrail is a service that enables governance, compliance, and operational and risk auditing of your AWS account. It logs API calls and related events, providing visibility into user activity. Adversaries may create new trails to capture sensitive data or cover their tracks. The detection rule identifies successful trail creation, signaling potential unauthorized activity, aiding in early threat detection.
+AWS CloudTrail is a service that enables governance, compliance, and operational and risk auditing of your AWS account. It logs API calls and related events, providing visibility into user activity. Adversaries may create new trails to capture sensitive data or cover their tracks. This detection identifies
+`CreateTrail` calls so responders can verify destination ownership, encryption, and scope before accepting the change.
 
-### Possible investigation steps
+#### Possible investigation steps
 
-- Review the AWS CloudTrail logs to identify the user or role associated with the CreateTrail event by examining the user identity information in the event logs.
-- Check the time and date of the CreateTrail event to determine if it aligns with any known maintenance or administrative activities.
-- Investigate the configuration of the newly created trail to understand what specific log data it is set to capture and where it is being delivered.
-- Assess whether the trail creation was authorized by cross-referencing with change management records or by contacting relevant personnel.
-- Analyze other recent AWS CloudTrail events associated with the same user or role to identify any suspicious or unusual activities that may indicate malicious intent.
-- Evaluate the permissions and access policies of the user or role involved in the event to ensure they align with the principle of least privilege.
+- **Identify the actor and context**
+  - Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, `user_agent.original`, `source.ip`.
+  - Confirm a related change request exists (onboarding, architecture change).
+- **Validate trail configuration**
+  - In `aws.cloudtrail.request_parameters`, verify:
+    - `S3BucketName`/`CloudWatchLogsLogGroupArn` belong to your org (no external accounts).
+    - `IsMultiRegionTrail=true` and `IncludeGlobalServiceEvents=true` (as per your standard).
+    - `KmsKeyId` is an approved CMK; log file validation enabled.
+- **Correlate activity**
+  - Look for `PutEventSelectors`, `PutInsightSelectors`, `StartLogging` following creation.
+  - Check for prior enumeration: `DescribeTrails`, `ListBuckets`, `GetEventSelectors`.
 
 ### False positive analysis
-
-- Routine administrative actions by authorized personnel can trigger this rule. Regularly review and document legitimate trail creation activities to differentiate them from unauthorized actions.
-- Automated processes or scripts that create trails for compliance or monitoring purposes may cause false positives. Identify and whitelist these processes to prevent unnecessary alerts.
-- Third-party security tools or services that integrate with AWS and create trails for enhanced logging might be mistaken for suspicious activity. Verify these integrations and exclude them from the rule if they are part of your security strategy.
-- Changes in organizational policy or structure that require new trail creation can lead to false positives. Ensure that such changes are communicated to the security team to adjust the rule settings accordingly.
+- **Planned creation**: Onboarding or compliance initiatives often add trails. Validate via ticket and standard template.
+- **Automation**: IaC or control-tower pipelines may create trails on account bootstrap.
 
 ### Response and remediation
-
-- Immediately review the newly created CloudTrail log to verify its legitimacy. Check the user or service account that initiated the trail creation and confirm if it aligns with expected administrative activities.
-- If the trail creation is unauthorized, disable or delete the trail to prevent further data capture by potential adversaries.
-- Conduct a thorough audit of recent API calls and user activities associated with the account that created the trail to identify any other suspicious actions or configurations.
-- Escalate the incident to the security operations team for further investigation and to determine if additional AWS resources have been compromised.
-- Implement additional monitoring and alerting for any future unauthorized CloudTrail modifications or creations to enhance early detection capabilities.
-- Review and tighten IAM policies and permissions to ensure that only authorized personnel have the ability to create or modify CloudTrail configurations.
-- Consider enabling AWS CloudTrail log file integrity validation to ensure that log files have not been altered or deleted, providing an additional layer of security.
-
-## Setup
-
-The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+- **If unauthorized**
+  - Disable or delete the trail; verify and secure the destination S3/CloudWatch resources.
+  - Review the actor’s recent changes and rotate credentials if compromise is suspected.
+- **Hardening**
+  - Restrict `cloudtrail:CreateTrail` to admin roles.
+  - Use AWS Config / Security Hub controls to enforce multi-region, global events, and validated destinations.
+
+### Additional information
+- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** 
+- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** 
+- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).
+"""
 references = [
     "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html",
     "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html",
@@ -69,6 +76,7 @@ tags = [
     "Domain: Cloud",
     "Data Source: AWS",
     "Data Source: Amazon Web Services",
+    "Data Source: AWS Cloudtrail",
     "Use Case: Log Auditing",
     "Tactic: Collection",
     "Resources: Investigation Guide",
@@ -77,7 +85,10 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success
+event.dataset: "aws.cloudtrail" 
+    and event.provider: "cloudtrail.amazonaws.com" 
+    and event.action: "CreateTrail" 
+    and event.outcome: "success"
 '''
 
 
@@ -94,3 +105,20 @@ id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
 
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "user.name",
+    "user_agent.original",
+    "source.ip",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
+    "aws.cloudtrail.user_identity.access_key_id",
+    "event.action",
+    "event.outcome",
+    "cloud.account.id",
+    "cloud.region",
+    "aws.cloudtrail.request_parameters",
+    "aws.cloudtrail.response_elements",
+]
+

rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml

@@ -2,71 +2,60 @@
 creation_date = "2020/05/26"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/11/07"
+updated_date = "2025/11/07"
 
 [rule]
 author = ["Elastic"]
-description = "Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses."
+description = """
+Detects deletion of an AWS CloudTrail trail via DeleteTrail API. Removing trails is a high-risk action that destroys an
+audit control plane and is frequently paired with other destructive or stealthy operations. Validate immediately and
+restore compliant logging.
+"""
 false_positives = [
     """
     Trail deletions may be made by a system or network administrator. Verify whether the user identity, user agent,
     and/or hostname should be making changes in your environment. Trail deletions by unfamiliar users or hosts should be
     investigated. If known behavior is causing false positives, it can be exempted from the rule.
     """,
 ]
-from = "now-60m"
+from = "now-6m"
 index = ["filebeat-*", "logs-aws.cloudtrail-*"]
-interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS CloudTrail Log Deleted"
 note = """## Triage and analysis
 
-### Investigating AWS CloudTrail Log Deleted
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-Amazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and troubleshooting.
+### Investigating AWS CloudTrail Log Deleted
 
-This rule identifies the deletion of an AWS log trail using the API `DeleteTrail` action. Attackers can do this to cover their tracks and impact security monitoring that relies on this source.
+AWS CloudTrail is a service that enables governance, compliance, and operational and risk auditing of your AWS account. It logs API calls and related events, providing visibility into user activity. This rule identifies the deletion of an AWS log trail using the `DeleteTrail` API. Deleting a trail can eliminate visibility and is a strong indicator of defense evasion or sabotage.
 
 #### Possible investigation steps
-
-- Identify the user account that performed the action and whether it should perform this kind of action.
-- Investigate other alerts associated with the user account during the past 48 hours.
-- Contact the account and resource owners and confirm whether they are aware of this activity.
-- Check if this operation was approved and performed according to the organization's change management policy.
-- Considering the source IP address and geolocation of the user who issued the command:
-    - Do they look normal for the user?
-    - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?
-    - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
-- Investigate the deleted log trail's criticality and whether the responsible team is aware of the deletion.
-- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.
+- **Actor & target**
+  - Identify `aws.cloudtrail.user_identity.arn`, `user_agent.original`, `source.ip`.
+  - Confirm which trail was deleted (name/ARN, multi-region/organization status) from `aws.cloudtrail.request_parameters` or `target.entity.id`.
+- **Blast radius**
+  - Determine whether it was the only trail or if organization/multi-region coverage remains.
+  - Review preceding `StopLogging` or `UpdateTrail` and subsequent high-risk actions (IAM, S3, KMS, EC2 exports).
+- **Data preservation**
+  - Verify S3 destinations and CloudWatch log groups for retained historical logs and file integrity validation.
 
 ### False positive analysis
-
-- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and IP address conditions.
+- **Planned deletion**: Validate with tickets and decommissioning plans; ensure replacement/alternate trails exist.
 
 ### Response and remediation
-
-- Initiate the incident response process based on the outcome of the triage.
-- Disable or limit the account during the investigation and response.
-- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
-    - Identify the account role in the cloud environment.
-    - Assess the criticality of affected services and servers.
-    - Work with your IT team to identify and minimize the impact on users.
-    - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.
-    - Identify any regulatory or legal ramifications related to this activity.
-- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.
-- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.
-- Consider enabling multi-factor authentication for users.
-- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.
-- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.
-- Take the actions needed to return affected systems, data, or services to their normal operational levels.
-- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
-- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
-## Setup
-
-The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+- Recreate or re-enable compliant multi-region (or organization) trails immediately.
+- Investigate the actor’s recent activity; rotate creds if compromise is suspected.
+- Validate destination bucket policies, CMK policies, and event selectors for all active trails.
+- Hardening: Restrict `cloudtrail:DeleteTrail` and enforce guardrails via AWS Config/SCPs; alert on future deletions.
+
+### Additional information
+- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** 
+- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** 
+- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).
+"""
 references = [
     "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html",
     "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html",
@@ -78,6 +67,7 @@ tags = [
     "Domain: Cloud",
     "Data Source: AWS",
     "Data Source: Amazon Web Services",
+    "Data Source: AWS Cloudtrail",
     "Use Case: Log Auditing",
     "Resources: Investigation Guide",
     "Tactic: Defense Evasion",
@@ -86,26 +76,12 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:aws.cloudtrail
-    and event.provider:cloudtrail.amazonaws.com
-    and event.action:DeleteTrail
-    and event.outcome:success
+event.dataset: "aws.cloudtrail"
+    and event.provider: "cloudtrail.amazonaws.com"
+    and event.action: "DeleteTrail"
+    and event.outcome: "success"
 '''
 
-[rule.investigation_fields]
-field_names = [
-    "@timestamp",
-    "user.name",
-    "aws.cloudtrail.user_identity.arn",
-    "aws.cloudtrail.user_identity.type",
-    "source.address",
-    "user_agent.original",
-    "aws.cloudtrail.flattened.request_parameters.name",
-    "event.action",
-    "event.outcome",
-    "cloud.region",
-    "aws.cloudtrail.request_parameters"
-]
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -125,3 +101,20 @@ id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
 
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "user.name",
+    "user_agent.original",
+    "source.ip",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
+    "aws.cloudtrail.user_identity.access_key_id",
+    "target.entity.id",
+    "event.action",
+    "event.outcome",
+    "cloud.account.id",
+    "cloud.region",
+    "aws.cloudtrail.request_parameters",
+]
+