AWSCloudTrail - Changes to AWS Security Group ingress and egress settings

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

---

A Security Group acts as a virtual firewall for an AWS instance to control inbound and outbound traffic. This rule detects AWS CloudTrail events for changes to Security Group ingress and egress settings. Investigate to validate the legitimacy of the activity and identify potential malicious activity.

Attribute	Value
Type	Analytic Rule
Solution	Amazon Web Services
ID	4f19d4e3-ec5f-4abc-9e61-819eb131758c
Severity	Low
Status	Available
Kind	Scheduled
Tactics	DefenseEvasion
Techniques	T1562.007
Required Connectors	AWS, AWSS3
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
AWSCloudTrail	EventName in "AuthorizeSecurityGroupEgress,AuthorizeSecurityGroupIngress,RevokeSecurityGroupEgress,RevokeSecurityGroupIngress"	✓	✓	✓

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Analytic Rules · Back to Amazon Web Services