[Rule Tunings] AWS Multiple API Calls ESQL rules
Pull Request
Issue link(s):
- https://github.com/elastic/ia-trade-team/issues/616
Summary - What I changed
AWS EC2 Multi-Region DescribeInstances API Calls: over 2,000 alerts in the last 24 hours. This is a very noisy rule; by design it alerts on quite normal behavior. There is not much in-the-wild threat behavior that justifies keeping this rule as a standalone alert. As a threat indicator, it is best used as a hunting rule or in correlation with another rule, for example: (GetCallerIdentity new terms + multi-region DescribeInstances by the same principal), (multiple Discovery API calls + multi-region DescribeInstances by the same principal), or (multi-region DescribeInstances + snapshot/AMI activity by the same principal). On its own, however, it is not adding much value over the noise.
- I'm keeping this as an ESQL rule but converting it to a BBR
- keeping more fields for further context
- Changing investigation guide to be more relevant for hunting/correlation rule
AWS Discovery API Calls via CLI from a Single Resource: this rule is alerting as expected with low telemetry. It has to remain an ESQL rule, as no other rule type can truncate the time window to 10 seconds while looking for a threshold of unique API calls coming from a single user.
- Keeping as ESQL rule
- Reduced execution window
- Keeping more fields for further context
- Adding highlighted fields
- Updated Investigation guide
- Changed the toml file name to be more accurate as this rule does not only look at ec2 service discovery
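For reviewers who want to see the two thresholds side by side, here is an added Python example that replays constructed CloudTrail-style events through (a) the multi-region DescribeInstances count per principal, (b) the 10-second window of unique discovery API calls from the CLI, and (c) the "same principal" correlation suggested above for the BBR. This is illustration code, not the rules' own ES|QL: the field names follow the ECS mapping the Elastic AWS CloudTrail integration produces, while the thresholds (3 regions, 5 unique calls in 10 s), the `aws-cli` user-agent filter and the Describe/List/Get action prefixes are assumptions chosen for the example, not the values in the rules.

```python
# Added example, not the rules' own ES|QL. Replays constructed CloudTrail-style
# events through the two thresholds the PR describes and the same-principal
# correlation. Thresholds, action prefixes and the aws-cli user-agent filter are
# assumptions for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/ec2-reader/session"
CLI_USER_ARN = "arn:aws:iam::111122223333:user/alice"
ADMIN_ARN = "arn:aws:iam::111122223333:user/bob"

def ev(ts, arn, action, region, ua):
    """Build one flattened ECS-style event; timestamps are UTC ISO-8601 without zone."""
    return {"@timestamp": ts, "aws.cloudtrail.user_identity.arn": arn,
            "event.action": action, "cloud.region": region, "user_agent.original": ua}

# Constructed sample data, not real telemetry.
SAMPLE_EVENTS = [
    # ec2-reader fans DescribeInstances across three regions via an SDK (no CLI burst)
    ev("2024-05-01T10:00:00", ROLE_ARN, "DescribeInstances", "us-east-1", "Boto3/1.34.0"),
    ev("2024-05-01T10:00:40", ROLE_ARN, "DescribeInstances", "us-west-2", "Boto3/1.34.0"),
    ev("2024-05-01T10:01:20", ROLE_ARN, "DescribeInstances", "eu-west-1", "Boto3/1.34.0"),
    # alice: five distinct discovery calls inside 10 s from the CLI (one repeated),
    # then DescribeInstances in two more regions a minute later
    ev("2024-05-01T10:05:00", CLI_USER_ARN, "GetCallerIdentity", "us-east-1", "aws-cli/2.15.0"),
    ev("2024-05-01T10:05:02", CLI_USER_ARN, "ListBuckets", "us-east-1", "aws-cli/2.15.0"),
    ev("2024-05-01T10:05:03", CLI_USER_ARN, "ListUsers", "us-east-1", "aws-cli/2.15.0"),
    ev("2024-05-01T10:05:04", CLI_USER_ARN, "ListBuckets", "us-east-1", "aws-cli/2.15.0"),
    ev("2024-05-01T10:05:05", CLI_USER_ARN, "DescribeInstances", "us-east-1", "aws-cli/2.15.0"),
    ev("2024-05-01T10:05:08", CLI_USER_ARN, "DescribeSecurityGroups", "us-east-1", "aws-cli/2.15.0"),
    ev("2024-05-01T10:05:30", CLI_USER_ARN, "DescribeVpcs", "us-east-1", "aws-cli/2.15.0"),
    ev("2024-05-01T10:06:00", CLI_USER_ARN, "DescribeInstances", "us-west-2", "aws-cli/2.15.0"),
    ev("2024-05-01T10:06:30", CLI_USER_ARN, "DescribeInstances", "eu-central-1", "aws-cli/2.15.0"),
    # bob: the same kind of calls spaced 30 s apart in one region; normal admin pace
    ev("2024-05-01T10:20:00", ADMIN_ARN, "ListUsers", "us-east-1", "aws-cli/2.15.0"),
    ev("2024-05-01T10:20:30", ADMIN_ARN, "ListRoles", "us-east-1", "aws-cli/2.15.0"),
    ev("2024-05-01T10:21:00", ADMIN_ARN, "DescribeInstances", "us-east-1", "aws-cli/2.15.0"),
]

DISCOVERY_PREFIXES = ("Describe", "List", "Get")  # assumed discovery verbs

def multi_region_describe_instances(events, min_regions=3):
    """Principals that called DescribeInstances in >= min_regions distinct regions."""
    regions = defaultdict(set)
    for e in events:
        if e["event.action"] == "DescribeInstances":
            regions[e["aws.cloudtrail.user_identity.arn"]].add(e["cloud.region"])
    return {arn: sorted(r) for arn, r in regions.items() if len(r) >= min_regions}

def discovery_bursts(events, window=timedelta(seconds=10), min_unique=5):
    """Principals with >= min_unique DISTINCT discovery calls via aws-cli inside any
    window-sized span; repeated calls to the same API count once."""
    per_principal = defaultdict(list)
    for e in events:
        if (e["event.action"].startswith(DISCOVERY_PREFIXES)
                and e["user_agent.original"].startswith("aws-cli")):
            per_principal[e["aws.cloudtrail.user_identity.arn"]].append(
                (datetime.fromisoformat(e["@timestamp"]), e["event.action"]))
    hits = {}
    for arn, calls in per_principal.items():
        calls.sort()
        best = set()
        for i, (start, _) in enumerate(calls):   # slide a window anchored on each call
            seen = {a for ts, a in calls[i:] if ts - start <= window}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_unique:
            hits[arn] = sorted(best)
    return hits

def correlated_principals(events):
    """Principals that trip BOTH checks: the correlation the BBR is meant to feed."""
    return sorted(set(multi_region_describe_instances(events))
                  & set(discovery_bursts(events)))

if __name__ == "__main__":
    print("multi-region:", multi_region_describe_instances(SAMPLE_EVENTS))
    print("bursts:", discovery_bursts(SAMPLE_EVENTS))
    print("correlated:", correlated_principals(SAMPLE_EVENTS))
```

With the sample data the SDK role trips only the multi-region check, bob trips nothing because his calls are 30 s apart, and alice trips both, so she is the only principal the correlation surfaces; that is the signal the standalone multi-region rule cannot give on its own.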
How To Test
Plenty of data in our test stack to run queries against. Script for the AWS Discovery API Calls rule. It is very extensive in the API calls it makes; I wanted this script to be a bit more realistic and to trigger across many different services.