From 0fc47df01346a96af91195310f1534ebf6fa1542 Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Tue, 18 Nov 2025 19:44:45 -0500
Subject: [PATCH] [Deprecation] AWS Elasticache Security Group Rules

ElastiCache cache security groups are only used with EC2-Classic deployments. AWS officially retired EC2-Classic and no longer supports launching ElastiCache clusters in EC2-Classic networking environments. All modern ElastiCache deployments run in a VPC and rely on standard EC2 security groups (ec2.amazonaws.com APIs) rather than CacheSecurityGroup APIs (elasticache.amazonaws.com).

This behavior is covered by this existing rule:
- https://github.com/elastic/detection-rules/blob/fe642a879a412db71492f5d776e1e3338a531266/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml

These rules no longer match any behavior in supported AWS environments and so should be deprecated.

This PR:
- Marks both rules with `Deprecated - ` title to start deprecation process
- Updates rule description to clarify that they are only relevant for historical EC2-Classic log analysis.
- Recommends relying on the existing EC2 security group rule for network-control changes impacting ElastiCache in VPC-based deployments.

I've tested this scenario by creating an Elasticache cluster, creating, and modifying security group rules. Below is a screenshot verifying that the activity is indeed captured by the normal EC2/VPC security group rule.

There were no alerts triggered for the "Elasticache Security Group" Rules
---
 ...n_elasticache_security_group_creation.toml | 21 +++++++++++++-----
 ...he_security_group_modified_or_deleted.toml | 22 ++++++++++++++-----
 2 files changed, 33 insertions(+), 10 deletions(-)

diff --git a/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml b/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
index 02e5fe297ef..9d696288386 100644
--- a/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
+++ b/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
@@ -2,11 +2,16 @@
 creation_date = "2021/07/19"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/11/18"
 
 [rule]
 author = ["Austin Songer"]
-description = "Identifies when an ElastiCache security group has been created."
+description = """
+Identifies when an ElastiCache security group has been created. Amazon EC2-Classic and ElastiCache CacheSecurityGroups
+have been retired. Modern ElastiCache deployments run in a VPC and use standard EC2 security groups instead. This rule
+should be retained only for historical log analysis on legacy CloudTrail data. We recommend relying on "AWS EC2 Security
+Group Configuration Change" rule for network-control changes impacting ElastiCache in VPC-based deployments.
+"""
 false_positives = [
     """
     A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity,
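Review bot: The new description points readers at the replacement rule by display name only ("AWS EC2 Security Group Configuration Change"), and this very patch shows that display names change during deprecation; citing the replacement's `rule_id` next to the name would keep the pointer valid after a rename. The sentence also wants an article: `relying on the "AWS EC2 Security Group Configuration Change" rule`. Three lines above, `maturity = "production"` is left untouched, so the rule keeps shipping as a production rule that, by its own text, matches nothing in a supported account; if the repository's process sets `maturity = "deprecated"` and a `deprecation_date` in a later step, one sentence saying the rule is scheduled for removal would make that intent explicit to anyone reading the rule in isolation. The `[rule]` table continues past the end of the hunk.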
@@ -20,13 +25,13 @@ index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
-name = "AWS ElastiCache Security Group Created"
+name = "Deprecated - AWS ElastiCache Security Group Created"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating AWS ElastiCache Security Group Created
+### Investigating Deprecated - AWS ElastiCache Security Group Created
 
 AWS ElastiCache security groups control access to cache clusters, ensuring only authorized traffic can interact with them. Adversaries might create new security groups to bypass existing restrictions, facilitating unauthorized access or data exfiltration. The detection rule monitors for successful creation events of these groups, signaling potential defense evasion tactics by identifying unusual or unauthorized configurations.
 
@@ -66,7 +71,13 @@ references = [
 risk_score = 21
 rule_id = "7b3da11a-60a2-412e-8aa7-011e1eb9ed47"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
+tags = [
+    "Domain: Cloud",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Tactic: Defense Evasion",
+    "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml b/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
index 0ab5a41ff84..2fafeb32415 100644
--- a/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
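Review bot: The renamed heading `### Investigating Deprecated - AWS ElastiCache Security Group Created` is the only deprecation signal in the triage guide; the paragraph beneath it still describes the rule as live coverage ("Adversaries might create new security groups to bypass existing restrictions"), so an analyst triaging an alert raised from replayed legacy CloudTrail data gets no hint that this API path no longer exists in supported accounts. Add a one-line callout directly under the heading, for example `> **Note**: This rule is deprecated. ElastiCache cache security groups existed only for EC2-Classic deployments; for VPC-based clusters see the "AWS EC2 Security Group Configuration Change" rule.`, so the guide is self-explanatory even after the rule's description is no longer shown next to it. The `note` multi-line string continues past the end of this hunk.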
+++ b/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
@@ -2,11 +2,17 @@
 creation_date = "2021/07/19"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/11/18"
 
 [rule]
 author = ["Austin Songer"]
-description = "Identifies when an ElastiCache security group has been modified or deleted."
+description = """
+Identifies when an ElastiCache security group has been modified or deleted. Amazon EC2-Classic and ElastiCache
+CacheSecurityGroups have been retired. Modern ElastiCache deployments run in a VPC and use standard EC2 security groups
+instead. This rule should be retained only for historical log analysis on legacy CloudTrail data. We recommend relying
+on "AWS EC2 Security Group Configuration Change" rule for network-control changes impacting ElastiCache in VPC-based
+deployments.
+"""
 false_positives = [
     """
     A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user
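Review bot: The retirement claim in the new description ("Amazon EC2-Classic and ElastiCache CacheSecurityGroups have been retired") has nothing backing it inside the rule; the header of this file's last hunk shows `references = ["https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference…`, which appears to be the only reference, so consider adding AWS's EC2-Classic retirement announcement there so a reader can verify why the rule is being retired. As in the sibling rule, the replacement is named by title only — citing its `rule_id` as well would survive the kind of rename this patch itself performs. Minor wording: `relying on the "AWS EC2 Security Group Configuration Change" rule`. The `[rule]` table continues past the end of the hunk.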
@@ -20,13 +26,13 @@ index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
-name = "AWS ElastiCache Security Group Modified or Deleted"
+name = "Deprecated - AWS ElastiCache Security Group Modified or Deleted"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating AWS ElastiCache Security Group Modified or Deleted
+### Investigating Deprecated - AWS ElastiCache Security Group Modified or Deleted
 
 AWS ElastiCache security groups control inbound and outbound traffic to cache clusters, ensuring only authorized access. Adversaries may modify or delete these groups to bypass security controls, facilitating unauthorized data access or exfiltration. The detection rule monitors specific API actions related to security group changes, flagging successful modifications or deletions as potential defense evasion attempts.
 
@@ -64,7 +70,13 @@ references = ["https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference
 risk_score = 21
 rule_id = "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
+tags = [
+    "Domain: Cloud",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Tactic: Defense Evasion",
+    "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
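Review bot: Only the heading `### Investigating Deprecated - AWS ElastiCache Security Group Modified or Deleted` changes in the triage guide, while the text below it still tells the analyst that "The detection rule monitors specific API actions related to security group changes", with no mention that those CacheSecurityGroup actions cannot occur in a supported account any more. An analyst who sees this alert from a legacy-log replay should be told up front what they are looking at; a short callout under the heading such as `> **Note**: This rule is deprecated and applies only to historical EC2-Classic CloudTrail data. Network-control changes for VPC-based ElastiCache clusters are covered by the "AWS EC2 Security Group Configuration Change" rule.` would do. The `note` multi-line string continues past the end of this hunk.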