[Rule Tuning] AWS EC2 User Data Retrieval for EC2 Instance

detection_rules/etc/non-ecs-schema.json

@@ -169,6 +169,7 @@
  "aws.cloudtrail.flattened.request_parameters.clientToken": "keyword",
  "aws.cloudtrail.flattened.response_elements.s3BucketName": "keyword",
  "aws.cloudtrail.flattened.response_elements.tableArn": "keyword",
+ "aws.cloudtrail.flattened.request_parameters.attribute": "keyword",
  "aws.cloudtrail.flattened.request_parameters.reason": "keyword",
  "aws.cloudtrail.flattened.request_parameters.omitted": "keyword",
  "aws.cloudtrail.flattened.request_parameters.ownersSet.items.owner": "keyword"

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.2.17"
+version = "1.2.18"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"

rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml

@@ -2,19 +2,18 @@
 creation_date = "2024/04/14"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/06/17"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies discovery request `DescribeInstanceAttribute` with the attribute userData and instanceId in AWS CloudTrail
+Identifies discovery request DescribeInstanceAttribute with the attribute userData and instanceId in AWS CloudTrail
 logs. This may indicate an attempt to retrieve user data from an EC2 instance. Adversaries may use this information to
 gather sensitive data from the instance such as hardcoded credentials or to identify potential vulnerabilities. This is
-a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that
-identifies when `aws.cloudtrail.user_identity.arn` requests the user data for a specific
-`aws.cloudtrail.flattened.request_parameters.instanceId` from an EC2 instance in the last 14 days.
+a New Terms rule that identifies the first time an IAM user or role requests the user data for a specific EC2 instance.
 """
-from = "now-9m"
+from = "now-6m"
+interval = "5m"
 index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 language = "kuery"
 license = "Elastic License v2"
@@ -36,12 +35,7 @@ This rule detects requests to retrieve the `userData` attribute of an EC2 instan
  - **User Identity**: Inspect the `aws.cloudtrail.user_identity.arn` field to identify the user or role that executed the `DescribeInstanceAttribute` action. Investigate whether this user typically performs such actions.
  - **Access Patterns**: Validate whether the user or role has the necessary permissions and whether the frequency of this action aligns with expected behavior.
  - **Access Key ID**: Check the `aws.cloudtrail.user_identity.access_key_id` field to determine the key used to make the request as it may be compromised.
-
-- **Analyze Request Details**:
- - **Parameters**: Verify that the `attribute=userData` parameter was explicitly requested. This indicates intentional access to user data.
  - **Source IP and Geolocation**: Check the `source.address` and `source.geo` fields to validate whether the request originated from a trusted location or network. Unexpected geolocations can indicate adversarial activity.
-
-- **Review Source Tool**:
  - **User Agent**: Inspect the `user_agent.original` field to determine the tool or client used (e.g., Terraform, AWS CLI). Legitimate automation tools may trigger this activity, but custom or unknown user agents may indicate malicious intent.
 
 - **Check for Related Activity**:
@@ -94,13 +88,29 @@ event.dataset: "aws.cloudtrail"
  and event.provider: "ec2.amazonaws.com"
  and event.action: "DescribeInstanceAttribute"
  and event.outcome: "success"
- and aws.cloudtrail.request_parameters: (*attribute=userData* and *instanceId*)
+ and aws.cloudtrail.flattened.request_parameters.attribute: "userData"
  and not aws.cloudtrail.user_identity.invoked_by: (
  "AWS Internal" or
  "cloudformation.amazonaws.com"
  )
 '''
 
+[rule.investigation_fields]
+field_names = [
+ "@timestamp",
+ "user.name",
+ "user_agent.original",
+ "source.ip",
+ "aws.cloudtrail.user_identity.arn",
+ "aws.cloudtrail.user_identity.type",
+ "aws.cloudtrail.user_identity.access_key_id",
+ "event.action",
+ "event.outcome",
+ "cloud.account.id",
+ "cloud.region",
+ "aws.cloudtrail.request_parameters",
+ "aws.cloudtrail.response_elements"
+]
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -134,7 +144,7 @@ reference = "https://attack.mitre.org/tactics/TA0006/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["aws.cloudtrail.user_identity.arn", "aws.cloudtrail.flattened.request_parameters.instanceId"]
+value = ["user.name", "aws.cloudtrail.flattened.request_parameters.instanceId"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-14d"