AWS EFS File System or Mount Deleted

Elastic Stack Serverless Security

Detects when a EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System.

Rule type: query

Rule indices:

• filebeat-*
• logs-aws*

Severity: medium

Risk score: 47

Runs every: 10m

Searches indices from: now-60m (https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math[Date Math format], see also Additional look-back time)

Maximum alerts per execution: 100

References:

• https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html
• https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html

Tags:

• Elastic
• Cloud
• AWS
• Continuous Monitoring
• SecOps
• Data Protection

Version: 1

Rule authors:

• Austin Songer

Rule license: Elastic License v2

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and
event.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success

Framework: MITRE ATT&CKTM

• Tactic:

  • Name: Impact
  • ID: TA0040
  • Reference URL: https://attack.mitre.org/tactics/TA0040/

• Technique:

  • Name: Data Destruction
  • ID: T1485
  • Reference URL: https://attack.mitre.org/techniques/T1485/