Detection | medium | test

AWS EFS Fileshare Modified or Deleted

Detects when an EFS fileshare is modified or deleted. You can't delete a file system that is in use. If the file system has any mount targets, the adversary must first delete them, so deletion of a mount target will occur before deletion of a fileshare.

Austin Songer | Created Sun Aug 15 | Updated Sun Oct 09 | 25cb1ba1-8a19-4a23-a198-d252664c8cef | cloud
Log Source
Product: AWS (raw: aws)
Service: cloudtrail (raw: cloudtrail)
Detection Logic (1 selector)
detection:
    selection:
        eventSource: elasticfilesystem.amazonaws.com
        eventName: DeleteFileSystem
    condition: selection
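
An added example (not part of the Sigma rule or its repository): the selection above applied to constructed CloudTrail records, with each hit enriched by DeleteMountTarget calls from the same principal in the preceding 30 minutes, since the description notes that mount targets are removed first. The look-back window, the helper names, the sample records and the sample errorCode value are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Selection copied from the rule's detection block.
SELECTION = {"eventSource": "elasticfilesystem.amazonaws.com",
             "eventName": "DeleteFileSystem"}
WINDOW = timedelta(minutes=30)  # assumption: triage look-back, not part of the rule

def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def _arn(rec):
    return rec.get("userIdentity", {}).get("arn")

def matches(rec):
    """Sigma selection: all fields must match (string match is case-insensitive)."""
    return all(str(rec.get(k, "")).lower() == v.lower() for k, v in SELECTION.items())

def triage(records):
    """One alert per rule hit, enriched with earlier mount-target deletions."""
    alerts = []
    for hit in filter(matches, records):
        prior = [r["requestParameters"]["mountTargetId"] for r in records
                 if r.get("eventSource") == SELECTION["eventSource"]
                 and r.get("eventName") == "DeleteMountTarget"
                 and _arn(r) == _arn(hit)
                 and timedelta(0) <= _ts(hit) - _ts(r) <= WINDOW]
        alerts.append({
            "fileSystemId": hit["requestParameters"]["fileSystemId"],
            "principal": _arn(hit),
            # CloudTrail sets errorCode on failed calls; the rule fires either way.
            "succeeded": "errorCode" not in hit,
            "prior_mount_target_deletions": prior,
        })
    return alerts

def _rec(time, name, user, params, **extra):
    """Build a constructed CloudTrail record (sample data, not real logs)."""
    return {"eventTime": f"2024-01-01T{time}Z", "eventName": name,
            "eventSource": "elasticfilesystem.amazonaws.com",
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
            "requestParameters": params, **extra}

SAMPLE = [
    _rec("10:00:00", "DeleteMountTarget", "alice", {"mountTargetId": "fsmt-0001"}),
    _rec("10:01:00", "DeleteMountTarget", "alice", {"mountTargetId": "fsmt-0002"}),
    _rec("10:03:00", "DeleteFileSystem", "alice", {"fileSystemId": "fs-0001"}),
    _rec("10:05:00", "DeleteFileSystem", "bob", {"fileSystemId": "fs-0002"},
         errorCode="FileSystemInUse"),  # constructed failure value
    _rec("10:06:00", "DescribeFileSystems", "bob", {}),
]
```

Calling `triage(SAMPLE)` yields two alerts: a successful deletion preceded by two mount-target deletions, and a failed attempt with none, which the rule as written reports equally.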
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

MITRE ATT&CK
Rule Metadata
Rule ID: 25cb1ba1-8a19-4a23-a198-d252664c8cef
Status: test
Level: medium
Type: Detection
Created: Sun Aug 15
Modified: Sun Oct 09
Path: rules/cloud/aws/cloudtrail/aws_efs_fileshare_modified_or_deleted.yml
Raw Tags: attack.impact