...

SecOpsAwsS3EncryptWithKMSKey

Detects actions taken by users to encrypt S3 buckets using KMS keys.

Source table → cloud.aws.cloudtrail

SecOpsAWSDetectNewUserAWSConsoleLogin

This alert triggers when a user logs into the console for the first time in a year.

Source table → cloud.aws.cloudtrail

SecOpsAWSUserSuccessfulLoginWithoutMFA

A successful AWS console login without MFA was detected. AWS security best practices recommend enabling MFA for console access.

Source table → cloud.aws.cloudtrail

AWS CloudWatch alerts

AWS CloudWatch - AWS Detect STS Get Session Token Abuse

This alert detects actions to get STS session tokens, which can be used to move laterally or escalate privileges in AWS.

Source table → cloud.aws.cloudtrail

...

Amazon VPC - Large File Upload

Detects possible large file transfers observed in AWS VPC flow logs.

Source table → vpc.aws.flow

SecOpsAwsVpcLargeOutboundTrafficBlock

Detects blocked attempts to send large amounts of data from AWS out to the internet.

Source table → vpc.aws.flow