...
Detects a console login by a user whose login profile was created within the previous 24 hours, and checks whether the user creation and the login came from the same IP address. This behaviour could indicate a privilege escalation attempt. The alert filters ConsoleLogin CloudTrail events that come from the sign-in service and uses a subquery to look up login profile creations during the 24 hours before the login, correlating the two events on the source IP.
A request to set a new ACL on a bucket to make it public from the CLI has been detected. Although this could be a legitimate action, it should be reviewed. The alert filters PutBucketAcl CloudTrail events that come from the S3 service. In addition, it keeps only events without an errorMessage (to avoid false positives on failed requests) and whose user agent contains aws-cli, so that only command line interface activity is matched.
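The two CloudTrail filters described above (the new-user login correlated on source IP, and the successful PutBucketAcl from the AWS CLI), written out as an added Python example that is not part of the original page. The records below are constructed samples with only the CloudTrail fields the checks need, and the `window` parameter generalises the 24-hour lookback.

```python
from datetime import datetime, timedelta

# Constructed sample CloudTrail records (minimal fields only, not real data).
EVENTS = [
    {"eventTime": "2024-05-01T09:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateLoginProfile", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "admin"},
     "requestParameters": {"userName": "tmp-user"}},
    {"eventTime": "2024-05-01T10:30:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "tmp-user"}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"userName": "tmp-user"}},
    {"eventTime": "2024-05-01T12:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl", "sourceIPAddress": "198.51.100.7",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6",
     "userIdentity": {"userName": "tmp-user"},
     "requestParameters": {"bucketName": "example-bucket"}},
    {"eventTime": "2024-05-01T12:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl", "userAgent": "aws-cli/2.15.0",
     "errorMessage": "Access Denied", "userIdentity": {"userName": "tmp-user"}},
]

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def new_user_same_ip_logins(events, window=timedelta(hours=24)):
    """ConsoleLogin events whose user had a login profile created within
    `window` before the login, from the same source IP (the subquery join)."""
    creations = [e for e in events if e["eventSource"] == "iam.amazonaws.com"
                 and e["eventName"] == "CreateLoginProfile"]
    hits = []
    for login in events:
        if (login["eventSource"] != "signin.amazonaws.com"
                or login["eventName"] != "ConsoleLogin"):
            continue
        user, when = login["userIdentity"].get("userName"), _ts(login)
        for c in creations:
            if (c["requestParameters"].get("userName") == user
                    and c["sourceIPAddress"] == login["sourceIPAddress"]
                    and timedelta(0) <= when - _ts(c) <= window):
                hits.append((user, login["sourceIPAddress"], login["eventTime"]))
                break
    return hits

def put_bucket_acl_via_cli(events):
    """Successful PutBucketAcl calls (no errorMessage) issued from the AWS CLI."""
    return [e["requestParameters"]["bucketName"] for e in events
            if e["eventSource"] == "s3.amazonaws.com" and e["eventName"] == "PutBucketAcl"
            and "errorMessage" not in e and "aws-cli" in e.get("userAgent", "")]
```

The second login (from a different IP than the profile creation) and the failed PutBucketAcl are deliberately left out of the results, matching the false-positive filters the alerts describe.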
AWS CloudWatch alerts
This alert detects actions that obtain STS session tokens, which can be used to move laterally or escalate privileges in AWS.
...