...
Deleting an IAM group is not a dangerous action by itself, but when correlated with other events, such as recent user or group creations, it could indicate malicious behaviour. This alert filters DeleteGroup CloudTrail events that come from the IAM service. In addition, the errorCode has to be one of the following: NoSuchEntityException, DeleteConflictException, AccessDenied.
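The DeleteGroup filter described above, sketched over CloudTrail-style records (an added example, not the alert's own query). The one-hour correlation window, the use of CreateUser/CreateGroup as the "recent creations", matching on the caller's ARN, and the sample records are all assumptions.

```python
from datetime import datetime, timedelta

# Error codes listed in the alert description.
ERROR_CODES = {"NoSuchEntityException", "DeleteConflictException", "AccessDenied"}
# Assumptions: which events count as "recent creations", and how recent.
CREATION_EVENTS = {"CreateUser", "CreateGroup"}
WINDOW = timedelta(hours=1)

def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def _actor(rec):
    return rec.get("userIdentity", {}).get("arn")

def is_failed_delete_group(rec):
    """The alert's filter: IAM DeleteGroup with one of the listed errorCodes."""
    return (rec.get("eventSource") == "iam.amazonaws.com"
            and rec.get("eventName") == "DeleteGroup"
            and rec.get("errorCode") in ERROR_CODES)

def find_alerts(records, window=WINDOW):
    """Return one alert per matching event, with the same caller's
    IAM creation events from the preceding window attached as context."""
    alerts = []
    for rec in filter(is_failed_delete_group, records):
        when = _ts(rec)
        recent = [r["eventName"] for r in records
                  if r.get("eventSource") == "iam.amazonaws.com"
                  and r.get("eventName") in CREATION_EVENTS
                  and _actor(r) == _actor(rec)
                  and timedelta(0) <= when - _ts(r) <= window]
        alerts.append({"eventID": rec.get("eventID"), "actor": _actor(rec),
                       "errorCode": rec["errorCode"], "recent_creations": recent})
    return alerts

def _rec(eid, time, name, user, error=None, source="iam.amazonaws.com"):
    rec = {"eventID": eid, "eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"}}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample records (not real log data).
SAMPLE = [
    _rec("e1", "2024-01-01T10:00:00Z", "CreateUser", "alice"),
    _rec("e2", "2024-01-01T10:05:00Z", "DeleteGroup", "alice", "AccessDenied"),
    _rec("e3", "2024-01-01T10:06:00Z", "DeleteGroup", "bob"),  # succeeded: no errorCode
    _rec("e4", "2024-01-01T12:30:00Z", "DeleteGroup", "alice", "NoSuchEntityException"),
    _rec("e5", "2024-01-01T10:07:00Z", "RemoveTags", "bob", "AccessDenied",
         source="cloudtrail.amazonaws.com"),
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE):
        print(alert)
```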
This detection filters CloudTrail events with RemoveTags as the eventName, meaning that some tags were removed from the configuration of a logging trail. This event should be checked, since it could indicate that an attacker is trying to hide suspicious activity within an AWS account.
AWS CloudWatch alerts
This alert detects actions to get STS session tokens, which can be used to move laterally or escalate privileges in AWS.
...