
SecOpsAWSPermissionsBoundaryModifiedToUser

A permissions boundary has been modified for a role. Because the boundary caps the role's effective permissions, changing it could allow every action granted by the policies attached to that role to take effect.

This alert filters CloudTrail PutRolePermissionsBoundary events with null error messages, so that failed or denied attempts do not produce false positives.

Source table → cloud.aws.cloudtrail

Expand
titleSecOpsLog4ShellVulnerabilityCloudAWS

This alert checks for attempts to exploit CVE-2021-44228, known as Log4Shell. The query looks for payload patterns associated with this vulnerability in the raw log message, including payloads in the URL, the User-Agent header, the Referer header, or POST and PUT HTTP bodies.

Source table → cloud.aws.cloudtrail

AWS CloudWatch alerts

AWS CloudWatch - AWS Detect STS Get Session Token Abuse

This alert detects actions to get STS session tokens, which can be used to move laterally or escalate privileges in AWS.

Source table → cloud.aws.cloudtrail 
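The two CloudTrail-based rules described above (the permissions boundary alert and the STS session token alert) as an added Python example; this is not part of the original alert catalog or its query language. The CloudTrail records are constructed sample data, and the alert names are reused only as labels for the matches.

```python
import json

# Constructed CloudTrail-style records (sample data, not from a real account).
# eventName, eventSource, errorCode/errorMessage, requestParameters and
# userIdentity are real CloudTrail field names; the values are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventName": "PutRolePermissionsBoundary", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"roleName": "app-role",
                           "permissionsBoundary": "arn:aws:iam::111122223333:policy/WideBoundary"}},
    {"eventName": "PutRolePermissionsBoundary", "eventSource": "iam.amazonaws.com",
     "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform: iam:PutRolePermissionsBoundary",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"roleName": "app-role"}},
    {"eventName": "GetSessionToken", "eventSource": "sts.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci"}},
]})

def parse_records(raw):
    """CloudTrail delivers a JSON object whose 'Records' array holds the events."""
    return json.loads(raw).get("Records", [])

def boundary_modified(event):
    """SecOpsAWSPermissionsBoundaryModifiedToUser: a PutRolePermissionsBoundary call
    with no errorMessage, i.e. the boundary change actually succeeded. Denied or
    failed attempts carry an errorMessage and are dropped as false positives."""
    return (event.get("eventName") == "PutRolePermissionsBoundary"
            and event.get("errorMessage") is None)

def session_token_requested(event):
    """AWS Detect STS Get Session Token Abuse: any sts:GetSessionToken call."""
    return (event.get("eventSource") == "sts.amazonaws.com"
            and event.get("eventName") == "GetSessionToken")

def run_detections(raw):
    """Return (alert, actor_arn, detail) for every record matching a rule."""
    hits = []
    for ev in parse_records(raw):
        actor = ev.get("userIdentity", {}).get("arn", "unknown")
        if boundary_modified(ev):
            params = ev.get("requestParameters", {})
            hits.append(("SecOpsAWSPermissionsBoundaryModifiedToUser", actor,
                         f"role={params.get('roleName')} boundary={params.get('permissionsBoundary')}"))
        elif session_token_requested(ev):
            hits.append(("AWS Detect STS Get Session Token Abuse", actor, "GetSessionToken"))
    return hits

if __name__ == "__main__":
    for alert, actor, detail in run_detections(SAMPLE_LOG):
        print(f"{alert}: {actor} ({detail})")
```

The denied PutRolePermissionsBoundary record and the AssumeRole record produce no hits, which is the false-positive filtering the boundary alert's description calls out.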
