Page Comparison

The DescribePermissions event retrieves the descriptions of permissions for a specified stack. This could be used by an attacker to collect information for further attacks.

This alert filters CloudTrail events from opsworks.amazonaws.com source with DescribePermissions as eventName.

Source table → cloud.aws.cloudtrail 

This alert is triggered when a permission boundary is lifted against an IAM role. This action could be used by an attacker to escalate privileges within an AWS account.

This alert filters by CloudTrail events from iam.amazonaws.com with DeleteRolePermissionsBoundary as eventName.

Source table → cloud.aws.cloudtrail 

This alert is triggered when a permission boundary is lifted against an IAM user. This action could be used by an attacker to escalate privileges within an AWS account.

This alert filters by CloudTrail events from iam.amazonaws.com with DeleteUserPermissionsBoundary as eventName.Source table → cloud.aws.cloudtrail

Suspicious use of AssumedRole. This type of token could be used by an attacker in order to perform privilege escalation or lateral movements.

This alert filters CloudTrail events with AssumedRole parameter equal to AssumedRole and userIdentity_sessionContext equal to Role.

Source table → cloud.aws.cloudtrail

Detects actions observed that create, import, and delete access keys to EC2.

Source table → cloud.aws.cloudtrail

Detects actions taken by users to encrypt S3 buckets using KMS keys.

Source table → cloud.aws.cloudtrail

The search looks for CloudTrail events to detect if any network ACLs were created with all the ports open to a specified CIDR.

Source table → cloud.aws.cloudtrail

This search provides specific information to detect abnormal access or potential credential hijack or forgery, especially in federated environments using SAML protocol inside the perimeter or cloud provider.

Source table → cloud.aws.cloudtrail

This alert triggers when at least one high risk is detected after scanning an ECR container.

This alert filters CoudTrail DescribeImageScanFindings events that come from the ECR service, then filters events that have the string HIGH in the response parameters.

Source table → cloud.aws.cloudtrail

Scanning from an ECR container detected at least one LOW or UNDEFINED risk finding.

Source table → cloud.aws.cloudtrail

This alert triggers when at least one medium risk is detected after scanning an ECR container.

This alert filters CoudTrail DescribeImageScanFindings events that come from the ECR service, then filters events that have the string MEDIUM in the response parameters.

Source table → cloud.aws.cloudtrail

This alert is triggered when a new ECR container is uploaded outside normal business hours (weekend or between 20:00-8:00)

This alert filters CloudTrail PutImage events that come from the ECR service, then filters events using the eventdate parameter, triggering the alert when this value is between 20:00 and 08:00 hours or during weekends.

Source table → cloud.aws.cloudtrail

This alert is triggered when a new ECR container is uploaded by an unknown user. It is possible to include a list of users to not monitor in the SecOpsGWL lookup, using the ARN as a key.

This alert filters PutImage CloudTrail events that come from an ECR service. The alert triggers when the user performing the action is not registered in the SecOpsGWL lookup. Users must be registered in the lookup using the ARN as a key.

Source table → cloud.aws.cloudtrail

Detection of events with errorCode value MalformedPolicyDocumentException. This alert could indicate that someone is trying to identify a role name.

This alert filters CloudTrail events that come from the IAM service and have errorCode equal to MalformedPolicyDocumentException, then groups by common parameters and counts. The alert will trigger when the count is more than 1.

Source table → cloud.aws.cloudtrail

This alert lets you know that policy has been attached to a group. These kinds of events should be checked since they could be granting excessive access permissions to AWS services or resources.

This detection filters by CloudTrail events with PutGroupPolicy as eventName.

Source table → cloud.aws.cloudtrail

This alert lets you know that a policy has been attached to a role. These kinds of events should be checked since they could be granting excessive access permissions to AWS services or resources.

Source table → cloud.aws.cloudtrail

This alert lets you know that a UserPoolClient entity has been created. These types of entities could be used by an attacker to perform unauthenticated API operations.

Source table → cloud.aws.cloudtrail

This alert lets you know that an action to delete a policy was performed. This should be checked since it could undermine the security configuration of the AWS environment.

This alert filters DeletePolicy CloudTrail events that come from the IAM service and has request parameters attached to them.

Source table → cloud.aws.cloudtrail

Deleting an IAM group is not a dangerous action by itself, but correlated with other events such as recent user or group creations could indicate malicious behaviors.

This alert filters DeleteGroup CloudTrail events that come from the IAM service. In addition, the errorCode has to be null to avoid false positives and must have request parameters attached.

Source table → cloud.aws.cloudtrail

This alert detects AWS CloudTrail events where a user has set a default policy version. Attackers have been known to use this technique for Privilege Escalation in case the previous versions of the policy had permission to access more resources than the current version of the policy.

This alert filters SetDefaultPolicyVersion CloudTrail events that come from the IAM service. In addition, the errorCode has to be null to avoid false positives.

Source table → cloud.aws.cloudtrail

This alert detects when a user updates the login profile of a different user. This could indicate that a privilege escalation is being performed leveraging the user whose login profile has been updated.

This alert filters UpdateLoginProfile CloudTrail events that come from the IAM service. Two additional filters are applied: userAgent has to be equal to console.amazonaws.com in order to filter only actions performed through the console, and errorCode must be null to avoid false positives. Then, it groups and extracts the userName of the login profile being updated and triggers the alert if the user performing the action is not the same as the one extracted from the request parameters.

Source table → cloud.aws.cloudtrail

This alert detects users uploading new images to AWS Elastic Container Registry (ECR).

Source table → cloud.aws.cloudtrail

This alert detects actions to get STS session tokens, which can be used to move laterally or escalate privileges in AWS.

Source table → cloud.aws.cloudtrail

This alert detects actions that send large amounts of data from AWS out to the internet.

Source table → cloud.aws.cloudtrail

This alert detects successful root account logins. This account should only be used to create initial IAM users or perform tasks only available to the root user. Using this account is against AWS security best practices.

This detection filters CloudTrail events with ConsoleLogin as eventName and userName equal to root.

Source table → cloud.aws.cloudtrail

This alert detects when a new user is created. This should be checked since an attacker could have created this user to gain persistence on the AWS account.

This alert detects new logs whose eventName is CreateUser and its requestParameters are not null. This indicates that a new user was created in the corresponding AWS account.

Source table → cloud.aws.cloudtrail

Multiple failed login attempts from the same user were detected. This could indicate an attacker could be trying to access that specific user account by brute force.

This detection filters by CloudTrail events with ConsoleLogin as eventName, errorMessage equal to failed authentication and a non-success response. It then groups by eventName, requestParameters, userIdentity_arn and userIdentity_accountId and triggers the alert when the count is greater than five.

Source table → cloud.aws.cloudtrail

A request to set a new ACL to a bucket and to make it public has been detected. Although this could be a legitimate action, It should be reviewed.

This alert filters PutBucketAcl CloudTrail events that come from the S3 service. It then extracts each pair of URI and Permission from the raw event message and checks if the URI is equal to http://acs.amazonaws.com/groups/global/AllUsers or http://acs.amazonaws.com/groups/global/AuthenticatedUsers and the permission is READ, READ_ACP, WRITE, WRITE_ACP or FULL_CONTROL. The alert will trigger if any of the pairs checked meet both requirements. This alert will only extract the first five permissions and URIs of a message.

Source table → cloud.aws.cloudtrail

This detection filters by CloudTrail events with RemoveTags as eventName.

Some tags were removed from the configuration of a logging trail. This event should be checked since it could indicate an attacker may be trying to hide suspicious activity within an AWS account.

Source table → cloud.aws.cloudtrail

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account.

Source table → cloud.aws.cloudtrail

This search looks for AWS CloudTrail events where a user who already has permission to create access keys, makes an API call to create access keys for another user.

Source table → cloud.aws.cloudtrail

A large number of actions performed which start with Describe have been performed by a single user. This could indicate this user is trying to enumerate the AWS account.

This alert filters CloudTrail events in which eventName starts with one of the following strings: Describe, Get or List. It groups by IP address, account and source name. Then it collects a list of the diferent event names included in each entry and triggers the alert if the list is greater than 50. 

Source table → cloud.aws.cloudtrail