
Overview

Amazon Web Services (AWS) is one of the largest cloud providers out there and as such requires organizations to protect themselves with cloud security monitoring.

SciSec’s content contains dozens of AWS detections so your organization can monitor your AWS infrastructure, look for areas of risk, or help respond to threats as they emerge. The detections cover the AWS products and services CloudTrail, CloudWatch and VPC.

Check the different AWS-related detections we provide below, grouped by category:

AWS CloudTrail alerts

 AWS CloudTrail - IAM User Generating AccessDenied Errors Across Multiple Actions

This alert detects users that received the errorCode value AccessDenied when trying to perform different actions within a short period of time. This could indicate that a user is trying to enumerate their permissions in their AWS account.

This alert filters by events where the errorCode AccessDenied is present and groups them in 5-minute windows by user ARN and AWS account.

Source table → cloud.aws.cloudtrail 

 AWS CloudTrail - AWS Console Login Without MFA

A successful AWS console login without MFA was detected. AWS security best practices recommend enabling this security measure for console access login.

This alert filters CloudTrail events from signin.amazonaws.com with ConsoleLogin as eventName, a success response, and the MFA value not enabled.

Source table → cloud.aws.cloudtrail 

 AWS CloudTrail - New UserPoolClient Created

This alert detects when a UserPoolClient entity is created. These types of entities could be used by an attacker to perform unauthenticated API operations.

This alert filters CloudTrail events from cognito-idp.amazonaws.com with CreateUserPoolClient as eventName.

Source table → cloud.aws.cloudtrail 

  AWS CloudTrail - Customer Master Key Disabled or Scheduled for Deletion

Detects when a Customer Master Key (CMK) is disabled or scheduled for deletion.

Source table → cloud.aws.cloudtrail

  AWS CloudTrail - Database Snapshot Created

Creating DB snapshots is an efficient way for an attacker to begin downloading a target database. These signals should be considered in the context of other signals that may indicate data theft is in progress.

Source table → cloud.aws.cloudtrail 

  AWS CloudTrail - EC2 Access Key Action Detected

This alert detects actions that create, import, and delete access keys to EC2.

Source table → cloud.aws.cloudtrail 

  AWS CloudTrail - GetSecretValue from non-Amazon IP

This alert detects action GetSecretValue for source IPs that do not belong to an Amazon instance IP space.

Source table → cloud.aws.cloudtrail 

 AWS CloudTrail - Logging Configuration Change Observed (DeleteTrail)

This alert is triggered when a trail within the CloudTrail service is deleted. This event should be checked since it could indicate that an attacker is trying to hide suspicious activity within an AWS account.

This alert filters CloudTrail events with DeleteTrail as eventName.

Source table → cloud.office365.siem_agent_alert

 AWS CloudTrail - Logging Configuration Change Observed (StopLogging)

A trail within the CloudTrail service has been stopped. This event should be checked since it could indicate that an attacker may be trying to hide suspicious activity within an AWS account.

This alert filters CloudTrail events with StopLogging as eventName.

Source table → cloud.aws.cloudtrail 

 AWS CloudTrail - Multiple Failed Console Logins From a Source IP

This alert is triggered when multiple failed login attempts from the same user are detected. This could indicate that an attacker is trying to brute-force access to that specific user account.

This alert filters CloudTrail events with ConsoleLogin as eventName, errorMessage equal to Failed authentication, and an unsuccessful response. It then groups by eventName, requestParameters, userIdentity_arn, and userIdentity_accountId and triggers the alert when the count is greater than 5.

Source table → cloud.aws.cloudtrail 

 AWS CloudTrail - OpsWorks Describe Permissions Event

The DescribePermissions event retrieves the descriptions of permissions for a specified stack. This could be used by an attacker to collect information for further attacks.

This alert filters CloudTrail events from opsworks.amazonaws.com source with DescribePermissions as eventName.

Source table → cloud.aws.cloudtrail 

 AWS CloudTrail - Permissions Boundary Lifted (Role)

This alert is triggered when a permission boundary is lifted against an IAM role. This action could be used by an attacker to escalate privileges within an AWS account.

This alert filters by CloudTrail events from iam.amazonaws.com with DeleteRolePermissionsBoundary as eventName.

Source table → cloud.aws.cloudtrail 

 AWS CloudTrail - Permissions Boundary Lifted (User)

This alert is triggered when a permission boundary is lifted against an IAM user. This action could be used by an attacker to escalate privileges within an AWS account.

This alert filters by CloudTrail events from iam.amazonaws.com with DeleteUserPermissionsBoundary as eventName.

Source table → cloud.aws.cloudtrail

  AWS CloudTrail - Reconnaissance Related Event

Analytical detection of reconnaissance type behavior from AWS CloudTrail logs.

Source table → cloud.aws.cloudtrail

  AWS CloudTrail - SQS List Queues Event

This alert detects rare ListQueues events from AWS SQS.

Source table → cloud.aws.cloudtrail

 AWS CloudTrail - Schedule Key Deletion in KMS

Detects scheduled deletion of KMS keys.

Source table → cloud.aws.cloudtrail

 AWS CloudTrail - Network Access Control List Deleted

A network ACL was deleted. This could indicate that an attacker is downgrading the security access of a network instance.

This detection filters CloudTrail events with DeleteNetworkAclEntry as eventName.

Source table → cloud.aws.cloudtrail

  AWS CloudTrail - Secrets Manager Sensitive Admin Action Observed

Scanning from an ECR container detected at least one high-risk finding.

This alert filters CloudTrail DescribeImageScanFindings events that come from the ECR service, then filters events that have the string HIGH within the response parameters.

Source table → cloud.aws.cloudtrail

 AWS CloudTrail - Sensitive Activity in KMS

Analytics detection about KMS key enable/disable actions.

Source table → cloud.aws.cloudtrail

  AWS CloudTrail - AWS Detect Role Creation

Detects actions taken to create new IAM roles in AWS.

Source table → cloud.aws.cloudtrail

 AWS CloudTrail - AWS Detect STS Assume Role Abuse

Suspicious use of AssumedRole. This type of token could be used by an attacker in order to perform privilege escalation or lateral movement.

This alert filters CloudTrail events with AssumedRole parameter equal to AssumedRole and userIdentity_sessionContext equal to Role.

Source table → cloud.aws.cloudtrail

 AWS CloudTrail - AWS Detect Permanent Key Creation

Detects actions observed that create, import, and delete access keys to EC2.

Source table → cloud.aws.cloudtrail

 AWS CloudTrail - AWS Detect Users with KMS Keys Performing Encryption S3

Detects actions taken by users to encrypt S3 buckets using KMS keys.

Source table → cloud.aws.cloudtrail

  AWS CloudTrail - AWS Network Access Control List Created with All Open Ports

The search looks for CloudTrail events to detect if any network ACLs were created with all the ports open to a specified CIDR.

Source table → cloud.aws.cloudtrail

 AWS CloudTrail - AWS SAML Access by Provider User and Principal

This search provides specific information to detect abnormal access or potential credential hijacking or forgery, especially in federated environments using the SAML protocol inside the perimeter or at the cloud provider.

Source table → cloud.aws.cloudtrail

  AWS CloudTrail - AWS ECR Container Scanning Findings High

This alert triggers when at least one high risk is detected after scanning an ECR container.

This alert filters CloudTrail DescribeImageScanFindings events that come from the ECR service, then filters events that have the string HIGH in the response parameters.

Source table → cloud.aws.cloudtrail

 AWS CloudTrail - AWS ECR Container Scanning Findings Low Informational Unknown

Scanning from an ECR container detected at least one LOW or UNDEFINED risk finding.

Source table → cloud.aws.cloudtrail

 AWS CloudTrail - AWS ECR Container Scanning Findings Medium

This alert triggers when at least one medium risk is detected after scanning an ECR container.

This alert filters CloudTrail DescribeImageScanFindings events that come from the ECR service, then filters events that have the string MEDIUM in the response parameters.

Source table → cloud.aws.cloudtrail

  AWS CloudTrail - AWS ECR Container Upload Outside Business Hours

This alert is triggered when a new ECR container is uploaded outside normal business hours (weekends or between 20:00 and 08:00).

This alert filters CloudTrail PutImage events that come from the ECR service, then filters events using the eventdate parameter, triggering the alert when this value is between 20:00 and 08:00 hours or during weekends.

Source table → cloud.aws.cloudtrail

  AWS CloudTrail - AWS ECR Container Upload Unknown User

This alert is triggered when a new ECR container is uploaded by an unknown user. It is possible to include a list of users to not monitor in the SecOpsGWL lookup, using the ARN as a key.

This alert filters PutImage CloudTrail events that come from an ECR service. The alert triggers when the user performing the action is not registered in the SecOpsGWL lookup. Users must be registered in the lookup using the ARN as a key.

Source table → cloud.aws.cloudtrail

  AWS CloudTrail - AWS IAM Assume Role Policy Brute Force

Detection of events with errorCode value MalformedPolicyDocumentException. This alert could indicate that someone is trying to identify a role name.

This alert filters CloudTrail events that come from the IAM service and have errorCode equal to MalformedPolicyDocumentException, then groups by common parameters and counts. The alert will trigger when the count is more than 1.

Source table → cloud.aws.cloudtrail

  AWS CloudTrail - IAM Policy Applied to a Group

This alert lets you know that a policy has been attached to a group. These kinds of events should be checked since they could be granting excessive access permissions to AWS services or resources.

This detection filters by CloudTrail events with PutGroupPolicy as eventName.

Source table → cloud.aws.cloudtrail

  AWS CloudTrail - IAM Policy Applied to Role

This alert lets you know that a policy has been attached to a role. These kinds of events should be checked since they could be granting excessive access permissions to AWS services or resources.

Source table → cloud.aws.cloudtrail

  AWS CloudTrail - IAM Policy Applied to User

This alert lets you know that a UserPoolClient entity has been created. These types of entities could be used by an attacker to perform unauthenticated API operations.

Source table → cloud.aws.cloudtrail

 AWS CloudTrail - AWS IAM DeletePolicy

This alert lets you know that an action to delete a policy was performed. This should be checked since it could undermine the security configuration of the AWS environment.

This alert filters DeletePolicy CloudTrail events that come from the IAM service and have request parameters attached to them.

Source table → cloud.aws.cloudtrail

  AWS CloudTrail - AWS IAM Successful Group Deletion

Deleting an IAM group is not a dangerous action by itself, but correlated with other events, such as recent user or group creations, it could indicate malicious behavior.

This alert filters DeleteGroup CloudTrail events that come from the IAM service. In addition, the errorCode has to be null to avoid false positives and must have request parameters attached.

Source table → cloud.aws.cloudtrail

  AWS CloudTrail - AWS SetDefaultPolicyVersion

This alert detects AWS CloudTrail events where a user has set a default policy version. Attackers have been known to use this technique for Privilege Escalation in case the previous versions of the policy had permission to access more resources than the current version of the policy.

This alert filters SetDefaultPolicyVersion CloudTrail events that come from the IAM service. In addition, the errorCode has to be null to avoid false positives.

Source table → cloud.aws.cloudtrail

  AWS CloudTrail - AWS UpdateLoginProfile

This alert detects when a user updates the login profile of a different user. This could indicate that a privilege escalation is being performed leveraging the user whose login profile has been updated.

This alert filters UpdateLoginProfile CloudTrail events that come from the IAM service. Two additional filters are applied: userAgent has to be equal to console.amazonaws.com in order to filter only actions performed through the console, and errorCode must be null to avoid false positives. Then, it groups and extracts the userName of the login profile being updated and triggers the alert if the user performing the action is not the same as the one extracted from the request parameters.

Source table → cloud.aws.cloudtrail

 AWS CloudTrail - New Container Uploaded To AWS ECR

This alert detects users uploading new images to AWS Elastic Container Registry (ECR).

Source table → cloud.aws.cloudtrail

  AWS CloudWatch - AWS Detect STS Get Session Token Abuse

This alert detects actions to get STS session tokens, which can be used to move laterally or escalate privileges in AWS.

Source table → cloud.aws.cloudtrail

 AWS CloudWatch - Detect Spike In Blocked Outbound Traffic From Your AWS

This alert detects actions that send large amounts of data from AWS out to the internet.

Source table → cloud.aws.cloudtrail

 AWS CloudTrail - Root Console Successful Login Observed

This alert detects successful root account logins. This account should only be used to create initial IAM users or perform tasks only available to the root user. Using this account is against AWS security best practices.

This detection filters CloudTrail events with ConsoleLogin as eventName and userName equal to root.

Source table → cloud.aws.cloudtrail

  AWS CloudTrail - IAM CreateUser Action Observed

This alert detects when a new user is created. This should be checked since an attacker could have created this user to gain persistence on the AWS account.

This alert detects new logs whose eventName is CreateUser and whose requestParameters are not null. This indicates that a new user was created in the corresponding AWS account.

Source table → cloud.aws.cloudtrail

  AWS CloudTrail - Multiple Failed Console Logins

Multiple failed login attempts from the same user were detected. This could indicate that an attacker is trying to brute-force access to that specific user account.

This detection filters by CloudTrail events with ConsoleLogin as eventName, errorMessage equal to failed authentication and a non-success response. It then groups by eventName, requestParameters, userIdentity_arn and userIdentity_accountId and triggers the alert when the count is greater than five.

Source table → cloud.aws.cloudtrail

 AWS CloudTrail - Public S3 Bucket Exposed

A request to set a new ACL on a bucket and make it public has been detected. Although this could be a legitimate action, it should be reviewed.

This alert filters PutBucketAcl CloudTrail events that come from the S3 service. It then extracts each pair of URI and Permission from the raw event message and checks if the URI is equal to http://acs.amazonaws.com/groups/global/AllUsers or http://acs.amazonaws.com/groups/global/AuthenticatedUsers and the permission is READ, READ_ACP, WRITE, WRITE_ACP or FULL_CONTROL. The alert will trigger if any of the pairs checked meet both requirements. This alert will only extract the first five permissions and URIs of a message.

Source table → cloud.aws.cloudtrail
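The URI/Permission check described above, written out as an added example (not Devo/SciSec code) over constructed CloudTrail PutBucketAcl events. It assumes the grants live under requestParameters.AccessControlPolicy.AccessControlList.Grant and keeps the page's five-pair limit, so the last sample shows a public grant that the rule would miss:

```python
"""Added example (not Devo/SciSec code): the Public S3 Bucket Exposed check
run over constructed CloudTrail PutBucketAcl events."""

PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
RISKY_PERMISSIONS = {"READ", "READ_ACP", "WRITE", "WRITE_ACP", "FULL_CONTROL"}
MAX_PAIRS = 5  # the alert only inspects the first five URI/Permission pairs


def grant_pairs(event):
    """Return the (URI, Permission) pairs from the ACL in requestParameters.
    Assumed CloudTrail layout: requestParameters.AccessControlPolicy
    .AccessControlList.Grant holds the grants, as a list or, for a lone
    grant, a bare dict. Canonical-user grantees have no URI and yield ""."""
    params = event.get("requestParameters") or {}
    acl = (params.get("AccessControlPolicy") or {}).get("AccessControlList") or {}
    grants = acl.get("Grant") or []
    if isinstance(grants, dict):
        grants = [grants]
    return [((g.get("Grantee") or {}).get("URI", ""), g.get("Permission", ""))
            for g in grants]


def is_public_bucket_acl(event):
    """True when a PutBucketAcl grants a risky permission to a public group."""
    if (event.get("eventSource") != "s3.amazonaws.com"
            or event.get("eventName") != "PutBucketAcl"):
        return False
    return any(uri in PUBLIC_GRANTEE_URIS and perm in RISKY_PERMISSIONS
               for uri, perm in grant_pairs(event)[:MAX_PAIRS])


def exposed_buckets(events):
    """Names of the buckets whose ACL change trips the check."""
    return [e["requestParameters"]["bucketName"]
            for e in events if is_public_bucket_acl(e)]


def _put_acl(bucket, grants):
    # constructed PutBucketAcl event (sample data, not a real log)
    return {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
            "requestParameters": {"bucketName": bucket,
                                  "AccessControlPolicy": {
                                      "AccessControlList": {"Grant": grants}}}}


def _group_grant(uri, permission):
    return {"Grantee": {"xsi:type": "Group", "URI": uri}, "Permission": permission}


OWNER = {"Grantee": {"xsi:type": "CanonicalUser", "ID": "owner-id-placeholder"},
         "Permission": "FULL_CONTROL"}
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"

SAMPLE_EVENTS = [
    # world-readable: fires
    _put_acl("public-site-assets", [OWNER, _group_grant(ALL_USERS, "READ")]),
    # owner only, sent as a lone grant dict: does not fire
    _put_acl("private-data", OWNER),
    # S3 log delivery group is not one of the two public groups: does not fire
    _put_acl("access-logs", [OWNER, _group_grant(LOG_DELIVERY, "WRITE")]),
    # public grant is the sixth pair, beyond the five the alert inspects: missed
    _put_acl("deep-acl", [OWNER] * 5 + [_group_grant(AUTH_USERS, "WRITE")]),
    # a GetBucketAcl read is not an ACL change: ignored
    {"eventSource": "s3.amazonaws.com", "eventName": "GetBucketAcl",
     "requestParameters": {"bucketName": "private-data"}},
]
```

Running `exposed_buckets(SAMPLE_EVENTS)` flags only `public-site-assets`; the `deep-acl` bucket is left unflagged because its public grant sits past the fifth pair.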

 AWS CloudTrail - Logging Configuration Change Observed Remove Tags

Some tags were removed from the configuration of a logging trail. This event should be checked since it could indicate an attacker may be trying to hide suspicious activity within an AWS account.

This detection filters by CloudTrail events with RemoveTags as eventName.

Source table → cloud.aws.cloudtrail

 AWS CloudTrail - Create Policy Version To Allow All Resources

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account.

Source table → cloud.aws.cloudtrail

 AWS CloudTrail - Create Access Key

This search looks for AWS CloudTrail events where a user who already has permission to create access keys, makes an API call to create access keys for another user.

Source table → cloud.aws.cloudtrail

 AWS CloudTrail - Excessive Security Scanning

A large number of actions whose names start with Describe have been performed by a single user. This could indicate that this user is trying to enumerate the AWS account.

This alert filters CloudTrail events in which eventName starts with one of the following strings: Describe, Get or List. It groups by IP address, account and source name, then collects the list of different event names included in each group and triggers the alert if that list contains more than 50 entries.

Source table → cloud.aws.cloudtrail

 AWS CloudTrail - Detect Users Creating Keys With Encrypt Policy Without MFA

A KMS key was created with a policy that makes the kms:Encrypt action available to everyone. This could be an indicator of a compromised account.

This alert filters CreateKey and PutKeyPolicy CloudTrail events that come from the KMS service. It then parses the different principals and actions from the requestParameters (the alert considers only the first five principals and actions; any further ones are disregarded). The alert triggers when one of the pairs meets the following criteria:

  • The action contains the string kms:* or kms:Encrypt

  • The principal contains the string AWS:*

Source table → cloud.aws.cloudtrail
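The principal/action criteria above, implemented as an added example (not Devo/SciSec code) over constructed CreateKey and PutKeyPolicy events. It assumes the key policy arrives as a JSON string in requestParameters.policy, parses it structurally rather than substring-matching the raw message, compares actions against the exact strings kms:* and kms:Encrypt, and keeps the page's five-pair limit:

```python
"""Added example (not Devo/SciSec code): the 'keys with Encrypt policy' check
run over constructed CloudTrail CreateKey / PutKeyPolicy events."""
import json

FLAGGED_ACTIONS = {"kms:*", "kms:Encrypt"}
MAX_PAIRS = 5  # the alert considers only the first five principal/action pairs


def _as_list(value):
    # IAM policy fields may be a scalar or a list; normalise to a list
    return [] if value is None else value if isinstance(value, list) else [value]


def principal_action_pairs(policy):
    """Flatten the Allow statements of a key policy into (principal, action)
    pairs. Assumption: CloudTrail carries the policy in requestParameters.policy
    as a JSON string (a parsed dict is accepted too). A bare "*" principal is
    reported as "AWS:*", like {"AWS": "*"}, so both spellings of 'anyone' match
    the page's AWS:* criterion. Deny statements grant nothing and are skipped."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    pairs = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            principals = ["AWS:*"]
        elif isinstance(principal, dict):
            principals = [f"{kind}:{who}" for kind, vals in principal.items()
                          for who in _as_list(vals)]
        else:
            principals = []
        for who in principals:
            for action in _as_list(stmt.get("Action")):
                pairs.append((who, action))
    return pairs


def is_open_encrypt_policy(event):
    """True for a CreateKey/PutKeyPolicy whose policy lets anyone Encrypt."""
    if (event.get("eventSource") != "kms.amazonaws.com"
            or event.get("eventName") not in ("CreateKey", "PutKeyPolicy")):
        return False
    policy = (event.get("requestParameters") or {}).get("policy")
    if not policy:
        return False
    return any(who == "AWS:*" and action in FLAGGED_ACTIONS
               for who, action in principal_action_pairs(policy)[:MAX_PAIRS])


def _kms_event(name, statements):
    # constructed CloudTrail event (sample data, not a real log)
    policy = {"Version": "2012-10-17", "Statement": statements}
    return {"eventSource": "kms.amazonaws.com", "eventName": name,
            "requestParameters": {"keyId": "key-id-placeholder",
                                  "policy": json.dumps(policy)}}


ROOT_ARN = "arn:aws:iam::111122223333:root"  # constructed account id
ADMIN = {"Effect": "Allow", "Principal": {"AWS": ROOT_ARN}, "Action": "kms:*"}
ANYONE_ENCRYPT = {"Effect": "Allow", "Principal": "*", "Action": "kms:Encrypt"}
FIVE_ACTIONS = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*"]

SAMPLE_EVENTS = [
    # anyone may Encrypt, written as {"AWS": "*"}: fires
    _kms_event("PutKeyPolicy", [ADMIN, dict(ANYONE_ENCRYPT, Principal={"AWS": "*"})]),
    # normal key: only the account root, no wildcard principal: does not fire
    _kms_event("CreateKey", [ADMIN]),
    # wildcard principal but a read-only action: does not fire
    _kms_event("PutKeyPolicy", [dict(ANYONE_ENCRYPT, Action=["kms:DescribeKey"])]),
    # the open statement is the sixth pair, past the five inspected: missed
    _kms_event("PutKeyPolicy", [dict(ADMIN, Action=FIVE_ACTIONS), ANYONE_ENCRYPT]),
]
```

Only the first sample fires; the last one shows the gap created by the five-pair limit, since its wildcard Encrypt grant is the sixth pair.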

 ECR Container Scanning Findings Critical

Scanning from an ECR container detected at least one critical risk finding.

This alert filters CloudTrail DescribeImageScanFindings events that come from the ECR service, then filters events that have the string CRITICAL within the response parameters.

Source table → cloud.aws.cloudtrail

 SecOpsAwsEcrImageUpload

Detects users uploading new images to AWS Elastic Container Registry (ECR).

Source table → cloud.aws.cloudtrail

 SecOpsAwsS3EncryptWithKMSKey

Detects actions taken by users to encrypt S3 buckets using KMS keys.

Source table → cloud.aws.cloudtrail

 SecOpsAWSDetectNewUserAWSConsoleLogin

This alert triggers when a user logs into the console for the first time in a year.

Source table → cloud.aws.cloudtrail

 SecOpsAWSUserSuccessfulLoginWithoutMFA

A successful AWS console login without MFA was detected. AWS security best practices recommend enabling this security measure for console access login.

Source table → cloud.aws.cloudtrail

 SecOpsAWSCreateAccessKey

This search looks for AWS CloudTrail events where a user, who already has permission to create access keys, makes an API call to create access keys for a second user.

Source table → cloud.aws.cloudtrail

 SecOpsAWSRootLogin

A successful root account login was detected. This account should only be used to create initial IAM users or perform tasks only available to the root user. Using this account is against AWS security best practices.

This detection filters by cloudtrail events with ConsoleLogin as eventName and userName equal to root.

Source table → cloud.aws.cloudtrail

 SecOpsAWSCreateloginprofile

Detects whether a login has been performed by a user who was created in the last 24 hours, and checks whether the user creation and the login were performed from the same IP. This behaviour could indicate a privilege escalation attempt.

This alert filters ConsoleLogin CloudTrail events that come from the sign-in service. It uses a subquery to check for login profile creations during the 24 hours prior to the login, using the IP to correlate the events.

Source table → cloud.aws.cloudtrail

 SecOpsAWSDetectNewOpenS3BucketsOverAWSCli

A request to set a new ACL to a bucket to make it public via CLI has been detected. Although this could be a legitimate action, it should be reviewed.

This alert filters PutBucketAcl CloudTrail events that come from the S3 service. In addition, it keeps only messages without an errorMessage, to avoid false positives, and whose user agent contains aws-cli, so that only command line interface events are considered.

Source table → cloud.aws.cloudtrail

 SecOpsAWSIamFailureGroupDeletion

Deletion of an IAM group is not a dangerous action by itself, but correlated with other events, such as recent user or group creations, it could indicate malicious behaviour.

This alert filters DeleteGroup CloudTrail events that come from the IAM service. In addition, the errorCode has to be one of the following: NoSuchEntityException, DeleteConflictException or AccessDenied.

Source table → cloud.aws.cloudtrail

 SecOpsAWSLoggingConfigurationChangeObservedRemoveTags

Some tags were removed from the configuration of a logging trail. This event should be checked since it could indicate an attacker may be trying to hide suspicious activity within an AWS account.

This detection filters by CloudTrail events with RemoveTags as eventName.

Source table → cloud.aws.cloudtrail

 SecOpsAWSPermissionsBoundaryModifiedToRole

A Permission Boundary has been modified on a role. This could allow all the actions permitted by the policies attached to that role to be granted.

This alert filters CloudTrail PutRolePermissionsBoundary events.

Source table → cloud.aws.cloudtrail

 SecOpsAWSPermissionsBoundaryModifiedToUser

A Permission Boundary has been modified for a role. This could allow granting all the actions in the permissions of the policies attached to that role.

This alert filters CloudTrail PutRolePermissionsBoundary events with null error messages to avoid false positives.

Source table → cloud.aws.cloudtrail

 SecOpsLog4ShellVulnerabilityCloudAWS

This alert checks for attempts to exploit CVE-2021-44228, known as Log4Shell. The query looks for payload patterns associated with this vulnerability in the raw log message, including payloads in the URL, the User-Agent header, the Referer header, or POST and PUT HTTP bodies.

Source table → cloud.aws.cloudtrail

 SecOpsAwsEc2KeyAction

Detects any actions observed that create, import, or delete access keys to EC2.

Source table → cloud.aws.cloudtrail

 SecOpsAwsKmsKeyDeletion

Detects the scheduled deletion of KMS keys.

Source table → cloud.aws.cloudtrail

 SecOpsAwsUnapprovedUserApiActivity

Detects AWS API activity by users who are not explicitly authorized through an allow list.

Detecting unapproved users interacting with the AWS API can prevent abuse, fraud and other malicious operations from being executed.

Source table → cloud.aws.cloudtrail

 SecOpsAwsUpdateSAMLProvider

Detects actions that update the SAML provider configuration.

Source table → cloud.aws.cloudtrail

AWS CloudWatch alerts

 AWS CloudWatch - AWS Detect STS Get Session Token Abuse

This alert detects actions to get STS session tokens, which can be used to move laterally or escalate privileges in AWS.

Source table → cloud.aws.cloudtrail 

 AWS CloudWatch - Detect Spike In Blocked Outbound Traffic From Your AWS

This alert detects actions that send large amounts of data from AWS out to the internet.

Source table → cloud.aws.cloudtrail 

Amazon VPC

 Amazon VPC - Network Scan

Detects scanning of AWS infrastructure via VPC flow logs.

Source table → vpc.aws.flow

 Amazon VPC - Port Scan

Detects port scans on AWS infrastructure from VPC flow logs.

Source table → vpc.aws.flow 

 Amazon VPC - Large File Upload

Detects possible large file transfers using AWS VPC flow logs.

Source table → vpc.aws.flow 

 SecOpsAwsVpcLargeOutboundTrafficBlock

Detects blocked attempts to send large amounts of data from AWS out to the internet.

Source table → vpc.aws.flow 
