- Created by Juan Tomás Alonso Nieto, last modified by Former user on Sept 07, 2023
Amazon Web Services (AWS) is one of the largest cloud providers out there and as such requires organizations to protect themselves with cloud security monitoring.
SciSec’s content contains dozens of AWS detections so your organization can monitor its AWS infrastructure, look for areas of risk, or respond to threats as they emerge. The detections cover the AWS products and services CloudTrail, CloudWatch, and VPC.
The DescribePermissions event retrieves a description of the permissions for a specified stack. This could be used by an attacker to collect information for further attacks.
Source table → cloud.aws.cloudtrail
Detects actions that update the SAML provider configuration.
Source table → cloud.aws.cloudtrail
This search provides specific information to detect abnormal access or potential credential hijacking or forgery, especially in federated environments using the SAML protocol inside the perimeter or at the cloud provider.
Source table → cloud.aws.cloudtrail
It was detected that a permission boundary has been lifted against an IAM user. This action could be used by an attacker to escalate privileges within an AWS account.
Source table → cloud.aws.cloudtrail
The DescribePermissions event retrieves a description of the permissions for a specified stack. This could be used by an attacker to collect information for further attacks.
Source table → cloud.aws.cloudtrail
It was detected that a policy had been attached to a group. These kinds of events should be checked since they could be granting excessive access permissions to AWS services or resources.
Source table → cloud.aws.cloudtrail
A trail within the CloudTrail service has been deleted. This event should be checked since it could indicate that an attacker may be trying to hide suspicious activity within an AWS account.
Source table → cloud.aws.cloudtrail
Upload of a new ECR container was performed outside normal business hours, that is, during the weekend or between 20:00 and 8:00.
Source table → cloud.aws.cloudtrail
Creation of a KMS key for which the kms:Encrypt action is available to everyone. This could be an indicator of a compromised account.
Source table → cloud.aws.cloudtrail
Detects any actions observed that create, import, or delete access keys to EC2.
Source table → cloud.aws.cloudtrail
This search looks for Collective Defense matches in AWS data.
Source table → cloud.aws.cloudtrail
Detects a login performed by a user that was created in the last 24 hours, and checks whether the user creation and the login were performed from the same IP. This behaviour could indicate a privilege escalation attempt.
Source table → cloud.aws.cloudtrail
It was detected that a policy has been attached to a role. These kinds of events should be checked since they could be granting excessive access permissions to AWS services or resources.
Source table → cloud.aws.cloudtrail
Actions observed as blocked while sending large amounts of data from AWS out to the internet.
Source table → vpc.aws.flow
This search looks for AWS CloudTrail events where a user, who already has permission to create access keys, makes an API call to create access keys for a second user.
Source table → cloud.aws.cloudtrail
Multiple failed login attempts from the same user were detected. This could indicate that an attacker is trying to brute-force access to that specific user account.
Source table → cloud.aws.cloudtrail
Detects a possibly large file being moved, based on AWS VPC flow logs.
Source table → vpc.aws.flow
A permission boundary has been modified for a role. This could allow all the actions permitted by the policies attached to that role to be granted.
Source table → cloud.aws.cloudtrail
A user has updated the login profile of a different user. This could indicate that a privilege escalation is being performed by leveraging the user whose login profile has been updated.
Source table → cloud.aws.cloudtrail
Suspicious use of "AssumedRole". This type of token could be used by an attacker to perform privilege escalation or lateral movement.
Source table → cloud.aws.cloudtrail
Detection of events with errorCode "MalformedPolicyDocumentException". A malformed policy document exception occurs in instances where role assumption is attempted or brute-forced.
Source table → cloud.aws.cloudtrail
Detects actions taken to create new IAM roles in AWS.
Source table → cloud.aws.cloudtrail
This alert filters events where the errorCode AccessDenied is present and groups them in 5-minute windows by user ARN and AWS account.
Source table → cloud.aws.cloudtrail
A successful root account login was detected. This account should only be used to create initial IAM users or perform tasks only available to the root user. Using this account is against AWS security best practices.
Source table → cloud.aws.cloudtrail
Any modification action performed against the AWS Secrets Administrative service should be reviewed. This could be an indicator of suspicious activity being carried out by a hostile entity.
Source table → cloud.aws.cloudtrail
Analytical detection of reconnaissance-type behavior from AWS CloudTrail logs.
Source table → cloud.aws.cloudtrail
This alert filters PutBucketAcl CloudTrail events that come from the S3 service and extracts each URI and Permission pair from the raw event message. It then checks whether the URI is equal to http://acs.amazonaws.com/groups/global/AllUsers or http://acs.amazonaws.com/groups/global/AuthenticatedUsers and whether the permission is READ, READ_ACP, WRITE, WRITE_ACP, or FULL_CONTROL. The alert triggers if any of these pairs meets both criteria. Only the first five permissions and URIs of a message are extracted.
Source table → cloud.aws.cloudtrail
It was detected that a policy has been attached to a role. These kinds of events should be checked since they could be granting excessive access permissions to AWS services or resources.
Source table → cloud.aws.cloudtrail
A successful AWS console login without MFA was detected. AWS security best practices recommend enabling MFA for console login.
Source table → cloud.aws.cloudtrail
Creating a snapshot is a common technique utilized by malicious actors to download databases in a stealthy manner. This alert should be considered when other signals could indicate that an account has been compromised.
Source table → cloud.aws.cloudtrail
A trail within the CloudTrail service has been stopped. This event should be checked since it could indicate that an attacker may be trying to hide suspicious activity within an AWS account.
Source table → cloud.aws.cloudtrail
An action to delete a policy was performed. This should be checked since it could undermine the security configuration of the AWS environment.
Source table → cloud.aws.cloudtrail
A new user was created. This action should be checked since an attacker could have created this user to gain persistence on the AWS account.
Source table → cloud.aws.cloudtrail
A network ACL was deleted. This could indicate that an attacker is downgrading the security of network access for an instance.
Source table → cloud.aws.cloudtrail
It was detected that a permission boundary has been lifted against an IAM role. This action could be used by an attacker to escalate privileges within an AWS account.
Source table → cloud.aws.cloudtrail
This alert filters SetDefaultPolicyVersion CloudTrail events that come from the IAM service. In addition, the errorCode has to be null to avoid false positives.
Source table → cloud.aws.cloudtrail
Detects AWS API activity by users who are not explicitly authorized from an allow list.
Source table → cloud.aws.cloudtrail
Detects STS session tokens, which can be used to move laterally or escalate privileges in AWS.
Source table → cloud.aws.cloudtrail
Detects the scheduled deletion of KMS keys.
Source table → cloud.aws.cloudtrail
Detects a rare ListQueues event from AWS SQS.
Source table → cloud.aws.cloudtrail
A permission boundary has been modified on a role. This could allow all the actions permitted by the policies attached to that role to be granted.
Source table → cloud.aws.cloudtrail
This alert checks for the CVE-2021-44228 exploit (Log4Shell). The query looks for payload patterns associated with Log4Shell, including payloads in the URL, the User-Agent header, the Referer header, or POST and PUT HTTP bodies.
Source table → cloud.aws.cloudtrail
Analytics detection of KMS key enable or disable actions.
Source table → cloud.aws.cloudtrail
Scanning from an ECR container detected at least one critical risk finding.
Source table → cloud.aws.cloudtrail
The search looks for CloudTrail events to detect if any network ACLs were created with all the ports open to a specified CIDR.
Source table → cloud.aws.cloudtrail
This detection filters CloudTrail events with RemoveTags as eventName.
Source table → cloud.aws.cloudtrail
Detects actions taken by users to encrypt S3 buckets using KMS keys.
Source table → cloud.aws.cloudtrail
A large number of actions whose names start with Describe have been performed by a single user. This could indicate that the user is trying to enumerate the AWS account.
Source table → cloud.aws.cloudtrail
Detects when a Customer Master Key (CMK) was disabled or scheduled for deletion.
Source table → cloud.aws.cloudtrail
This search looks for AWS CloudTrail events where a user has created a policy version that allows the user to access any resource in their account.
Source table → cloud.aws.cloudtrail
It was detected that a UserPoolClient entity has been created. This type of entity could be used by an attacker to perform unauthenticated API operations.
Source table → cloud.aws.cloudtrail
Detects users uploading new images to AWS Elastic Container Registry (ECR).
Source table → cloud.aws.cloudtrail
Deletion of an IAM group is not a dangerous action by itself, but, correlated with other events such as recent user or group creations, it could indicate malicious behaviour.
Source table → cloud.aws.cloudtrail
Detects actions observed that create, import, or delete access keys to EC2.
Source table → cloud.aws.cloudtrail
Detects a GetSecretValue action where the source IP does not belong to the Amazon instance IP space.
Source table → cloud.aws.cloudtrail
Scanning from an ECR container detected at least one LOW or UNDEFINED risk finding.
Source table → cloud.aws.cloudtrail