Document toolboxDocument toolbox

Alert Pack: AWS

Owned by Juan Tomás Alonso Nieto (Deactivated)
May 08, 2023
2 min read
[ 1 Purpose ] [ 2 Prerequisites ] [ 3 Open alert pack ] [ 4 Use alert pack ]

Purpose

AWS is one of the biggest cloud providers in the world and will enable your organization to build, run and manage applications across multiple environments. This alert pack is a bundle of Devo’s Security Operations out-of-the-box detections that can help you obtain a quick coverage of alerts.

Security Operations application

SecOps users can obtain detailed information if they install these alerts using the Content Manager instead.

SecOpsAWSOpsWorksDescribePermissionsEvent

SecOpsAwsRoleCreated

SecOpsAwsSqsListQueues

SecOpsAwsUpdateSAMLProvider

SecOpsAWSIAMUserGeneratingAccessDeniedErrorsAcrossMultipleActions

SecOpsAWSPermissionsBoundaryModifiedToRole

SecOpsAWSSamlAccess

SecOpsAWSRootLogin

SecOpsLog4ShellVulnerabilityCloudAWS

SecOpsAWSPermissionsBoundaryLiftedtoUser

SecOpsAWSSecretsManagerSensitiveAdminActionObserved

SecOpsAwsKmsSensitiveActivity

SecOpsAWSMultipleFailedConsoleLoginsFromASourceIP

SecOpsAwsCloudTrailReconEvent

SecOpsAwsECRContainerScanningFindingsCritical

SecOpsAWSIAMPolicyAppliedToGroup

SecOpsAWSPublicS3BucketExposed

SecOpsAWSOpenNetworkACLs

SecOpsAWSLoggingConfigurationChangeObservedDeleteTrail

SecOpsAWSIAMPolicyAppliedToRole

SecOpsAWSLoggingConfigurationChangeObservedRemoveTags

SecOpsAwsECRContainerUploadOutsideBusinessHours

SecOpsAWSUserSuccessfulLoginWithoutMFA

SecOpsAwsS3EncryptWithKMSKey

SecOpsAWSDetectUsersCreatingKeysWithEncryptPolicyWithoutMFA

SecOpsAwsDbSnapshotCreated

SecOpsAWSExcessiveSecurityScanning

SecOpsAwsEc2KeyAction

SecOpsAWSLoggingConfigurationChangeObservedStopLogging

SecOpsAwsMasterKeyDisabledOrDeletion

SecOpsAWSIAMPolicyAppliedToUser

SecOpsAWSIAMDeletePolicy

SecOpsAWSCreatePolicyVersionToAllowAllResources

SecOpsAWSCreateaccesskey

SecOpsAWSIAMCreateUserActionObserved

SecOpsAWSNewUserPoolClientCreated

SecOpsAWSMultipleFailedConsoleLogins

SecOpsAWSNetworkAccessControlListDeleted

SecOpsAwsEcrImageUpload

SecOpsAWSPermissionsBoundaryModifiedToUser

SecOpsAWSPermissionsBoundaryLiftedtoRole

SecOpsAWSIamSuccessfulGroupDeletion

SecOpsAWSUpdateloginprofile

SecOpsAWSSetdefaultpolicyversion

SecOpsAwsPermanentKeyCreation

SecOpsAWSDetectStsAssumeRoleAbuse

SecOpsAwsStsPossibleSessionTokenAbuse

SecOpsAwsGetSecretFromNonAmazonIp

SecOpsAWSIAMAssumeRolePolicyBruteForce

SecOpsAwsKmsKeyDeletion

SecOpsAWSECRContainerScanningFindingsLowInformationalUnknown

Prerequisites

To use this alert pack, you must have the following data sources available in your domain:

Open alert pack

Once you have installed the alert pack, you can use the Open button at the top right of the card in Exchange to access the Alert configuration, where you can apply filters to find it and later manage it as required. You can also access this area via the Navigation pane (Administration → Alert Configuration → Available alerts).

 

Use alert pack

The alerts in the alert pack are deactivated by default when the alert pack is installed. Access the Alert configuration area to activate those you need and assign sending policies to receive them through the desired channels.

 

 

 

 

 

Â