
AWS

Overview

Amazon Web Services (AWS) is one of the largest cloud providers, and organizations that run workloads on it need cloud security monitoring to protect those workloads and the accounts that control them.

SciSec’s content contains dozens of AWS detections so your organization can monitor its AWS infrastructure, look for areas of risk, and respond to threats as they emerge. The detections cover the AWS services CloudTrail, CloudWatch, and VPC.

The AWS-related detections we provide are listed below, grouped by source service. Each entry describes what the alert detects, the filter logic it applies, and the source table it reads from:

AWS CloudTrail alerts

  •  AWS CloudTrail - IAM User Generating AccessDenied Errors Across Multiple Actions

    This alert detects users that received the errorCode value AccessDenied when trying to perform several different actions within a short period of time. This could indicate that a user, or an attacker holding that user's credentials, is enumerating the permissions available in the AWS account.

    This alert filters events where errorCode is AccessDenied and groups them into 5-minute windows by user ARN and AWS account.

    Source table → cloud.aws.cloudtrail 

  •  AWS CloudTrail - AWS Console Login without MFA

    A successful AWS console login without MFA was detected. AWS security best practices recommend requiring MFA for console access.

    This alert filters CloudTrail events from signin.amazonaws.com with ConsoleLogin as eventName, a Success response, and the MFAUsed value in additionalEventData not equal to Yes.

    Source table → cloud.aws.cloudtrail 

  •  AWS CloudTrail - New UserPoolClient Created

    This alert detects when a Cognito UserPoolClient (app client) is created. An attacker who controls an app client can use it to perform unauthenticated API operations against the user pool.

    This alert filters CloudTrail events from cognito-idp.amazonaws.com with CreateUserPoolClient as eventName.

    Source table → cloud.aws.cloudtrail 

  •  AWS CloudTrail - Customer Master Key Disabled or Scheduled for Deletion

    Detects when a KMS Customer Master Key (CMK) is disabled or scheduled for deletion. Once either action takes effect, data encrypted under that key can no longer be decrypted, so this is a useful sabotage and ransomware indicator.

    Source table → cloud.aws.cloudtrail 

  •  AWS CloudTrail - Database Snapshot Created

    Creating a DB snapshot is an efficient way for an attacker to begin exfiltrating a target database, for example by sharing or copying the snapshot to another account. Treat this signal in the context of other signals that may indicate data theft is in progress.

    Source table → cloud.aws.cloudtrail 

  •  AWS CloudTrail - EC2 Access Key Action Detected

    This alert detects actions that create, import, or delete EC2 access keys (key pairs).

    Source table → cloud.aws.cloudtrail 

  •  AWS CloudTrail - GetSecretValue from non-Amazon IP

    This alert detects GetSecretValue calls made from source IPs outside Amazon's IP address space, meaning the secret was read from outside AWS rather than by a workload running in it.

    Source table → cloud.aws.cloudtrail 

  •  AWS CloudTrail - Logging Configuration Change Observed (DeleteTrail)

    This alert is triggered when a CloudTrail trail is deleted. Check this event, since it could indicate that an attacker is trying to hide suspicious activity within an AWS account.

    This alert filters CloudTrail events with DeleteTrail as eventName.

    Source table → cloud.aws.cloudtrail

  •  AWS CloudTrail - Logging Configuration Change Observed (StopLogging)

    Logging for a CloudTrail trail has been stopped. Check this event, since it could indicate that an attacker is trying to hide suspicious activity within an AWS account.

    This alert filters CloudTrail events with StopLogging as eventName.

    Source table → cloud.aws.cloudtrail 

  •  AWS CloudTrail - Multiple Failed Console Logins From a Source IP

    This alert is triggered when multiple failed console login attempts against the same user are detected. This could indicate that an attacker is trying to brute-force access to that user account.

    This alert filters CloudTrail events with ConsoleLogin as eventName, errorMessage equal to Failed authentication, and an unsuccessful response. It then groups by eventName, requestParameters, userIdentity_arn, and userIdentity_accountId and triggers when the count is greater than 5.

    Source table → cloud.aws.cloudtrail 

  •  AWS CloudTrail - OpsWorks Describe Permissions Event

    The DescribePermissions event retrieves the descriptions of permissions for a specified stack. This could be used by an attacker to collect information for further attacks.

    This alert filters CloudTrail events from opsworks.amazonaws.com source with DescribePermissions as eventName.

    Source table → cloud.aws.cloudtrail 

  •  AWS CloudTrail - Permissions Boundary Lifted (Role)

    This alert is triggered when a permissions boundary is removed from an IAM role. Since the boundary caps the effective permissions of the role, removing it can be used by an attacker to escalate privileges within an AWS account.

    This alert filters CloudTrail events from iam.amazonaws.com with DeleteRolePermissionsBoundary as eventName.

    Source table → cloud.aws.cloudtrail 

  •  AWS CloudTrail - Permissions Boundary Lifted (User)

    This alert is triggered when a permissions boundary is removed from an IAM user. Since the boundary caps the effective permissions of the user, removing it can be used by an attacker to escalate privileges within an AWS account.

    This alert filters CloudTrail events from iam.amazonaws.com with DeleteUserPermissionsBoundary as eventName.

    Source table → cloud.aws.cloudtrail

  •  AWS CloudTrail - Reconnaissance Related Event

    Analytical detection of reconnaissance-type behavior (discovery and enumeration API calls) in AWS CloudTrail logs.

    Source table → cloud.aws.cloudtrail

  •  AWS CloudTrail - SQS List Queues Event

    This alert detects rare ListQueues events from Amazon SQS, which an attacker may issue to discover queues worth reading from or tampering with.

    Source table → cloud.aws.cloudtrail

  •  AWS CloudTrail - Schedule Key Deletion in KMS

    Detects KMS keys being scheduled for deletion (ScheduleKeyDeletion).

    Source table → cloud.aws.cloudtrail

  •  AWS CloudTrail - Network Access Control List Deleted

    A rule was deleted from a network ACL. This could indicate that an attacker is weakening the network access controls of a subnet, since removing an entry changes which traffic is allowed to reach or leave the instances behind it.

    This detection filters CloudTrail events with DeleteNetworkAclEntry as eventName.

    Source table → cloud.aws.cloudtrail

  •  AWS CloudTrail - Secrets Manager Sensitive Admin Action Observed

    This alert detects sensitive administrative actions against AWS Secrets Manager. Review these events, since such actions can expose stored credentials or change who is able to read them.

    Source table → cloud.aws.cloudtrail

  •  AWS CloudTrail - Sensitive Activity in KMS

    Detects KMS key enable and disable actions.

    Source table → cloud.aws.cloudtrail

  •  AWS CloudTrail - AWS Detect Role Creation

    Detects actions taken to create new IAM roles in AWS.

    Source table → cloud.aws.cloudtrail

  •  AWS CloudTrail - AWS Detect STS Assume Role Abuse

    Suspicious use of an assumed-role session. The temporary credentials obtained through AssumeRole can be used by an attacker for privilege escalation or lateral movement between roles and accounts.

    This alert filters CloudTrail events whose userIdentity type equals AssumedRole and whose userIdentity sessionContext sessionIssuer type equals Role.

    Source table → cloud.aws.cloudtrail

  •  AWS CloudTrail - AWS Detect Permanent Key Creation

    Detects the creation of permanent (long-lived) access keys. Unlike temporary STS credentials, these keys do not expire and are a common way to persist access to an account.

    Source table → cloud.aws.cloudtrail

  •  AWS CloudTrail - AWS Detect Users with KMS Keys Performing Encryption S3

    Detects actions taken by users to encrypt S3 buckets with KMS keys. Re-encrypting data under a key the attacker controls is a known S3 ransomware pattern.

    Source table → cloud.aws.cloudtrail

  •  AWS CloudTrail - AWS Network Access Control List Created with All Open Ports

    This search looks for CloudTrail events indicating that a network ACL was created with all ports open to a specified CIDR.

    Source table → cloud.aws.cloudtrail

  •  AWS CloudTrail - AWS SAML Access by Provider User and Principal

    This search reports SAML-based access by identity provider user and principal, so that abnormal access or potential credential hijacking or forgery can be detected in federated environments that use the SAML protocol, whether inside the perimeter or at the cloud provider.

    Source table → cloud.aws.cloudtrail

  •  AWS CloudTrail - AWS ECR Container Scanning Findings High

    This alert triggers when at least one high-severity finding is reported after scanning an ECR image.

    This alert filters CloudTrail DescribeImageScanFindings events that come from the ECR service, then keeps events that contain the string HIGH in the response parameters.

    Source table → cloud.aws.cloudtrail

  •  AWS CloudTrail - AWS ECR Container Scanning Findings Low Informational Unknown

    This alert triggers when at least one low-severity, informational, or unknown-severity finding is reported after scanning an ECR image.

    This alert filters CloudTrail DescribeImageScanFindings events that come from the ECR service, then keeps events that contain the string LOW or INFORMATIONAL in the response parameters.

    Source table → cloud.aws.cloudtrail

  •  AWS CloudTrail - AWS ECR Container Scanning Findings Medium

    This alert triggers when at least one medium-severity finding is reported after scanning an ECR image.

    This alert filters CloudTrail DescribeImageScanFindings events that come from the ECR service, then keeps events that contain the string MEDIUM in the response parameters.

    Source table → cloud.aws.cloudtrail

  •  AWS CloudTrail - AWS ECR Container Upload Outside Business Hours

    This alert is triggered when a new ECR image is pushed outside normal business hours (on a weekend, or between 20:00 and 08:00).

    This alert filters CloudTrail PutImage events that come from the ECR service, then evaluates the eventdate parameter, triggering when the time falls between 20:00 and 08:00 or on a weekend.

    Source table → cloud.aws.cloudtrail

  •  AWS CloudTrail - AWS ECR Container Upload Unknown User

    This alert is triggered when a new ECR image is pushed by a user that is not registered in the SecOpsGWL lookup. Users you do not want to monitor can be added to that lookup using their ARN as the key.

    This alert filters PutImage CloudTrail events that come from the ECR service and triggers when the ARN of the user performing the action is not present in the SecOpsGWL lookup.

    Source table → cloud.aws.cloudtrail

  •  AWS CloudTrail - AWS IAM Assume Role Policy Brute Force

    Detection of IAM events with errorCode value MalformedPolicyDocumentException. Repeated errors of this kind can indicate that someone is enumerating valid IAM principal names (users or roles) by trying them one at a time in an assume-role policy, since a non-existent principal is rejected with this error.

    This alert filters CloudTrail events that come from the IAM service and have errorCode equal to MalformedPolicyDocumentException, then groups by common parameters and counts. The alert triggers when the count is greater than 1.

    Source table → cloud.aws.cloudtrail

  •  AWS CloudTrail - IAM Policy Applied to a Group

    This alert lets you know that a policy has been added to a group. These events should be checked since they could be granting excessive access permissions to AWS services or resources.

    This detection filters by CloudTrail events with PutGroupPolicy as eventName.

    Source table → cloud.aws.cloudtrail

  •  AWS CloudTrail - IAM Policy Applied to Role

    This alert lets you know that a policy has been attached to a role. These kinds of events should be checked since they could be granting excessive access permissions to AWS services or resources.

    Source table → cloud.aws.cloudtrail

  •  AWS CloudTrail - IAM Policy Applied to User

    This alert lets you know that a policy has been attached to a user. These events should be checked since they could be granting excessive access permissions to AWS services or resources.

    Source table → cloud.aws.cloudtrail

  •  AWS CloudTrail - AWS IAM DeletePolicy

    This alert lets you know that a policy was deleted. This should be checked since it could undermine the security configuration of the AWS environment.

    This alert filters DeletePolicy CloudTrail events that come from the IAM service and have request parameters attached to them.

    Source table → cloud.aws.cloudtrail

  •  AWS CloudTrail - AWS IAM Successful Group Deletion

    Deleting an IAM group is not a dangerous action by itself, but correlated with other events such as recent user or group creations could indicate malicious behaviors.

    This alert filters DeleteGroup CloudTrail events that come from the IAM service. In addition, the errorCode has to be null to avoid false positives and must have request parameters attached.

    Source table → cloud.aws.cloudtrail

  •  AWS CloudTrail - AWS SetDefaultPolicyVersion

    This alert detects AWS CloudTrail events where a user has set a default policy version. Attackers are known to use this technique for privilege escalation when an earlier version of the policy granted access to more resources than the current version does.

    This alert filters SetDefaultPolicyVersion CloudTrail events that come from the IAM service. In addition, errorCode has to be null to avoid false positives.

    Source table → cloud.aws.cloudtrail

  •  AWS CloudTrail - AWS UpdateLoginProfile

    This alert detects when a user updates the login profile of a different user. This could indicate that a privilege escalation is being performed leveraging the user whose login profile has been updated.

    This alert filters UpdateLoginProfile CloudTrail events that come from the IAM service. Two additional filters are applied: userAgent has to be equal to console.amazonaws.com in order to filter only actions performed through the console, and errorCode must be null to avoid false positives. Then, it groups and extracts the userName of the login profile being updated and triggers the alert if the user performing the action is not the same as the one extracted from the request parameters.

    Source table → cloud.aws.cloudtrail

  •  AWS CloudTrail - New Container Uploaded To AWS ECR

    This alert detects users uploading new images to AWS Elastic Container Registry (ECR).

    Source table → cloud.aws.cloudtrail

  •  AWS CloudTrail - Root Console Successful Login Observed

    This alert detects successful root account logins. The root account should only be used to create the initial IAM users or to perform the few tasks only available to root; routine use of it is against AWS security best practices.

    This detection filters CloudTrail events with ConsoleLogin as eventName and userName equal to root.

    Source table → cloud.aws.cloudtrail

  •  AWS CloudTrail - IAM CreateUser Action Observed

    This alert detects when a new IAM user is created. This should be checked since an attacker could have created the user to gain persistence in the AWS account.

    This alert matches events whose eventName is CreateUser and whose requestParameters are not null, which indicates that a new user was created in the corresponding AWS account.

    Source table → cloud.aws.cloudtrail
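The filter logic described in several of the entries above, run over constructed CloudTrail records. This is an added example written for this page, not SciSec content and not the product's own query language: the rule thresholds (at least two distinct denied actions, more than five failed logins, business hours evaluated in UTC), the fixed 5-minute bucketing, and every sample record are assumptions made for the demo. Field names follow the CloudTrail record schema.

```python
"""Reference implementations of several CloudTrail alerts listed above. Added example, not
SciSec content. Field names follow the CloudTrail record schema (eventName, eventSource,
errorCode, userIdentity, ...); every record in SAMPLE_EVENTS is constructed, not real data."""
from collections import defaultdict
from datetime import datetime, timezone

def event_time(e):
    """CloudTrail eventTime is ISO 8601 in UTC, e.g. 2024-05-01T21:15:00Z."""
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def console_login_without_mfa(e):
    """AWS Console Login without MFA: successful ConsoleLogin where MFAUsed is not Yes."""
    return (e.get("eventSource") == "signin.amazonaws.com" and e.get("eventName") == "ConsoleLogin"
            and (e.get("responseElements") or {}).get("ConsoleLogin") == "Success"
            and (e.get("additionalEventData") or {}).get("MFAUsed") != "Yes")

def update_login_profile_other_user(e):
    """AWS UpdateLoginProfile: a console user resets a *different* user's password."""
    if e.get("eventSource") != "iam.amazonaws.com" or e.get("eventName") != "UpdateLoginProfile":
        return False
    if e.get("userAgent") != "console.amazonaws.com" or e.get("errorCode") is not None:
        return False
    actor = (e.get("userIdentity") or {}).get("userName")
    target = (e.get("requestParameters") or {}).get("userName")
    return None not in (actor, target) and actor != target

def ecr_upload_outside_business_hours(e):
    """AWS ECR Container Upload Outside Business Hours: PutImage on a weekend or between
    20:00 and 08:00. Evaluated in UTC here (assumption); adjust for your local time zone."""
    if e.get("eventSource") != "ecr.amazonaws.com" or e.get("eventName") != "PutImage":
        return False
    t = event_time(e)
    return t.weekday() >= 5 or t.hour >= 20 or t.hour < 8

def bucket(events, predicate, key_fn, window_seconds=300):
    """Group matching events by key into fixed windows (default 5 minutes)."""
    groups = defaultdict(list)
    for e in events:
        if predicate(e):
            groups[(key_fn(e), int(event_time(e).timestamp()) // window_seconds)].append(e)
    return groups

def access_denied_enumeration(events, min_distinct_actions=2):
    """IAM User Generating AccessDenied Errors Across Multiple Actions: distinct denied API
    names per user ARN and account within one 5-minute window."""
    groups = bucket(events, lambda e: e.get("errorCode") == "AccessDenied",
                    lambda e: (e["userIdentity"].get("arn"), e.get("recipientAccountId")))
    hits = []
    for ((arn, account), _window), g in groups.items():
        actions = sorted({e["eventName"] for e in g})
        if len(actions) >= min_distinct_actions:
            hits.append({"arn": arn, "account": account, "actions": actions})
    return hits

def failed_console_logins(events, threshold=5):
    """Multiple Failed Console Logins: more than `threshold` failures per user in one window."""
    groups = bucket(events, lambda e: (e.get("eventName") == "ConsoleLogin"
                                       and e.get("errorMessage") == "Failed authentication"),
                    lambda e: (e.get("recipientAccountId"), e["userIdentity"].get("userName")))
    return [{"account": a, "user": u, "count": len(g)}
            for ((a, u), _window), g in groups.items() if len(g) > threshold]

def run_detections(events):
    """Apply every rule; returns alert name -> matched eventNames or group hits."""
    single = {"ConsoleLoginWithoutMFA": console_login_without_mfa,
              "UpdateLoginProfileOtherUser": update_login_profile_other_user,
              "ECRUploadOutsideBusinessHours": ecr_upload_outside_business_hours}
    hits = {name: [e["eventName"] for e in events if rule(e)] for name, rule in single.items()}
    hits["AccessDeniedEnumeration"] = access_denied_enumeration(events)
    hits["FailedConsoleLogins"] = failed_console_logins(events)
    return hits

def _rec(name, source, when, **extra):
    """Constructed CloudTrail-shaped record; keyword args add or override top-level fields."""
    base = {"eventName": name, "eventSource": source, "eventTime": when,
            "recipientAccountId": "111122223333",
            "userIdentity": {"type": "IAMUser", "userName": "alice",
                             "arn": "arn:aws:iam::111122223333:user/alice"}}
    base.update(extra)
    return base

SAMPLE_EVENTS = [
    _rec("ConsoleLogin", "signin.amazonaws.com", "2024-05-01T09:00:00Z",
         responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "No"}),
    _rec("UpdateLoginProfile", "iam.amazonaws.com", "2024-05-01T09:05:00Z",
         userAgent="console.amazonaws.com", requestParameters={"userName": "bob"}),
    _rec("PutImage", "ecr.amazonaws.com", "2024-05-04T14:00:00Z",  # a Saturday afternoon
         requestParameters={"repositoryName": "app"}),
    # permission enumeration: four different APIs denied within three minutes
    *[_rec(n, s, f"2024-05-01T10:0{i}:00Z", errorCode="AccessDenied") for i, (s, n) in enumerate(
        [("ec2.amazonaws.com", "DescribeInstances"), ("s3.amazonaws.com", "ListBuckets"),
         ("secretsmanager.amazonaws.com", "GetSecretValue"), ("iam.amazonaws.com", "ListUsers")])],
    # six failed console logins for the same user within one minute
    *[_rec("ConsoleLogin", "signin.amazonaws.com", f"2024-05-01T11:00:{10 * i:02d}Z",
           errorMessage="Failed authentication", responseElements={"ConsoleLogin": "Failure"})
      for i in range(6)],
]
```

Calling `run_detections(SAMPLE_EVENTS)` fires each of the five rules exactly once on the constructed records. The fixed-window bucketing in `bucket` is deliberately simple: a burst that straddles a 5-minute boundary is split across two buckets, so a production version would use a sliding window or overlap adjacent buckets.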

AWS CloudWatch alerts

  •  AWS CloudWatch - AWS Detect STS Get Session Token Abuse

    This alert detects GetSessionToken calls to STS. The resulting temporary credentials can be used to move laterally or escalate privileges in AWS.

    Source table → cloud.aws.cloudtrail 

  •  AWS CloudWatch - Detect Spike In Blocked Outbound Traffic From Your AWS

    This alert detects a spike in outbound traffic from your AWS environment to the internet that was blocked. Such a spike can indicate a compromised instance trying to beacon out or exfiltrate data through a path the network controls do not allow.

    Source table → cloud.aws.cloudtrail 

Amazon VPC alerts

  •  Amazon VPC - Network Scan

    Detects network scanning of AWS infrastructure from VPC flow logs.

    Source table → vpc.aws.flow

  •  Amazon VPC - Port Scan

    Detects port scans against AWS infrastructure from VPC flow logs.

    Source table → vpc.aws.flow 

  •  Amazon VPC - Large File Upload

    Detects possible large file transfers out of the VPC from VPC flow logs.

    Source table → vpc.aws.flow
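The three Amazon VPC alerts above share one input, VPC flow log records. The following is an added example written for this page, not SciSec content: it parses the default (version 2) flow log format and implements a port-scan, network-scan and large-upload detector over it. The thresholds, the VPC CIDR used to decide what counts as "outside", and every record in SAMPLE_LOG are assumptions made for the demo.

```python
"""Detections over VPC flow logs in the default (version 2) format, mirroring the three
Amazon VPC alerts above. Added example, not SciSec content: thresholds, the VPC CIDR and
every record in SAMPLE_LOG are constructed for the demo."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Default VPC flow log record layout (space separated, 14 fields).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

def parse_flow(line):
    """Parse one flow record; '-' (as in NODATA/SKIPDATA records) becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for k in INT_FIELDS:
        rec[k] = None if rec[k] == "-" else int(rec[k])
    return rec

def port_scan(flows, min_ports=20):
    """Port scan: one source hits many distinct destination ports on one host.
    Closed ports show up as REJECT, so the count is dominated by rejected flows."""
    ports = defaultdict(set)
    for f in flows:
        if f["dstport"] is not None:
            ports[(f["srcaddr"], f["dstaddr"])].add(f["dstport"])
    return [{"src": s, "dst": d, "ports": len(p)}
            for (s, d), p in ports.items() if len(p) >= min_ports]

def network_scan(flows, min_hosts=10):
    """Network scan: one source probes the same port on many distinct hosts."""
    hosts = defaultdict(set)
    for f in flows:
        if f["dstport"] is not None:
            hosts[(f["srcaddr"], f["dstport"])].add(f["dstaddr"])
    return [{"src": s, "dstport": p, "hosts": len(h)}
            for (s, p), h in hosts.items() if len(h) >= min_hosts]

def large_upload(flows, vpc_cidrs, min_bytes=100 * 2**20):
    """Large file upload: accepted bytes from an address inside the VPC to one outside it,
    summed per source/destination pair across the records."""
    nets = [ip_network(c) for c in vpc_cidrs]

    def inside(addr):
        return any(ip_address(addr) in n for n in nets)

    total = defaultdict(int)
    for f in flows:
        if (f["action"] == "ACCEPT" and f["bytes"]
                and inside(f["srcaddr"]) and not inside(f["dstaddr"])):
            total[(f["srcaddr"], f["dstaddr"])] += f["bytes"]
    return [{"src": s, "dst": d, "bytes": b} for (s, d), b in total.items() if b >= min_bytes]

def run_detections(text, vpc_cidrs=("10.0.0.0/16",)):
    """Parse a flow log text blob and run all three detectors."""
    flows = [parse_flow(line) for line in text.splitlines() if line.strip()]
    return {"port_scan": port_scan(flows), "network_scan": network_scan(flows),
            "large_upload": large_upload(flows, vpc_cidrs)}

def _flow(src, dst, dport, nbytes, action, sport=49152):
    """Constructed v2 flow record; account, ENI and timestamps are placeholders."""
    return (f"2 111122223333 eni-0a1b2c3d4e5f60718 {src} {dst} {sport} {dport} 6 10 {nbytes} "
            f"1714560000 1714560060 {action} OK")

SAMPLE_LOG = "\n".join(
    [_flow("203.0.113.50", "10.0.1.10", p, 40, "REJECT") for p in range(1, 26)]        # 25 ports, one host
    + [_flow("203.0.113.60", f"10.0.1.{h}", 22, 40, "REJECT") for h in range(20, 32)]  # port 22, 12 hosts
    + [_flow("10.0.1.10", "203.0.113.9", 443, 60 * 2**20, "ACCEPT")] * 3               # 180 MiB leaving the VPC
    + [_flow("10.0.1.10", "10.0.2.5", 5432, 1200, "ACCEPT")]                           # benign, intra-VPC
    + ["2 111122223333 eni-0a1b2c3d4e5f60718 - - - - - - - 1714560000 1714560060 - NODATA"]
)

if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_LOG).items():
        print(name, hits)
```

The detectors work on the whole batch they are given; in a pipeline you would feed them one capture window at a time (flow logs are aggregated per interface over a 1- or 10-minute window) and tune `min_ports`, `min_hosts` and `min_bytes` to the traffic profile of the subnet. The NODATA record in the sample shows why the parser must tolerate `-` fields before any arithmetic is done on them.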