
Release 1 - Out-of-the-box alerts

The SciSec Threat Research team has delivered its first release of AWS detections to the Security Operations application on top of the Devo platform. The detections are delivered through the Security Operations Content Stream and are installed through the Content Manager within the Security Operations application. The new detections are designed to help our customers with cloud security monitoring.

Cloud security monitoring is a top strategic priority for many CISOs. Moving workloads to the cloud presents a number of challenges for security organizations:

  • Managing complex hybrid environments - Centralizing information across cloud and on-premise infrastructure can be difficult to do at scale.

  • Monitoring user access & privilege - Authentication and access control for cloud infrastructure and applications are typically weaker than for internal IT systems.

  • Lack of visibility - As your organization's network perimeter expands to include the cloud, the ability to monitor and control data is reduced.

Amazon Web Services is one of the largest cloud providers, and organizations using it need to protect themselves with cloud security monitoring. SciSec’s first release contains dozens of AWS detections so your organization can monitor its AWS infrastructure, look for areas of risk, and respond to threats as they emerge. The detections cover the AWS products and services CloudTrail, CloudWatch, and VPC.

The specific AWS cloud security monitoring use cases delivered as part of SciSec’s first release are listed below. Each row represents one or more detections focused on the stated name and description.

| Detection name | Detection description | Devo table/Data source/Category |
|---|---|---|
| AWS CloudTrail Network Access Control List Deleted | Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After an attacker has gained control of the console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. | cloud.aws.cloudtrail |
| AWS CloudTrail - IAM Policy Applied (Group, Role, User) | A policy was attached to a user, group, or role. By default, IAM denies all access to all services for users, and policies must be applied to grant access to AWS services and resources. This signal could indicate a policy is granting additional access within your cloud environment. | cloud.aws.cloudtrail |
| AWS CloudTrail - Public S3 Bucket Exposed | An AWS request occurred to either create a new public bucket or to add a bucket access control list (ACL) to an existing bucket to make it public. While there are some use cases for public S3 buckets, most are generally private. The security operations center should have a strong understanding of which buckets are allowed to be public. | cloud.aws.cloudtrail |
| AWS CloudTrail - Root Console Successful Login Observed | This signal detects when a successful root account login occurred within an AWS account. This privileged account should seldom be used within an AWS cloud environment. Amazon's best practices state you should only use the root account to create the initial local IAM users and assign one of those accounts administrative privileges, or to perform rare tasks only available to the root user. The security operations center should be aware when the AWS root account is accessed. | cloud.aws.cloudtrail |
| AWS CloudTrail - IAM CreateUser Action Observed | Username affected: '{{changeTarget}}'. This signal fires for all observances of the CreateUser action in the IAM event source. Creating AWS users is likely a benign, infrequent activity. Hostile actors will create users to persist access. Use this signal in the context of other activity to determine intent. | cloud.aws.cloudtrail |
| AWS CloudTrail - IAM User Generating AccessDenied Errors Across Multiple Actions | An IAM account sent multiple requests to perform a wide, distinct number of AWS actions in a short time frame while receiving the error code AccessDenied. This could indicate an account attempting to enumerate its access across the AWS account. | cloud.aws.cloudtrail |
| AWS - New UserPoolClient Created | UserPoolClient {{application}} has been created in AWS. A UserPoolClient is an entity that has permission to call unauthenticated API operations (operations that do not have an authenticated user). | cloud.aws.cloudtrail |
| AWS CloudTrail - Customer Master Key Disabled or Scheduled for Deletion | Devo Alert Name | cloud.aws.cloudtrail |
| AWS CloudTrail - Database Snapshot Created | Creating DB snapshots is an efficient way for an attacker to begin downloading a target's database. These signals should be considered in the context of other signals that may indicate data theft is in progress. | cloud.aws.cloudtrail |
| AWS CloudTrail - EC2 Access Key Action Detected | Actions observed that create, import and delete access keys to EC2 could indicate an adversary is taking action on their objective to extend or otherwise manipulate access to EC2 instance(s). | cloud.aws.cloudtrail |
| AWS CloudTrail - GetSecretValue from non Amazon IP | The Secrets Manager service is commonly used by cloud components to retrieve secrets (connection strings etc.) while performing routine functions. This signal identifies when secret values are retrieved via the GetSecretValue API call and the source host does not belong to an Amazon instance IP space. | cloud.aws.cloudtrail |
| AWS CloudTrail - Logging Configuration Change Observed | Changing the logging configuration of any mission-critical service or platform should be closely monitored. This signal identifies when AWS logging configurations have been changed. The severity of signals increases depending on the type of action observed. For instance, disabling/deleting logs is a higher severity than enabling logs. | cloud.aws.cloudtrail |
| AWS CloudTrail - Multiple Failed Console Logins From an Source IP | Multiple failed logins were detected from the same source IP address within a short period of time. It is important to note that AWS CloudTrail does not log failed authentications for the root account user. | cloud.aws.cloudtrail |
| AWS CloudTrail - OpsWorks Describe Permissions Event | This event, sourced from AWS OpsWorks, occurs rarely. It could indicate that an adversary is attempting to collect information for a later attack. When successful, the Describe Permissions event returns information regarding a specified stack's permissions for access. | cloud.aws.cloudtrail |
| AWS CloudTrail - Permissions Boundary Lifted | Username affected: '{{changeTarget}}'. A permissions boundary was lifted from an IAM user or role. This unusual action may increase the effective permissions of the asset by allowing all the actions granted in its permissions policies. | cloud.aws.cloudtrail |
| AWS CloudTrail - Reconnaissance related event | This signal identifies a small number of CloudTrail API actions that, when observed, could indicate an actor's intent to enumerate the environment. These events are generally benign and occur during normal operations. Use this signal as context around an unfolding security story. | cloud.aws.cloudtrail |
| AWS CloudTrail - SQS List Queues Event | This event, sourced from AWS SQS, occurs rarely. It could indicate that an adversary is attempting to collect information for a later attack. When successful, the List Queues event returns all SQS queues that may be valid targets for further probing/attack. | cloud.aws.cloudtrail |
| AWS CloudTrail - ScheduleKeyDeletion in KMS | Deleting cryptographic key material managed by KMS can be risky: after key material is deleted, ciphertext may remain that is now indecipherable. Because of this risk, AWS enforces a minimum 7-day waiting period. A key cannot be deleted directly; it must first be scheduled for deletion by the system. This signal indicates that a key has been scheduled for deletion or that a scheduled deletion has been canceled. This signal, in the context of other signals around this entity, may describe a hostile pattern of attack. | cloud.aws.cloudtrail |
| AWS CloudTrail - Secrets Manager sensitive admin action observed | Administrative changes to AWS Secrets Manager aren't overtly hostile, but are generally low volume and can be considered sensitive. These signals highlight when these actions occur and can be used in the context of other suspicious activity to raise the risk of a hostile entity. Several Secrets Manager API actions are included and assessed as sensitive. | cloud.aws.cloudtrail |
| AWS CloudTrail - sensitive activity in KMS | AWS KMS is an encryption and key management web service. Besides encrypting and decrypting data, users and administrators can use this service to create and manage keys. This signal indicates activity that explicitly enables or disables keys. This activity has been surveyed to be a low-volume event and could be considered suspicious given other activity involving the entity. Additionally, monitoring for these events is required to achieve certain industry audit compliance. | cloud.aws.cloudtrail |
| AWS Detect Role Creation | This search provides detection of role creation by IAM users. Role creation is an event in itself if a user is creating a new role with trust policies different from those available in AWS, and it can be used for lateral movement and escalation of privileges. | cloud.aws.cloudtrail |
| AWS Detect Sts Assume Role Abuse | This search provides detection of suspicious use of sts:AssumeRole. These tokens can be created on the go and used by attackers to move laterally and escalate privileges. | cloud.aws.cloudtrail |
| AWS Detect Permanent Key Creation | This search provides detection of accounts creating permanent keys. Permanent keys are not created by default and are only needed for programmatic calls. Creation of a permanent key is an important event to monitor. | cloud.aws.cloudwatch |
| AWS Detect Users With Kms Keys Performing Encryption S3 | This search provides detection of users with KMS keys performing encryption specifically against S3 buckets. | cloud.aws.cloudtrail |
| AWS Network Access Control List Created With All Open Ports | This search looks for CloudTrail events to detect whether any network ACLs were created with all ports open to a specified CIDR. | cloud.aws.cloudtrail |
| AWS Network Access Control List Deleted | Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After an attacker has gained control of the console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. | cloud.aws.cloudtrail |
| AWS Saml Access By Provider User And Principal | This search provides specific SAML access from a specific service provider, user and targeted principal at AWS. It provides specific information to detect abnormal access or potential credential hijack or forgery, especially in federated environments using the SAML protocol inside the perimeter or cloud provider. | cloud.aws.cloudtrail |
| Detect New Open S3 Buckets | This search looks for CloudTrail events where a user has created an open/public S3 bucket. | cloud.aws.cloudtrail |
| New Container Uploaded To AWS Ecr | This search shows information on uploaded containers including source user, image ID, source IP, user type, HTTP user agent, region, and first and last time of the operation (PutImage). | cloud.aws.cloudtrail |
| Detect AWS API Activities From Unapproved Accounts | This search looks for successful CloudTrail activity by user accounts that are not listed in the identity list. It returns event names and counts, as well as the first and last time a specific user or service is detected, grouped by user. | cloud.aws.cloudtrail |
| AWS Detect Sts Get Session Token Abuse | This search provides detection of suspicious use of sts:GetSessionToken. These tokens can be created on the go and used by attackers to move laterally and escalate privileges. | cloud.aws.cloudwatch |
| Blocked Outbound Traffic From Your AWS | This search detects a spike in blocked outbound network connections originating from within your AWS environment. It also updates the cache file that factors in the latest data. | cloud.aws.cloudwatch |
| AWS SAML Update Identity Provider | This search provides detection of updates to a SAML provider in AWS. Updates to a SAML provider need to be monitored closely as they may indicate possible perimeter compromise of federated credentials, or backdoor access from another cloud provider set up by an attacker. | cloud.aws.cloudtrail |
| AWS Ecr Container Scanning Findings High | This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). You need to activate image scanning in order to get the DescribeImageScanFindings event with the results. | cloud.aws.cloudtrail |
| AWS Ecr Container Scanning Findings Low Informational Unknown | This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). You need to activate image scanning in order to get the DescribeImageScanFindings event with the results. | cloud.aws.cloudtrail |
| AWS Ecr Container Scanning Findings Medium | This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). You need to activate image scanning in order to get the DescribeImageScanFindings event with the results. | cloud.aws.cloudtrail |
| AWS Ecr Container Upload Outside Business Hours | This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). An upload of a new container is normally done during business hours. When done outside business hours, we want to take a look into it. | cloud.aws.cloudtrail |
| AWS Ecr Container Upload Unknown User | This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). An upload of a new container is normally done by only a few known users. When the user has never been seen before, we should have a closer look into the event. | cloud.aws.cloudtrail |
| AWS Iam Assume Role Policy Brute Force | The following detection identifies any malformed policy document exceptions with a status of failure. A malformed policy document exception occurs in instances where roles are attempted to be assumed, or brute forced. In a brute force attempt, using a tool like CloudSploit or Pacu, an attempt will look like arn:aws:iam::111111111111:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS. This means that when an adversary is attempting to identify a role name, multiple failures will occur. This detection focuses on the errors of a remote attempt that is failing. | cloud.aws.cloudtrail |
| AWS Iam Delete Policy | The following detection identifies when a policy is deleted on AWS. It does not distinguish successful from failed attempts, but the error messages tell a story of suspicious attempts. There is a specific process to follow when deleting a policy: first, detach the policy from all users, groups, and roles that it is attached to, using DetachUserPolicy, DetachGroupPolicy, or DetachRolePolicy. | cloud.aws.cloudtrail |
| AWS Iam Successful Group Deletion | The following query uses IAM events to track the successful deletion of a group on AWS. This is typically not indicative of malicious behavior, but a precursor to additional events that may unfold. Review parallel IAM events: recently added users, new groups and so forth. Conversely, review failed attempts in a similar manner. | cloud.aws.cloudtrail |
| AWS Set default policy version | This search looks for AWS CloudTrail events where a user has set a default policy version. Attackers have been known to use this technique for privilege escalation in case previous versions of the policy had permissions to access more resources than the current version of the policy. | cloud.aws.cloudtrail |
| AWS Update login profile | This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation in case the new victim (user B) has more permissions than the old victim (user A). | cloud.aws.cloudtrail |
| Amazon VPC - Network Scan | Attackers will often perform reconnaissance against customer environments to better understand resources on the network. In doing so they are usually blocked by firewall rules while performing their discovery. This rule looks for network traffic from a single source IP address rejected by AWS security groups to at least 10 different destination IP addresses within a 5-minute window. Threshold: a single source IP is denied to 10 IP addresses in 5 minutes. | vpc.aws.flow |
| Amazon VPC - Port Scan | Attackers will often perform reconnaissance against customer environments to better understand resources on the network. In doing so they are usually blocked by firewall rules while performing their discovery. This rule looks for network traffic from a single source IP address rejected by AWS security groups to multiple distinct destination port numbers within a short time window. Threshold: a single source IP is denied to 5 destination ports in 5 minutes. | vpc.aws.flow |
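The two Amazon VPC rules at the end of the table are described precisely enough to reproduce their logic. The following is an added example (not Devo's or SciSec's own alert code) that applies both thresholds, 10 distinct rejected destination IPs or 5 distinct rejected destination ports from one source inside a 5-minute sliding window, to constructed VPC flow records; the record layout, the sample addresses and the slow-sweep case that stays under the window are assumptions made for the illustration.

```python
from bisect import bisect_left
from collections import defaultdict

# Constructed sample VPC flow records (not from the page):
# (timestamp in seconds, source IP, destination IP, destination port, action)
SAMPLE_FLOWS = (
    # Fast sweep: one source rejected to 10 distinct hosts within 60 seconds
    [(t * 6, "192.0.2.10", f"10.0.1.{t + 1}", 22, "REJECT") for t in range(10)]
    # Port scan: one source rejected on 5 distinct ports of one host within 2 minutes
    + [(100 + i * 30, "198.51.100.7", "10.0.1.50", p, "REJECT")
       for i, p in enumerate((21, 22, 23, 25, 80))]
    # Slow sweep: 10 hosts, but one every 400 seconds, so never 10 inside 5 minutes
    + [(t * 400, "203.0.113.9", f"10.0.2.{t + 1}", 443, "REJECT") for t in range(10)]
    # Benign host: accepted traffic plus two rejects far apart
    + [(0, "10.0.0.5", "10.0.1.1", 443, "ACCEPT"),
       (50, "10.0.0.5", "10.0.1.2", 8080, "REJECT"),
       (900, "10.0.0.5", "10.0.1.3", 8080, "REJECT")]
)


def detect_scans(flows, window_s=300, ip_threshold=10, port_threshold=5):
    """Return (network_scanners, port_scanners) as sets of source IPs.

    Only REJECTed flows count, mirroring the rules' focus on traffic blocked by
    security groups. A source is a network scanner when some window_s-second
    sliding window holds rejects to ip_threshold or more distinct destination IPs,
    and a port scanner when a window holds port_threshold or more distinct ports.
    """
    by_src = defaultdict(list)
    for ts, src, dst, port, action in flows:
        if action == "REJECT":
            by_src[src].append((ts, dst, port))

    network_scanners, port_scanners = set(), set()
    for src, events in by_src.items():
        events.sort()
        times = [ts for ts, _, _ in events]
        for i, (start, _, _) in enumerate(events):
            # Window covers events with start <= ts < start + window_s
            window = events[i:bisect_left(times, start + window_s)]
            if len({dst for _, dst, _ in window}) >= ip_threshold:
                network_scanners.add(src)
            if len({port for _, _, port in window}) >= port_threshold:
                port_scanners.add(src)
    return network_scanners, port_scanners


if __name__ == "__main__":
    net, ports = detect_scans(SAMPLE_FLOWS)
    print("network scan sources:", sorted(net), "port scan sources:", sorted(ports))
```

Widening the window (for example to an hour) is what makes the slow sweep visible, which is the trade-off the 5-minute thresholds in the table encode.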
