Platform alert pack: AWS
- Borja Moro Moreno
Purpose
AWS is one of the biggest cloud providers in the world and will enable your organization to build, run and manage applications across multiple environments. This alert pack is a bundle of Devo’s Security Operations out-of-the-box detections that can help you obtain a quick coverage of alerts.
Included alerts
Security Operations application SecOps users can obtain detailed information if they install these alerts using the Content Manager instead. | ||
SecOpsAWSOpsWorksDescribePermissionsEvent | SecOpsAwsRoleCreated | SecOpsAwsSqsListQueues |
SecOpsAwsUpdateSAMLProvider | SecOpsAWSIAMUserGeneratingAccessDeniedErrorsAcrossMultipleActions | SecOpsAWSPermissionsBoundaryModifiedToRole |
SecOpsAWSSamlAccess | SecOpsAWSRootLogin | SecOpsLog4ShellVulnerabilityCloudAWS |
SecOpsAWSPermissionsBoundaryLiftedtoUser | SecOpsAWSSecretsManagerSensitiveAdminActionObserved | SecOpsAwsKmsSensitiveActivity |
SecOpsAWSMultipleFailedConsoleLoginsFromASourceIP | SecOpsAwsCloudTrailReconEvent | SecOpsAwsECRContainerScanningFindingsCritical |
SecOpsAWSIAMPolicyAppliedToGroup | SecOpsAWSPublicS3BucketExposed | SecOpsAWSOpenNetworkACLs |
SecOpsAWSLoggingConfigurationChangeObservedDeleteTrail | SecOpsAWSIAMPolicyAppliedToRole | SecOpsAWSLoggingConfigurationChangeObservedRemoveTags |
SecOpsAwsECRContainerUploadOutsideBusinessHours | SecOpsAWSUserSuccessfulLoginWithoutMFA | SecOpsAwsS3EncryptWithKMSKey |
SecOpsAWSDetectUsersCreatingKeysWithEncryptPolicyWithoutMFA | SecOpsAwsDbSnapshotCreated | SecOpsAWSExcessiveSecurityScanning |
SecOpsAwsEc2KeyAction | SecOpsAWSLoggingConfigurationChangeObservedStopLogging | SecOpsAwsMasterKeyDisabledOrDeletion |
SecOpsAWSIAMPolicyAppliedToUser | SecOpsAWSIAMDeletePolicy | SecOpsAWSCreatePolicyVersionToAllowAllResources |
SecOpsAWSCreateaccesskey | SecOpsAWSIAMCreateUserActionObserved | SecOpsAWSNewUserPoolClientCreated |
SecOpsAWSMultipleFailedConsoleLogins | SecOpsAWSNetworkAccessControlListDeleted | SecOpsAwsEcrImageUpload |
SecOpsAWSPermissionsBoundaryModifiedToUser | SecOpsAWSPermissionsBoundaryLiftedtoRole | SecOpsAWSIamSuccessfulGroupDeletion |
SecOpsAWSUpdateloginprofile | SecOpsAWSSetdefaultpolicyversion | SecOpsAwsPermanentKeyCreation |
SecOpsAWSDetectStsAssumeRoleAbuse | SecOpsAwsStsPossibleSessionTokenAbuse | SecOpsAwsGetSecretFromNonAmazonIp |
SecOpsAWSIAMAssumeRolePolicyBruteForce | SecOpsAwsKmsKeyDeletion | SecOpsAWSECRContainerScanningFindingsLowInformationalUnknown |
Prerequisites
To use this alert pack, you must have the following data sources available in your domain:
cloud.aws.cloudtraillearn morecloud.aws.cloudtrail.eventslearn more
Open alert pack
Once you have installed the desired alerts individually, you can use the Open button at the top right of the card in Exchange to access the Alert configuration, where you can apply filters to find them and later manage them as required. You can also access this area via the Navigation pane (Administration → Alert Configuration → Available alerts).
Use alert pack
The alerts installed are deactivated by default. Access the Alert configuration area to activate those you need and assign sending policies to receive them through the desired channels.