AWS

This alert detects users that received the errorCode value AccessDenied when trying to perform different actions within a short period of time. This could indicate that a user is trying to enumerate their permissions in their AWS account.

This alert filters by events where the errorCode AccessDenied is present and groups every 5 minutes by user arn and aws account.

Source table → cloud.aws.cloudtrail 

A successful AWS console login without MFA was detected. AWS security best practices recommend enabling this security measure for console access login.

This alert filters CloudTrail events from signin.amazonaws.com with ConsoleLogin as eventName, a success response, and the MFA value not enabled.

Source table → cloud.aws.cloudtrail 

This alert detects when a UserPoolClient entity is created. These types of entities could be used by an attacker to perform unauthenticated API operations.

This alert filters CloudTrail events from cognito-idp.amazonaws.com with CreateUserPoolClient as eventName.

Source table → cloud.aws.cloudtrail 

Detects when a Customer Master Key (CMK) is disabled or scheduled for deletion.

Source table → cloud.aws.cloudtrail

Creating DB snapshots is an efficient way for an attacker to begin downloading a target database. These signals should be considered around the context of other signals that may indicate data theft is in progress.

Source table → cloud.aws.cloudtrail