
Splunk ESCU

2,101 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK

Detections

Splunk ESCU SPL T1195.002 ↗
3CX Supply Chain Attack Network Indicators
The following analytic identifies DNS queries to domains associated with the 3CX supply chain attack. It leverages the Network_Resolution datamodel to detect these suspicious domain indicators. This activity is significant because it can indicate a potential compromise stemming from the 3CX supply chain attack, which is known for distributing malicious software through trusted updates. If confirmed malicious, this activity could allow attackers to establish a foothold in the network, exfiltrate sensitive data, or further propagate malware, leading to extensive damage and data breaches.
| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime
from datamodel=Network_Resolution where
DNS.query=*
NOT DNS.query IN ("-", "unknown")
by DNS.answer DNS.answer_count DNS.query
   DNS.query_count DNS.reply_code_id DNS.src
   DNS.vendor_product
| `drop_dm_object_name(DNS)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| lookup 3cx_ioc_domains domain as query OUTPUT Description isIOC
| search isIOC=true
| `3cx_supply_chain_attack_network_indicators_filter`
Splunk ESCU SPL T1560.001 ↗
7zip CommandLine To SMB Share Path
The following analytic detects the execution of 7z, 7za or 7zr processes (matched on process name or original file name) with command lines that reference the administrative SMB shares C$, Admin$ or IPC$. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it may indicate an attempt to archive and exfiltrate sensitive files to a network share, a technique observed in the CONTI LEAK tools. If confirmed malicious, this behavior could lead to data exfiltration, compromising sensitive information and potentially aiding further attacks. Archiving to a custom share name (for example `\\host\backup\`) does not match the three patterns below and would need an additional clause.
| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime
from datamodel=Endpoint.Processes where
(Processes.process_name="7z.exe" OR Processes.process_name="7za.exe" OR Processes.process_name="7zr.exe"
 OR Processes.original_file_name="7z.exe" OR Processes.original_file_name="7za.exe" OR Processes.original_file_name="7zr.exe")
AND (Processes.process="*\\C$\\*" OR Processes.process="*\\Admin$\\*" OR Processes.process="*\\IPC$\\*")
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
   Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
   Processes.parent_process_name Processes.parent_process_path Processes.process
   Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id
   Processes.process_integrity_level Processes.process_name Processes.process_path
   Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `7zip_commandline_to_smb_share_path_filter`
Splunk ESCU SPL T1185 ↗
ASL AWS Concurrent Sessions From Different Ips
The following analytic identifies an AWS IAM identity whose `DescribeEventAggregates` calls arrive from more than one source IP address within the same 5-minute window. It leverages AWS CloudTrail logs delivered through Amazon Security Lake, binning `DescribeEventAggregates` events by `actor.user.uid` and counting distinct `src_endpoint.ip` values per bin; calls whose source is `AWS Internal` are excluded. This behavior is significant as it may indicate session hijacking, where an adversary replays stolen session cookies from a different location. If confirmed malicious, this activity could allow unauthorized access to sensitive corporate resources, leading to potential data breaches or further exploitation. Because the bins are fixed, two IPs a minute apart on either side of a bin boundary are not paired; a user behind a changing NAT or a VPN reconnect will also trip the rule.
`amazon_security_lake` api.operation=DescribeEventAggregates src_endpoint.domain!="AWS Internal"
  | bin span=5m _time
  | stats min(_time) as firstTime max(_time) as lastTime values(api.operation) as api.operation values(api.service.name) as api.service.name values(http_request.user_agent) as http_request.user_agent values(src_endpoint.ip) as src_ip values(actor.user.account.uid) as actor.user.account.uid values(cloud.provider) as cloud.provider values(cloud.region) as cloud.region dc(src_endpoint.ip) as distinct_ip_count
    BY _time actor.user.uid
  | where distinct_ip_count > 1
  | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `asl_aws_concurrent_sessions_from_different_ips_filter`
Splunk ESCU SPL T1136.003 ↗
ASL AWS Create Access Key
The following analytic identifies the creation of AWS IAM access keys through the `CreateAccessKey` API. It leverages AWS CloudTrail logs delivered through Amazon Security Lake. The search below raises every `CreateAccessKey` call; it does not itself compare the calling identity with the `userName` in the request, so the analyst (or the tuning filter macro) must check `api.request.data` to separate a user rotating their own key from a user minting a key for a different principal, which is the privilege-escalation case of interest. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
`amazon_security_lake` api.operation=CreateAccessKey
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY actor.user.uid api.operation api.service.name
       http_request.user_agent src_endpoint.ip actor.user.account.uid
       cloud.provider cloud.region
  | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `asl_aws_create_access_key_filter`
Splunk ESCU SPL T1078.004 ↗
ASL AWS Create Policy Version to allow all resources
The following analytic identifies the creation of a new AWS IAM policy or policy version whose document grants every action on every resource. It detects this by parsing the `policyDocument` carried in `api.request.data` for `CreatePolicy` and `CreatePolicyVersion` events and matching a statement whose `Action` and `Resource` are both `*`. This behavior is significant because it violates the principle of least privilege, potentially exposing the environment to misuse or abuse. If confirmed malicious, an attacker could gain extensive access to AWS resources, leading to unauthorized actions, data exfiltration, or further compromise of the AWS environment. Two caveats when triaging: the two `regex` checks run independently over all statements, so `Action: *` in one statement and `Resource: *` in another also matches, and the `\*` pattern is unanchored, so a service wildcard such as `s3:*` satisfies the Action check as well. Review the full document before escalating.
`amazon_security_lake` api.operation IN ("CreatePolicy","CreatePolicyVersion")
  | spath input=api.request.data
  | spath input=policyDocument
  | regex Statement{}.Action="\*"
  | regex Statement{}.Resource="\*"
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY actor.user.uid api.operation api.service.name
       http_request.user_agent src_endpoint.ip actor.user.account.uid
       cloud.provider cloud.region api.request.data
  | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `asl_aws_create_policy_version_to_allow_all_resources_filter`
Splunk ESCU SPL T1110.001, T1586.003 ↗
ASL AWS Credential Access GetPasswordData
The following analytic identifies `GetPasswordData` API calls in your AWS account. It leverages CloudTrail logs from Amazon Security Lake, extracting the `instanceId` from `api.request.data` and aggregating calls per caller and instance. This behavior is significant as it may indicate an attempt to retrieve the encrypted administrator password of a running Windows instance, which a caller holding the private half of the instance's key pair can decrypt. If confirmed malicious, attackers could gain unauthorized access to administrative credentials, potentially leading to full control over the affected instances and further compromise of the AWS environment.
`amazon_security_lake` api.operation=GetPasswordData
  | spath input=api.request.data
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY actor.user.uid api.operation api.service.name
       http_request.user_agent src_endpoint.ip actor.user.account.uid
       cloud.provider cloud.region instanceId
  | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `asl_aws_credential_access_getpassworddata_filter`
Splunk ESCU SPL T1110, T1586.003 ↗
ASL AWS Credential Access RDS Password reset
The following analytic detects the resetting of the master user password for an Amazon RDS DB instance or cluster. It leverages AWS CloudTrail logs from Amazon Security Lake to identify `ModifyDBInstance` or `ModifyDBCluster` API calls whose request parameters include a `masterUserPassword`; CloudTrail masks the value itself, so the search matches on the presence of the parameter. This activity is significant because unauthorized password resets can grant attackers access to sensitive data stored in production databases, such as credit card information, PII, and healthcare data. If confirmed malicious, this could lead to data breaches, regulatory non-compliance, and significant reputational damage. Immediate investigation is required to determine the legitimacy of the password reset.
`amazon_security_lake` api.operation=ModifyDBInstance OR api.operation=ModifyDBCluster
  | spath input=api.request.data
  | search masterUserPassword=*
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY actor.user.uid api.operation api.service.name
       http_request.user_agent src_endpoint.ip actor.user.account.uid
       cloud.provider cloud.region api.request.data
  | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `asl_aws_credential_access_rds_password_reset_filter`
Splunk ESCU SPL T1685.002 ↗
ASL AWS Defense Evasion Delete CloudWatch Log Group
The following analytic detects the deletion of CloudWatch log groups in AWS, identified through `DeleteLogGroup` events in CloudTrail logs. This method leverages Amazon Security Lake logs parsed in the OCSF format. The activity is significant because attackers may delete log groups to evade detection and disrupt logging capabilities, hindering incident response efforts. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to undetected data breaches or further malicious actions within the compromised AWS environment.
`amazon_security_lake` api.operation=DeleteLogGroup
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY actor.user.uid api.operation api.service.name
       http_request.user_agent src_endpoint.ip actor.user.account.uid
       cloud.provider cloud.region
  | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`
Splunk ESCU SPL T1685.002 ↗
ASL AWS Defense Evasion Delete Cloudtrail
The following analytic detects AWS `DeleteTrail` events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
`amazon_security_lake` api.operation=DeleteTrail
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY actor.user.uid api.operation api.service.name
       http_request.user_agent src_endpoint.ip actor.user.account.uid
       cloud.provider cloud.region
  | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `asl_aws_defense_evasion_delete_cloudtrail_filter`
Splunk ESCU SPL T1685.002 ↗
ASL AWS Defense Evasion Impair Security Services
The following analytic detects the deletion of critical AWS Security Services configurations, such as CloudWatch alarms, GuardDuty detectors, and Web Application Firewall rules. It leverages Amazon Security Lake logs to identify specific API calls like "DeleteLogStream" and "DeleteDetector." This activity is significant because adversaries often use these actions to disable security monitoring and evade detection. If confirmed malicious, this could allow attackers to operate undetected, leading to potential data breaches, unauthorized access, and prolonged persistence within the AWS environment.
`amazon_security_lake` api.operation IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms")
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY actor.user.uid api.operation api.service.name
       http_request.user_agent src_endpoint.ip actor.user.account.uid
       cloud.provider cloud.region
  | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `asl_aws_defense_evasion_impair_security_services_filter`
Splunk ESCU SPL T1485.001, T1685.002 ↗
ASL AWS Defense Evasion PutBucketLifecycle
The following analytic detects `PutBucketLifecycle` events in AWS CloudTrail logs where a user sets an S3 lifecycle rule whose `NoncurrentVersionExpiration.NoncurrentDays` value is fewer than three days. The detection extracts that path from `api.request.data` and keeps only configurations below the threshold. This activity is significant because attackers may use it to have CloudTrail logs deleted quickly, thereby evading detection and impairing forensic investigations. If confirmed malicious, this could allow attackers to cover their tracks, making it difficult to trace their actions and respond to the breach effectively. Note that the search reads only the noncurrent-version path: a rule that expires current object versions through `Expiration.Days` is not inspected, and the `spath` path assumes a single `Rule` object rather than a list of rules.
`amazon_security_lake` api.operation=PutBucketLifecycle
  | spath input=api.request.data path=LifecycleConfiguration.Rule.NoncurrentVersionExpiration.NoncurrentDays output=NoncurrentDays
  | where NoncurrentDays < 3
  | spath input=api.request.data
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY actor.user.uid api.operation api.service.name
       http_request.user_agent src_endpoint.ip actor.user.account.uid
       cloud.provider cloud.region NoncurrentDays
       bucketName
  | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `asl_aws_defense_evasion_putbucketlifecycle_filter`
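As an added illustration, not part of the ESCU content above, here is the same check carried out in Python over constructed `PutBucketLifecycle` request bodies. It reads the `NoncurrentVersionExpiration.NoncurrentDays` path the SPL extracts and goes one step further by also inspecting `Expiration.Days` and by accepting a `Rule` given as a list rather than a single object. The sample bodies, the `bucketName` values and the three-day threshold are assumptions made for the example.

```python
import json

# Constructed PutBucketLifecycle request bodies (not real CloudTrail records),
# shaped after the LifecycleConfiguration.Rule path the page's SPL reads.
# The configuration may carry one Rule object or a list of them.
SHORT_NONCURRENT = {
    "bucketName": "cloudtrail-archive",
    "LifecycleConfiguration": {
        "Rule": {"ID": "purge", "Status": "Enabled", "Filter": {"Prefix": ""},
                 "NoncurrentVersionExpiration": {"NoncurrentDays": 1}},
    },
}

MIXED_RULES = {
    "bucketName": "logs",
    "LifecycleConfiguration": {
        "Rule": [
            {"ID": "keep-90", "Status": "Enabled", "Filter": {"Prefix": "long/"},
             "Expiration": {"Days": 90}},
            {"ID": "fast-delete", "Status": "Enabled", "Filter": {"Prefix": "AWSLogs/"},
             "Expiration": {"Days": 2}},
            {"ID": "disabled", "Status": "Disabled", "Filter": {"Prefix": ""},
             "Expiration": {"Days": 1}},
        ],
    },
}


def _as_list(value):
    """S3 serialises a single Rule as an object and several as a list."""
    return value if isinstance(value, list) else [value]


def short_lived_lifecycle_rules(request, max_days=3):
    """Return (rule_id, kind, days) for every enabled rule that expires objects
    in fewer than max_days days. The SPL on this page only reads
    NoncurrentVersionExpiration.NoncurrentDays; this also inspects
    Expiration.Days, since a current-version expiry deletes logs just as well."""
    config = request.get("LifecycleConfiguration") or {}
    hits = []
    for rule in _as_list(config.get("Rule") or []):
        if rule.get("Status") != "Enabled":
            continue  # a disabled rule deletes nothing
        rule_id = rule.get("ID", "<unnamed>")
        current = (rule.get("Expiration") or {}).get("Days")
        noncurrent = (rule.get("NoncurrentVersionExpiration") or {}).get("NoncurrentDays")
        if current is not None and int(current) < max_days:
            hits.append((rule_id, "Expiration.Days", int(current)))
        if noncurrent is not None and int(noncurrent) < max_days:
            hits.append((rule_id, "NoncurrentVersionExpiration.NoncurrentDays", int(noncurrent)))
    return hits


def evaluate_event(operation, request_data):
    """Mimic the detection over one ASL record: api.operation plus the JSON
    held in api.request.data (accepted as a string or an already-parsed dict)."""
    if operation != "PutBucketLifecycle":
        return []
    request = json.loads(request_data) if isinstance(request_data, str) else request_data
    return [(request.get("bucketName"), *hit) for hit in short_lived_lifecycle_rules(request)]


if __name__ == "__main__":
    for body in (SHORT_NONCURRENT, MIXED_RULES):
        print(evaluate_event("PutBucketLifecycle", json.dumps(body)))
```

Feeding `MIXED_RULES` through `evaluate_event` returns only the `fast-delete` rule: the 90-day rule is above the threshold and the one-day rule is disabled. The rule `Status` check matters in practice, because a disabled rule with a short expiry is a configuration smell but not an imminent deletion.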
Splunk ESCU SPL T1685.002 ↗
ASL AWS Defense Evasion Stop Logging Cloudtrail
The following analytic detects `StopLogging` events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker's actions.
`amazon_security_lake` api.operation=StopLogging
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY actor.user.uid api.operation api.service.name
       http_request.user_agent src_endpoint.ip actor.user.account.uid
       cloud.provider cloud.region
  | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`
Splunk ESCU SPL T1685.002 ↗
ASL AWS Defense Evasion Update Cloudtrail
The following analytic detects `UpdateTrail` events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary's intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
`amazon_security_lake` api.operation=UpdateTrail
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY actor.user.uid api.operation api.service.name
       http_request.user_agent src_endpoint.ip actor.user.account.uid
       cloud.provider cloud.region
  | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `asl_aws_defense_evasion_update_cloudtrail_filter`
Splunk ESCU SPL T1486 ↗
ASL AWS Detect Users creating keys with encrypt policy without MFA
The following analytic detects AWS KMS key policies that grant KMS actions to a wildcard principal, that is to any AWS identity including external accounts. It leverages AWS CloudTrail logs from Amazon Security Lake to identify `CreateKey` or `PutKeyPolicy` events whose policy document pairs a `kms:`-prefixed action with a `Principal` containing `*`. This activity is significant as it may indicate a compromised account, allowing an attacker to use the key against other organizations' data. If confirmed malicious, this could lead to unauthorized data encryption, potentially disrupting operations and compromising sensitive information across multiple entities. Despite its name, the search does not evaluate MFA. It pairs `Statement{}.Action` with `Statement{}.Principal` by position using `mvzip`, which can misalign when a statement lists several actions, and it only sees a `Principal` given as a bare string: the `{"AWS": "*"}` form is extracted as `Statement{}.Principal.AWS` and is not matched.
`amazon_security_lake` api.operation=PutKeyPolicy OR api.operation=CreateKey
  | spath input=api.request.data path=policy output=policy
  | spath input=policy
  | rename Statement{}.Action as Action, Statement{}.Principal as Principal
  | eval Statement=mvzip(Action,Principal,"|")
  | mvexpand Statement
  | eval action=mvindex(split(Statement, "|"), 0)
  | eval principal=mvindex(split(Statement, "|"), 1)
  | search action=kms*
  | regex principal="\*"
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY actor.user.uid api.operation api.service.name
       http_request.user_agent src_endpoint.ip actor.user.account.uid
       cloud.provider cloud.region api.request.data
  | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`
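The two policy-inspecting detections on this page, "ASL AWS Create Policy Version to allow all resources" and the KMS key policy check just above, both reduce to walking the statements of an IAM policy document. The following Python is an added example, not ESCU code, that does that walk statement by statement so that each statement's actions stay paired with its own principal and resources. It also recognises the `{"AWS": "*"}` principal form and list-valued members, which the SPL's positional `mvzip` and bare-string `Principal` rename do not. The two request bodies, the ARNs and key ID in them, and the function names are constructed for the example.

```python
import json

# Constructed request bodies (not real CloudTrail records): the policyDocument
# of a CreatePolicyVersion call and the policy of a PutKeyPolicy call, as they
# would sit inside api.request.data. Account ID and key ID are placeholders.
CREATE_POLICY_VERSION_REQUEST = {
    "policyArn": "arn:aws:iam::123456789012:policy/example",
    "setAsDefault": True,
    "policyDocument": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket/*"},
            {"Effect": "Allow", "Action": "*", "Resource": "*"},
        ],
    }),
}

PUT_KEY_POLICY_REQUEST = {
    "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "policyName": "default",
    "policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "root", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "open", "Effect": "Allow",
             "Principal": "*",
             "Action": ["kms:Encrypt", "kms:GenerateDataKey"], "Resource": "*"},
        ],
    }),
}


def _as_list(value):
    """IAM accepts a string or a list for Action, Resource and Principal members."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def iter_statements(policy_json):
    """Yield (effect, actions, resources, principals) per statement. Each
    statement is normalised on its own, so a multi-action statement is never
    paired with another statement's principal. Principal may be the bare
    string "*" or a map such as {"AWS": "*"}; both are flattened to ["*"]."""
    doc = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    for stmt in _as_list(doc.get("Statement")):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principals = [p for v in principal.values() for p in _as_list(v)]
        else:
            principals = _as_list(principal)
        yield (stmt.get("Effect", "Deny"), _as_list(stmt.get("Action")),
               _as_list(stmt.get("Resource")), principals)


def allows_all_actions_on_all_resources(policy_json):
    """CreatePolicy/CreatePolicyVersion check: one Allow statement carrying both
    Action "*" and Resource "*" (exact match, so s3:* does not count)."""
    return any(effect == "Allow" and "*" in actions and "*" in resources
               for effect, actions, resources, _ in iter_statements(policy_json))


def kms_actions_open_to_any_principal(policy_json):
    """PutKeyPolicy/CreateKey check: kms: actions an Allow statement grants to a
    wildcard principal, returned in document order."""
    hits = []
    for effect, actions, _, principals in iter_statements(policy_json):
        if effect == "Allow" and "*" in principals:
            hits.extend(a for a in actions if a.lower().startswith("kms:"))
    return hits


def check_request(operation, request):
    """Route one ASL record's api.operation and parsed api.request.data to the
    matching check; CreateKey may omit the policy entirely."""
    if operation in ("CreatePolicy", "CreatePolicyVersion"):
        return allows_all_actions_on_all_resources(request["policyDocument"])
    if operation in ("PutKeyPolicy", "CreateKey"):
        policy = request.get("policy")
        return bool(policy and kms_actions_open_to_any_principal(policy))
    return False


if __name__ == "__main__":
    print("wildcard policy version:", check_request("CreatePolicyVersion", CREATE_POLICY_VERSION_REQUEST))
    print("open kms actions:", kms_actions_open_to_any_principal(PUT_KEY_POLICY_REQUEST["policy"]))
```

The exact-match test in `allows_all_actions_on_all_resources` is deliberately stricter than the page's unanchored `\*` regex; if you want the broader behaviour, match `a.endswith("*")` instead and accept the extra noise from service-scoped wildcards.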
Splunk ESCU SPL T1490 ↗
ASL AWS Disable Bucket Versioning
The following analytic detects when AWS S3 bucket versioning is suspended by a user. It leverages AWS CloudTrail logs to identify `PutBucketVersioning` events with the `VersioningConfiguration.Status` set to `Suspended`. This activity is significant because disabling versioning can prevent recovery of deleted or modified data, which is a common tactic in ransomware attacks. If confirmed malicious, this action could lead to data loss and hinder recovery efforts, severely impacting data integrity and availability.
`amazon_security_lake` api.operation=PutBucketVersioning
  | spath input=api.request.data path=VersioningConfiguration.Status output=Status
  | spath input=api.request.data path=bucketName output=bucketName
  | search Status=Suspended
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY actor.user.uid api.operation api.service.name
       http_request.user_agent src_endpoint.ip actor.user.account.uid
       cloud.provider cloud.region api.request.data
       bucketName
  | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `asl_aws_disable_bucket_versioning_filter`
Splunk ESCU SPL T1537 ↗
ASL AWS EC2 Snapshot Shared Externally
The following analytic detects when an EC2 snapshot is made public by analyzing AWS CloudTrail events. It matches `ModifySnapshotAttribute` calls whose `createVolumePermission.add` entries grant the `all` group, which exposes the snapshot to every AWS account. This activity is significant as it may indicate an attempt to exfiltrate sensitive data stored in the snapshot. If confirmed malicious, an attacker could gain unauthorized access to the snapshot's data, potentially leading to data breaches or further exploitation of the compromised information. Sharing with a specific foreign account (a `userId` entry rather than a group) is not matched by this search and needs a separate check against your own account list.
`amazon_security_lake` api.operation=ModifySnapshotAttribute
  | spath input=api.request.data path=createVolumePermission.add.items{}.group output=group
  | search group=all
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY actor.user.uid api.operation api.service.name
       http_request.user_agent src_endpoint.ip actor.user.account.uid
       cloud.provider cloud.region api.request.data
  | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `asl_aws_ec2_snapshot_shared_externally_filter`
Splunk ESCU SPL T1204.003 ↗
ASL AWS ECR Container Upload Outside Business Hours
The following analytic detects image pushes to AWS Elastic Container Registry (ECR) outside of standard business hours through AWS CloudTrail events. It identifies this behavior by matching `PutImage` events whose local hour is before 8 AM or at or after 8 PM, as well as any pushes on a Saturday or Sunday. This activity is significant for a SOC to investigate as it may indicate unauthorized access or malicious deployments, potentially leading to compromised services or data breaches. Identifying and addressing such uploads promptly can mitigate the risk of security incidents and their associated impacts. Note that `strftime` renders the hour in the time-zone preference of the user running the search, not in the time zone of the team that owns the registry, so check the window against that setting and adjust it to the organization's working hours.
`amazon_security_lake` api.operation=PutImage
  | eval hour=tonumber(strftime(time/pow(10,3), "%H")), weekday=strftime(time/pow(10,3), "%A")
  | where hour >= 20 OR hour < 8 OR weekday="Saturday" OR weekday="Sunday"
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY actor.user.uid api.operation api.service.name
       http_request.user_agent src_endpoint.ip actor.user.account.uid
       cloud.provider cloud.region api.request.data
  | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `asl_aws_ecr_container_upload_outside_business_hours_filter`
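Because the verdict of this rule depends on which time zone the hour is rendered in, here is an added Python example (not ESCU code) that applies the same 8 AM to 8 PM, Monday to Friday window to one constructed `PutImage` record under three zones. Fixed UTC offsets stand in for IANA zone names so the example needs no tz database; the record, the user name and the function names are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone


def outside_business_hours(time_ms, tz=timezone.utc, start_hour=8, end_hour=20):
    """True when an epoch-millisecond OCSF `time` falls before start_hour, at or
    after end_hour, or on a Saturday/Sunday, evaluated in the given tzinfo.
    The page's SPL makes the same comparison with strftime, which renders the
    hour in the time-zone preference of whoever runs the search."""
    local = datetime.fromtimestamp(time_ms / 1000, tz=timezone.utc).astimezone(tz)
    return local.hour >= end_hour or local.hour < start_hour or local.weekday() >= 5


def flag_put_image(event, tz=timezone.utc):
    """Apply the rule to one ASL-style record: only PutImage is in scope."""
    return event["api.operation"] == "PutImage" and outside_business_hours(event["time"], tz)


# Constructed sample record (not real Security Lake output): a PutImage on
# Friday 2024-05-03 at 23:30 UTC, which is 16:30 Friday at UTC-7 (US Pacific
# daylight time) and 08:30 Saturday at UTC+9 (Japan).
SAMPLE = {
    "api.operation": "PutImage",
    "actor.user.uid": "ci-deploy",
    "time": int(datetime(2024, 5, 3, 23, 30, tzinfo=timezone.utc).timestamp() * 1000),
}
PACIFIC = timezone(timedelta(hours=-7))
JAPAN = timezone(timedelta(hours=9))


def evaluate_sample():
    """Same event under three zones: in-hours on the US west coast, after
    hours in UTC, and a weekend push in Japan."""
    return {
        "UTC": flag_put_image(SAMPLE),
        "UTC-7": flag_put_image(SAMPLE, PACIFIC),
        "UTC+9": flag_put_image(SAMPLE, JAPAN),
    }


if __name__ == "__main__":
    print(evaluate_sample())
```

The practical consequence is that a saved search owned by an analyst in one region will grade a distributed team's pushes against that analyst's clock; pin the zone explicitly (or key it off the pushing identity) rather than relying on the per-user preference.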
Splunk ESCU SPL T1204.003 ↗
ASL AWS ECR Container Upload Unknown User
The following analytic detects image pushes to AWS Elastic Container Registry (ECR) by identities that are not on the expected list, by monitoring AWS CloudTrail events. It matches `PutImage` events whose caller is not covered by the `aws_ecr_users_asl` macro, which must be populated with the identities (such as CI pipeline roles) that legitimately push images before the detection is meaningful. This detection is crucial for a SOC as it can indicate a potential compromise or misuse of AWS ECR, which could lead to unauthorized access to sensitive data or the deployment of malicious containers. By identifying and investigating these events, organizations can mitigate the risk of data breaches or other security incidents resulting from unauthorized container uploads. The impact of such an attack could be significant, compromising the integrity and security of the organization's cloud environment.
`amazon_security_lake` api.operation=PutImage NOT `aws_ecr_users_asl`
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY actor.user.uid api.operation api.service.name
       http_request.user_agent src_endpoint.ip actor.user.account.uid
       cloud.provider cloud.region
  | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `asl_aws_ecr_container_upload_unknown_user_filter`
Splunk ESCU SPL T1580 ↗
ASL AWS IAM AccessDenied Discovery Events
The following analytic identifies excessive authorization failures (`AccessDenied`, `OperationNotPermittedException`, or any error containing `Unauthorized`) for IAM users in AWS within a one-hour window. It leverages AWS CloudTrail logs from Amazon Security Lake, bucketing events by hour and `actor.user.uid` and raising any user with five or more failures; the source IPs, operations and services involved are collected for triage. This activity is significant as it may indicate that an access key has been compromised and is being misused for unauthorized discovery actions. If confirmed malicious, this could allow attackers to gather information about the AWS environment, potentially leading to further exploitation or privilege escalation. The `dc_operation >= 1 AND dc_service >= 1` conditions are satisfied by any group as written; raise them if you want to require failures spread across several operations or services.
`amazon_security_lake` api.response.error=AccessDenied OR api.response.error=OperationNotPermittedException OR api.response.error=*Unauthorized* actor.user.type=IAMUser
  | bucket _time span=1h
  | stats count as failures min(_time) as firstTime max(_time) as lastTime dc(api.operation) as dc_operation, dc(api.service.name) as dc_service values(api.operation) as api.operation values(api.service.name) as api.service.name values(http_request.user_agent) as http_request.user_agent values(src_endpoint.ip) as src_ip values(actor.user.account.uid) as actor.user.account.uid values(cloud.provider) as cloud.provider values(cloud.region) as cloud.region
    BY _time actor.user.uid
  | where failures >= 5 AND dc_operation >= 1 AND dc_service >= 1
  | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `asl_aws_iam_accessdenied_discovery_events_filter`
Splunk ESCU SPL T1580, T1110 ↗
ASL AWS IAM Assume Role Policy Brute Force
The following analytic detects repeated failed attempts to assume an AWS IAM role, which may indicate role-name guessing or brute forcing of trust relationships. It leverages AWS CloudTrail logs from Amazon Security Lake to find `AssumeRole` calls that returned `AccessDenied`, and raises any identity with three or more such failures within an hour. This activity is significant as repeated failures to assume roles can indicate an adversary enumerating role names, which is a precursor to unauthorized access. If confirmed malicious, this could lead to unauthorized access to AWS resources, potentially compromising sensitive data and services. Automation that retries a denied `AssumeRole` can trip the three-failure threshold; tune it or exclude known service identities through the filter macro.
`amazon_security_lake` api.operation="AssumeRole" "api.response.error"=AccessDenied
  | bucket _time span=1h
  | stats count as failures min(_time) as firstTime max(_time) as lastTime values(api.operation) as api.operation values(api.service.name) as api.service.name values(http_request.user_agent) as http_request.user_agent values(src_endpoint.ip) as src_ip values(actor.user.account.uid) as actor.user.account.uid values(cloud.provider) as cloud.provider values(cloud.region) as cloud.region
    BY _time actor.user.uid
  | where failures >= 3
  | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `asl_aws_iam_assume_role_policy_brute_force_filter`
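Three detections on this page ("ASL AWS Concurrent Sessions From Different Ips", "ASL AWS IAM AccessDenied Discovery Events" and the AssumeRole brute-force rule above) share one shape: `bin` the events into fixed windows, `stats` per window and user, then apply a threshold. The following Python is an added example, not ESCU code, that implements that shape once and runs all three rules over constructed OCSF-style records. It also shows the fixed-bin edge case (two IPs 90 seconds apart that land in different 5-minute bins) and a sliding-window variant that catches it. The users, IPs, timestamps and field subset are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone


def _ms(iso):
    """Epoch milliseconds for a UTC timestamp, the unit OCSF uses for `time`."""
    return int(datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp() * 1000)


def _ev(iso, user, op, ip, err=None, user_type="IAMUser", domain=""):
    """One constructed OCSF-style record, reduced to the fields the searches use."""
    return {"time": _ms(iso), "actor.user.uid": user, "actor.user.type": user_type,
            "api.operation": op, "src_endpoint.ip": ip, "src_endpoint.domain": domain,
            "api.response.error": err}


# Constructed sample data, not real Security Lake output.
EVENTS = [
    # alice: two source IPs inside the same 5-minute bin
    _ev("2024-05-01T12:01:00", "alice", "DescribeEventAggregates", "203.0.113.10"),
    _ev("2024-05-01T12:03:00", "alice", "DescribeEventAggregates", "198.51.100.7"),
    # bob: two IPs 90 seconds apart, but on either side of the 12:05 bin edge
    _ev("2024-05-01T12:04:30", "bob", "DescribeEventAggregates", "203.0.113.10"),
    _ev("2024-05-01T12:06:00", "bob", "DescribeEventAggregates", "198.51.100.7"),
    # carol: six authorization failures across services within one hour
    *[_ev(f"2024-05-01T13:{m:02d}:00", "carol", op, "192.0.2.5", err) for m, op, err in [
        (2, "ListBuckets", "AccessDenied"), (5, "DescribeInstances", "UnauthorizedOperation"),
        (9, "ListUsers", "AccessDenied"), (14, "ListSecrets", "AccessDenied"),
        (20, "GetFunction", "AccessDenied"), (41, "DescribeDBInstances", "OperationNotPermittedException")]],
    # dave: three AssumeRole calls denied within one hour
    *[_ev(f"2024-05-01T14:{m:02d}:00", "dave", "AssumeRole", "192.0.2.9", "AccessDenied") for m in (10, 25, 55)],
]


def bucket(time_ms, span_s):
    """Splunk `bin span=` semantics: truncate to the start of a fixed window (seconds)."""
    return time_ms // 1000 // span_s * span_s


def aggregate(events, span_s, keep, distinct_field=None):
    """`stats count dc(field) BY _time actor.user.uid` after `bin span=`."""
    groups = defaultdict(lambda: {"count": 0, "values": set()})
    for e in events:
        if not keep(e):
            continue
        g = groups[(bucket(e["time"], span_s), e["actor.user.uid"])]
        g["count"] += 1
        if distinct_field:
            g["values"].add(e[distinct_field])
    return groups


def concurrent_sessions(events):
    """Concurrent Sessions From Different Ips: dc(src ip) > 1 per user per 5-minute bin."""
    groups = aggregate(events, 300, lambda e: e["api.operation"] == "DescribeEventAggregates"
                       and e["src_endpoint.domain"] != "AWS Internal", distinct_field="src_endpoint.ip")
    return sorted({user for (_, user), g in groups.items() if len(g["values"]) > 1})


def accessdenied_discovery(events, threshold=5):
    """IAM AccessDenied Discovery Events: >= threshold failures per IAM user per hour."""
    def denied(e):
        err = e["api.response.error"] or ""
        return e["actor.user.type"] == "IAMUser" and (
            err in ("AccessDenied", "OperationNotPermittedException") or "Unauthorized" in err)
    groups = aggregate(events, 3600, denied)
    return sorted({user for (_, user), g in groups.items() if g["count"] >= threshold})


def assume_role_brute_force(events, threshold=3):
    """IAM Assume Role Policy Brute Force: >= threshold denied AssumeRole calls per hour."""
    groups = aggregate(events, 3600, lambda e: e["api.operation"] == "AssumeRole"
                       and e["api.response.error"] == "AccessDenied")
    return sorted({user for (_, user), g in groups.items() if g["count"] >= threshold})


def concurrent_sessions_sliding(events, window_s=300):
    """Same rule with a sliding window: any two IPs within window_s of each other
    count, so bob's bin-straddling pair is caught as well."""
    by_user = defaultdict(list)
    for e in events:
        if e["api.operation"] == "DescribeEventAggregates" and e["src_endpoint.domain"] != "AWS Internal":
            by_user[e["actor.user.uid"]].append((e["time"] // 1000, e["src_endpoint.ip"]))
    hits = set()
    for user, seen in by_user.items():
        seen.sort()
        for i, (t0, ip0) in enumerate(seen):
            for t1, ip1 in seen[i + 1:]:
                if t1 - t0 > window_s:
                    break
                if ip1 != ip0:
                    hits.add(user)
    return sorted(hits)


if __name__ == "__main__":
    print("fixed bins:  ", concurrent_sessions(EVENTS))
    print("sliding:     ", concurrent_sessions_sliding(EVENTS))
    print("AccessDenied:", accessdenied_discovery(EVENTS))
    print("AssumeRole:  ", assume_role_brute_force(EVENTS))
```

Note that dave's three denied `AssumeRole` calls also count as authorization failures for the discovery rule but stay under its threshold of five; lowering that threshold to three surfaces him there too, which is the kind of overlap worth knowing about when both rules feed the same risk score.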
Splunk ESCU SPL T1098 ↗
ASL AWS IAM Delete Policy
The following analytic identifies when a policy is deleted in AWS. It leverages Amazon Security Lake logs to detect the DeletePolicy API operation. Monitoring policy deletions is crucial as it can indicate unauthorized attempts to weaken security controls. If confirmed malicious, this activity could allow an attacker to remove critical security policies, potentially leading to privilege escalation or unauthorized access to sensitive resources.
`amazon_security_lake` api.operation=DeletePolicy
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY actor.user.uid api.operation api.service.name
       http_request.user_agent src_endpoint.ip actor.user.account.uid
       cloud.provider cloud.region
  | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `asl_aws_iam_delete_policy_filter`
Splunk ESCU SPL T1098 ↗
ASL AWS IAM Failure Group Deletion
The following analytic detects failed attempts to delete AWS IAM groups, whether the failure stems from access denial, a conflict, or a non-existent group. It operates by matching `DeleteGroup` calls with `status=Failure` in CloudTrail logs from Amazon Security Lake, excluding calls made by AWS services themselves (user agents ending in `.amazonaws.com`). This behavior is significant for a SOC as it may indicate unauthorized attempts to modify access controls or disrupt operations by removing groups. Such actions could be part of a larger attack aiming to escalate privileges or impair security protocols. Identifying these attempts allows for timely investigation and mitigation, preventing potential impact on the organization's security posture.
`amazon_security_lake` api.operation=DeleteGroup status=Failure http_request.user_agent!=*.amazonaws.com
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY actor.user.uid api.operation api.service.name
       http_request.user_agent src_endpoint.ip actor.user.account.uid
       cloud.provider cloud.region
  | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `asl_aws_iam_failure_group_deletion_filter`
Splunk ESCU SPL T1069.003, T1098 ↗
ASL AWS IAM Successful Group Deletion
The following analytic detects the successful deletion of a group within AWS IAM, using Amazon Security Lake logs for DeleteGroup operations with status=Success. This action, while not inherently malicious, can serve as a precursor to more sinister activities, such as unauthorized access or privilege escalation attempts. By monitoring for such deletions, the analytic aids in identifying potential preparatory steps towards an attack, allowing for early detection and mitigation. The identification of this behavior is crucial for a SOC to prevent the potential impact of an attack, which could include unauthorized access to sensitive resources or disruption of AWS environment operations.
Show query
`amazon_security_lake` api.operation=DeleteGroup status=Success
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY actor.user.uid api.operation api.service.name
       http_request.user_agent src_endpoint.ip actor.user.account.uid
       cloud.provider cloud.region
  | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `asl_aws_iam_successful_group_deletion_filter`
ASL AWS Multi-Factor Authentication Disabled
The following analytic detects attempts to disable multi-factor authentication (MFA) for an AWS IAM user. It leverages Amazon Security Lake logs, specifically monitoring for `DeleteVirtualMFADevice` or `DeactivateMFADevice` API operations. This activity is significant as disabling MFA can indicate an adversary attempting to weaken account security to maintain persistence using a compromised account. If confirmed malicious, this action could allow attackers to retain access to the AWS environment without detection, potentially leading to unauthorized access to sensitive resources and prolonged compromise.
Show query
`amazon_security_lake` (api.operation=DeleteVirtualMFADevice OR api.operation=DeactivateMFADevice)
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY actor.user.uid api.operation api.service.name
       http_request.user_agent src_endpoint.ip actor.user.account.uid
       cloud.provider cloud.region
  | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `asl_aws_multi_factor_authentication_disabled_filter`
Splunk ESCU SPL T1686.001 ↗
ASL AWS Network Access Control List Created with All Open Ports
The following analytic detects the creation of AWS Network Access Control List (ACL) rules that open every port to the Internet. It leverages Amazon Security Lake logs (CloudTrail events in OCSF form), monitoring successful `CreateNetworkAclEntry` or `ReplaceNetworkAclEntry` operations and parsing the request parameters from `api.request.data` for an inbound rule (egress=false) with ruleAction=allow, aclProtocol=-1 (all protocols, hence all ports) and cidrBlock=0.0.0.0/0. As written, the search does not match the equivalent IPv6 rule (::/0), outbound rules, or allow-all rules scoped to a CIDR narrower than 0.0.0.0/0. This activity is significant because it can expose the network to unauthorized access, increasing the risk of data breaches and other malicious activities. If confirmed malicious, an attacker could exploit this misconfiguration to gain unrestricted access to the network, potentially leading to data exfiltration, service disruption, or further compromise of the AWS environment.
Show query
`amazon_security_lake` api.operation=CreateNetworkAclEntry OR api.operation=ReplaceNetworkAclEntry status=Success
  | spath input=api.request.data path=ruleAction output=ruleAction
  | spath input=api.request.data path=egress output=egress
  | spath input=api.request.data path=aclProtocol output=aclProtocol
  | spath input=api.request.data path=cidrBlock output=cidrBlock
  | spath input=api.request.data path=networkAclId output=networkAclId
  | search ruleAction=allow AND egress=false AND aclProtocol=-1 AND cidrBlock=0.0.0.0/0
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY actor.user.uid api.operation api.service.name
       http_request.user_agent src_endpoint.ip actor.user.account.uid
       cloud.provider cloud.region networkAclId
       cidrBlock
  | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `asl_aws_network_access_control_list_created_with_all_open_ports_filter`
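The search above does its real work in the `spath` and `search` lines: pull the request parameters out of `api.request.data` and test four fields. The following is an added Python example, not ESCU code, that applies the same four conditions to constructed ASL-shaped records so the matching logic can be checked offline. The record shape (`api.operation`, `api.request.data` as a JSON string, `status`, `actor.user.uid`) follows the query; the `ipv6CidrBlock` parameter and the `include_ipv6` option go beyond the SPL, which only checks `cidrBlock`, and the sample events are made up.

```python
import json

OPEN_ALL = {"ipv4": "0.0.0.0/0", "ipv6": "::/0"}


def _request_params(event):
    """api.request.data holds the CloudTrail requestParameters as a JSON string in ASL."""
    try:
        return json.loads(event.get("api", {}).get("request", {}).get("data", "{}"))
    except json.JSONDecodeError:
        return {}


def is_open_ingress_rule(event, include_ipv6=True):
    """Same four conditions as the ESCU search (allow, inbound, all protocols, 0.0.0.0/0).
    include_ipv6 additionally treats ipv6CidrBlock ::/0 as open, which the SPL does not
    (assumption: CloudTrail names the IPv6 parameter ipv6CidrBlock)."""
    api = event.get("api", {})
    if api.get("operation") not in ("CreateNetworkAclEntry", "ReplaceNetworkAclEntry"):
        return False
    if event.get("status") != "Success":
        return False
    p = _request_params(event)
    # CloudTrail renders egress as a boolean and aclProtocol as a string; compare as text
    if str(p.get("ruleAction", "")).lower() != "allow" or str(p.get("egress", "")).lower() != "false":
        return False
    if str(p.get("aclProtocol", "")) != "-1":  # -1 = every protocol, hence every port
        return False
    if p.get("cidrBlock") == OPEN_ALL["ipv4"]:
        return True
    return include_ipv6 and p.get("ipv6CidrBlock") == OPEN_ALL["ipv6"]


def open_ingress_rules(events, include_ipv6=True):
    """Emulate the stats row of the search: (user, networkAclId, cidr) per matching event."""
    rows = []
    for e in events:
        if is_open_ingress_rule(e, include_ipv6):
            p = _request_params(e)
            rows.append((e["actor"]["user"]["uid"], p.get("networkAclId"),
                         p.get("cidrBlock") or p.get("ipv6CidrBlock")))
    return rows


def _asl(operation, status, actor, **params):
    """Build a constructed ASL-shaped record (sample data, not real telemetry)."""
    return {"api": {"operation": operation, "request": {"data": json.dumps(params)}},
            "status": status, "actor": {"user": {"uid": actor}}}


SAMPLE_ASL_EVENTS = [
    _asl("CreateNetworkAclEntry", "Success", "alice", networkAclId="acl-0a1b2c3d", ruleNumber=100,
         ruleAction="allow", egress=False, aclProtocol="-1", cidrBlock="0.0.0.0/0"),    # fires
    _asl("ReplaceNetworkAclEntry", "Success", "alice", networkAclId="acl-0a1b2c3d", ruleNumber=110,
         ruleAction="allow", egress=True, aclProtocol="-1", cidrBlock="0.0.0.0/0"),     # outbound: not matched
    _asl("CreateNetworkAclEntry", "Success", "bob", networkAclId="acl-0a1b2c3d", ruleNumber=120,
         ruleAction="allow", egress=False, aclProtocol="6", cidrBlock="0.0.0.0/0"),     # TCP only: not matched
    _asl("CreateNetworkAclEntry", "Success", "bob", networkAclId="acl-0a1b2c3d", ruleNumber=130,
         ruleAction="allow", egress=False, aclProtocol="-1", ipv6CidrBlock="::/0"),     # IPv6 all-open
    _asl("CreateNetworkAclEntry", "Failure", "mallory", networkAclId="acl-0a1b2c3d", ruleNumber=140,
         ruleAction="allow", egress=False, aclProtocol="-1", cidrBlock="0.0.0.0/0"),    # denied call
]

if __name__ == "__main__":
    for row in open_ingress_rules(SAMPLE_ASL_EVENTS):
        print(row)
```

Running the block with `include_ipv6=False` reproduces the SPL exactly (the IPv6 rule is silent); with the default it also reports the `::/0` rule, which is the gap to close if your VPCs carry IPv6.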
Splunk ESCU SPL T1686.001 ↗
ASL AWS Network Access Control List Deleted
The following analytic detects the deletion of inbound rules from AWS Network Access Control Lists (ACLs). It leverages Amazon Security Lake logs to identify successful `DeleteNetworkAclEntry` operations whose egress flag is false, that is, rules that applied to inbound traffic; outbound-rule deletions and deletion of an entire ACL (`DeleteNetworkAcl`) are not matched by this search. This activity is significant because removing a network ACL entry can drop a deny rule that was restricting access, potentially allowing unauthorized access to cloud instances. If confirmed malicious, this action could enable attackers to bypass network security controls, leading to unauthorized access, data exfiltration, or further compromise of the cloud environment.
Show query
`amazon_security_lake` api.operation=DeleteNetworkAclEntry status=Success
  | spath input=api.request.data path=egress output=egress
  | spath input=api.request.data path=networkAclId output=networkAclId
  | search egress=false
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY actor.user.uid api.operation api.service.name
       http_request.user_agent src_endpoint.ip actor.user.account.uid
       cloud.provider cloud.region networkAclId
  | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `asl_aws_network_access_control_list_deleted_filter`
Splunk ESCU SPL T1556.006 ↗
ASL AWS New MFA Method Registered For User
The following analytic identifies the registration of a new Multi-Factor Authentication (MFA) method for an AWS account, as logged through Amazon Security Lake (ASL). It detects this activity by monitoring the `CreateVirtualMFADevice` API operation within ASL logs. This behavior is significant because adversaries who gain unauthorized access to an AWS account may register a new MFA method to maintain persistence. If confirmed malicious, this activity could allow attackers to secure their access, making it harder to detect and remove their presence from the compromised environment.
Show query
`amazon_security_lake` api.operation=CreateVirtualMFADevice
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY actor.user.uid api.operation api.service.name
       http_request.user_agent src_endpoint.ip actor.user.account.uid
       cloud.provider cloud.region
  | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `asl_aws_new_mfa_method_registered_for_user_filter`
Splunk ESCU SPL T1078 ↗
ASL AWS SAML Update identity provider
The following analytic detects updates to a SAML identity provider in AWS. It leverages Amazon Security Lake logs to identify the `UpdateSAMLProvider` operation and groups it by actor (`actor.user.uid`), source IP (`src_endpoint.ip`) and user agent (`http_request.user_agent`); the provider ARN is not extracted by the search as written, so pull it from `api.request.data` at triage. Monitoring updates to the SAML provider is crucial because the call replaces the provider's metadata document, including the IdP signing certificate, so whoever controls the new document can mint assertions for every role that trusts the provider; it may indicate a compromise of federated credentials or a backdoor set by an attacker. If confirmed malicious, this activity could allow attackers to manipulate identity federation, potentially leading to unauthorized access to cloud resources and sensitive data.
Show query
`amazon_security_lake` api.operation=UpdateSAMLProvider
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY actor.user.uid api.operation api.service.name
       http_request.user_agent src_endpoint.ip actor.user.account.uid
       cloud.provider cloud.region
  | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `asl_aws_saml_update_identity_provider_filter`
Splunk ESCU SPL T1136.003 ↗
ASL AWS UpdateLoginProfile
The following analytic detects `UpdateLoginProfile` operations in Amazon Security Lake logs, the call by which a user with IAM permissions changes another user's console password. As written, the search alerts on every UpdateLoginProfile call and does not compare the caller with the target; the target user name sits in the request parameters carried by `api.request.data`, so the actor-versus-target comparison has to be made at triage or added to the search. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Show query
`amazon_security_lake` api.operation=UpdateLoginProfile
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY actor.user.uid api.operation api.service.name
       http_request.user_agent src_endpoint.ip actor.user.account.uid
       cloud.provider cloud.region
  | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `asl_aws_updateloginprofile_filter`
Splunk ESCU SPL T1537 ↗
AWS AMI Attribute Modification for Exfiltration
The following analytic detects suspicious modifications to AWS AMI attributes, such as sharing an AMI with another AWS account or making it publicly accessible. It leverages AWS CloudTrail logs to identify these changes by monitoring specific API calls. This activity is significant because adversaries can exploit these modifications to exfiltrate sensitive data stored in AWS resources. If confirmed malicious, this could lead to unauthorized access and potential data breaches, compromising the confidentiality and integrity of organizational information.
Show query
`cloudtrail` eventName=ModifyImageAttribute (requestParameters.launchPermission.add.items{}.userId = * OR requestParameters.launchPermission.add.items{}.group = all)
  | rename requestParameters.launchPermission.add.items{}.group as group_added
  | rename requestParameters.launchPermission.add.items{}.userId as accounts_added
  | eval ami_status=if(match(group_added,"all") ,"Public AMI", "Not Public")
  | rename user_name as user
  | stats count min(_time) as firstTime max(_time) as lastTime values(group_added) as group_added values(accounts_added) as accounts_added values(ami_status) as ami_status
    BY signature dest user
       user_agent src vendor_account
       vendor_region vendor_product
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `aws_ami_attribute_modification_for_exfiltration_filter`
Splunk ESCU SPL T1685.002 ↗
AWS Bedrock Delete GuardRails
The following analytic identifies attempts to delete AWS Bedrock GuardRails, which are security controls designed to prevent harmful, biased, or inappropriate AI outputs. It leverages AWS CloudTrail logs to detect when a user or service calls the DeleteGuardrail API. This activity is significant as it may indicate an adversary attempting to remove safety guardrails after compromising credentials, potentially to enable harmful or malicious model outputs. Removing guardrails could allow attackers to extract sensitive information, generate offensive content, or bypass security controls designed to prevent prompt injection and other AI-specific attacks. If confirmed malicious, this could represent a deliberate attempt to manipulate model behavior for harmful purposes.
Show query
`cloudtrail` eventSource=bedrock.amazonaws.com eventName=DeleteGuardrail
  | rename user_name as user
  | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.guardrailIdentifier) as guardrailIds
    by src user user_agent
       vendor_account vendor_product dest
       signature vendor_region
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `aws_bedrock_delete_guardrails_filter`
Splunk ESCU SPL T1485 ↗
AWS Bedrock Delete Knowledge Base
The following analytic identifies attempts to delete AWS Bedrock Knowledge Bases, which are resources that store and manage domain-specific information for AI models. It monitors AWS CloudTrail logs for DeleteKnowledgeBase API calls. This activity could indicate an adversary attempting to remove knowledge bases after compromising credentials, potentially to disrupt business operations or remove traces of data access. Deleting knowledge bases could impact model performance, remove critical business context, or be part of a larger attack to degrade AI capabilities. If confirmed malicious, this could represent a deliberate attempt to cause service disruption or data loss.
Show query
`cloudtrail` eventSource=bedrock.amazonaws.com eventName=DeleteKnowledgeBase
  | rename user_name as user
  | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.knowledgeBaseId) as knowledgeBaseIds
    by src user user_agent
       vendor_account vendor_product dest
       signature vendor_region
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `aws_bedrock_delete_knowledge_base_filter`
Splunk ESCU SPL T1685.002 ↗
AWS Bedrock Delete Model Invocation Logging Configuration
The following analytic identifies attempts to delete AWS Bedrock model invocation logging configurations. It leverages AWS CloudTrail logs to detect when a user or service calls the DeleteModelInvocationLogging API. This activity is significant as it may indicate an adversary attempting to remove audit trails of model interactions after compromising credentials. Deleting model invocation logs could allow attackers to interact with AI models without leaving traces, potentially enabling them to conduct data exfiltration, prompt injection attacks, or other malicious activities without detection. If confirmed malicious, this could represent a deliberate attempt to hide unauthorized model usage and evade detection.
Show query
`cloudtrail` eventSource=bedrock.amazonaws.com eventName=DeleteModelInvocationLoggingConfiguration
  | rename user_name as user
  | stats count min(_time) as firstTime max(_time) as lastTime
    by src user user_agent
       vendor_account vendor_product dest
       signature vendor_region
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `aws_bedrock_delete_model_invocation_logging_configuration_filter`
Splunk ESCU SPL T1580 ↗
AWS Bedrock High Number List Foundation Model Failures
The following analytic identifies a high number of AccessDenied responses to ListFoundationModels calls in AWS Bedrock. It leverages AWS CloudTrail logs and fires when a single user and source accumulate more than nine such failures (count > 9); the search does not bin by time, so the window is the time range of the scheduled search. This activity is significant as it may indicate an adversary performing reconnaissance of available AI models after compromising credentials with limited permissions. Repeated failures could suggest attempts to enumerate accessible resources or misconfigured access controls. If confirmed malicious, this could represent early-stage reconnaissance before attempting to access or manipulate Bedrock models or knowledge bases.
Show query
`cloudtrail` eventSource=bedrock.amazonaws.com eventName=ListFoundationModels errorCode=AccessDenied
  | rename user_name as user
  | stats count min(_time) as firstTime max(_time) as lastTime values(errorCode) as errorCodes values(errorMessage) as errorMessages
    by src user user_agent
       vendor_account vendor_product dest
       signature vendor_region
  | where count > 9
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `aws_bedrock_high_number_list_foundation_model_failures_filter`
Splunk ESCU SPL T1078, T1550 ↗
AWS Bedrock Invoke Model Access Denied
The following analytic identifies AccessDenied errors returned when attempting to invoke AWS Bedrock models. It leverages AWS CloudTrail logs to detect when a user or service receives an AccessDenied error when calling the InvokeModel API, and records the requested model IDs alongside the caller. This activity is significant as it may indicate an adversary attempting to access Bedrock models with insufficient permissions after compromising credentials. If confirmed malicious, this could suggest reconnaissance activities or privilege escalation attempts targeting generative AI resources, potentially leading to data exfiltration or manipulation of model outputs.
Show query
`cloudtrail` eventSource=bedrock.amazonaws.com eventName=InvokeModel errorCode=AccessDenied
  | rename user_name as user
  | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.modelId) as modelIds
    by src user user_agent
       vendor_account vendor_product dest
       signature vendor_region result result_id
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `aws_bedrock_invoke_model_access_denied_filter`
Splunk ESCU SPL T1185 ↗
AWS Concurrent Sessions From Different Ips
The following analytic identifies an AWS IAM account with concurrent sessions originating from more than one unique IP address within a 5-minute window. It leverages AWS CloudTrail logs, specifically the `DescribeEventAggregates` event that the AWS Management Console issues periodically while a session is open, and counts distinct source IPs per user inside each fixed 5-minute bin (`bin span=5m`), so two IPs that straddle a bin boundary are not counted together. This activity is significant as it may indicate a session hijacking attack, where an adversary uses stolen session cookies to access AWS resources from a different location. If confirmed malicious, this could allow unauthorized access to sensitive corporate resources, leading to potential data breaches or further exploitation within the AWS environment.
Show query
`cloudtrail` eventName = DescribeEventAggregates src_ip!="AWS Internal"
  | bin span=5m _time
  | rename user_name as user
  | stats min(_time) as firstTime max(_time) as lastTime values(user_agent) as user_agent values(signature) as signature values(src) as src values(dest) as dest dc(src) as distinct_ip_count
    BY _time user vendor_account
       vendor_region vendor_product
  | where distinct_ip_count > 1
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `aws_concurrent_sessions_from_different_ips_filter`
Splunk ESCU SPL T1586.003, T1621 ↗
AWS Console Login Failed During MFA Challenge
The following analytic identifies failed authentication attempts to the AWS Console during the Multi-Factor Authentication (MFA) challenge. It leverages AWS CloudTrail logs, specifically the `additionalEventData` field, to detect when MFA was used but the login attempt still failed. This activity is significant as it may indicate an adversary attempting to access an account with compromised credentials but being thwarted by MFA. If confirmed malicious, this could suggest an ongoing attempt to breach the account, potentially leading to unauthorized access and further attacks if MFA is bypassed.
Show query
`cloudtrail` eventName= ConsoleLogin errorMessage="Failed authentication" additionalEventData.MFAUsed = "Yes"
  | rename user_name as user
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY signature dest user
       user_agent src vendor_account
       vendor_region vendor_product additionalEventData.MFAUsed
       errorMessage
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `aws_console_login_failed_during_mfa_challenge_filter`
Splunk ESCU SPL T1078.004 ↗
AWS Create Policy Version to allow all resources
The following analytic identifies the creation of a new AWS IAM policy version that grants access to everything. It detects this activity by analyzing AWS CloudTrail logs for successful CreatePolicyVersion events, expanding the Statement array of the submitted policy document and keeping statements whose Action is the bare wildcard "*". Note that the search as written checks only Action: it does not test Effect or Resource, so a Deny statement with Action "*" also matches, while an Allow on Resource "*" with a narrower Action does not. This behavior is significant because it violates the principle of least privilege, potentially exposing the environment to misuse or abuse. If confirmed malicious, an attacker could gain extensive access to AWS resources, leading to unauthorized actions, data exfiltration, or further compromise of the AWS environment.
Show query
`cloudtrail` eventName=CreatePolicyVersion eventSource = iam.amazonaws.com errorCode = success
  | spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{}
  | mvexpand key_policy_statements
  | spath input=key_policy_statements output=key_policy_action_1 path=Action
  | where key_policy_action_1 = "*"
  | rename user_name as user
  | stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added
    BY signature dest user
       user_agent src vendor_account
       vendor_region vendor_product
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `aws_create_policy_version_to_allow_all_resources_filter`
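The policy-document parsing above is the part of this search that is easy to get subtly wrong, because IAM accepts `Statement`, `Action` and `Resource` either as a single value or as a list. The following is an added Python example, not ESCU code, that normalizes both forms and applies the full Allow + Action "*" + Resource "*" test to constructed CloudTrail records. It assumes `requestParameters.policyDocument` is a JSON string (which the `spath input=` in the search also assumes) and that a missing `errorCode` means success, as the Splunk add-on's `errorCode=success` convention implies; the sample events and the account ID are made up.

```python
import json


def _as_list(value):
    """IAM accepts a bare string or a list for Action/Resource/Statement; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def iter_statements(policy_document):
    """policyDocument arrives as a JSON string in CloudTrail requestParameters."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    return _as_list(doc.get("Statement"))


def is_allow_all(statement):
    """True for an Allow statement whose Action and Resource both contain the bare wildcard.
    Service-wide wildcards such as "iam:*" are deliberately not treated as allow-all here."""
    return (statement.get("Effect") == "Allow"
            and "*" in _as_list(statement.get("Action"))
            and "*" in _as_list(statement.get("Resource")))


def allow_all_statements(event):
    """Return the offending statements for a successful CreatePolicyVersion event."""
    if event.get("eventName") != "CreatePolicyVersion" or event.get("eventSource") != "iam.amazonaws.com":
        return []
    # Assumption: the Splunk add-on fills errorCode=success; raw CloudTrail omits it on success.
    if event.get("errorCode", "success") != "success":
        return []
    policy = (event.get("requestParameters") or {}).get("policyDocument", "{}")
    return [s for s in iter_statements(policy) if is_allow_all(s)]


def _create_policy_version(statements, error_code=None):
    """Constructed CloudTrail record (sample data, not real telemetry)."""
    e = {"eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com",
         "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/example",
                               "policyDocument": json.dumps({"Version": "2012-10-17",
                                                             "Statement": statements}),
                               "setAsDefault": True}}
    if error_code:
        e["errorCode"] = error_code
    return e


SAMPLE_EVENTS = [
    _create_policy_version([{"Effect": "Allow", "Action": "*", "Resource": "*"}]),       # classic allow-all
    _create_policy_version({"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                            "Resource": "arn:aws:s3:::example-bucket/*"}),             # scoped, single object
    _create_policy_version([{"Effect": "Deny", "Action": "*", "Resource": "*"},          # Deny: ignored
                            {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]),  # list form: caught
    _create_policy_version([{"Effect": "Allow", "Action": "*", "Resource": "*"}], "AccessDenied"),
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e.get("errorCode", "success"), allow_all_statements(e))
```

The third sample is the one to watch in the SPL: the Deny statement would match `key_policy_action_1 = "*"` there, while this version reports only the Allow.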
Splunk ESCU SPL T1136.003 ↗
AWS CreateAccessKey
The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect successful, non-console CreateAccessKey calls where the calling user (`userIdentity.userName`) differs from the user the key is created for (`requestParameters.userName`). Note that the search makes that comparison with `match()`, which treats the target name as an unanchored regular expression over the caller's name, so a target that is a substring of the caller (for example `bob` created by `bob-admin`) is suppressed; an exact string comparison is stricter. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
Show query
`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success
  | eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)
  | search match=0
  | rename user_name as user
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY signature dest user
       user_agent src vendor_account
       vendor_region vendor_product
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `aws_createaccesskey_filter`
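Both ASL AWS UpdateLoginProfile above and this CreateAccessKey search turn on one question: did the caller act on its own identity or on someone else's? The following is an added Python example, not ESCU code, that extracts actor and target from either a raw CloudTrail record or an ASL/OCSF record and compares them exactly, alongside a function that reproduces the `match()` comparison the SPL uses so the two can be contrasted. It assumes that in ASL `actor.user.uid` carries the IAM user name (the ASL searches rename it to `user`) and that `api.request.data` is the requestParameters JSON string, as the ASL searches' `spath` calls assume; the sample records are constructed.

```python
import json
import re

CREDENTIAL_EVENTS = {"CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile"}


def operation_actor_target(event):
    """Return (operation, actor, target) from a raw CloudTrail or an ASL/OCSF record.
    Assumption for ASL: actor.user.uid holds the IAM user name and api.request.data is the
    requestParameters JSON string."""
    if "userIdentity" in event:
        return (event.get("eventName"),
                event["userIdentity"].get("userName"),
                (event.get("requestParameters") or {}).get("userName"))
    try:
        params = json.loads(event["api"]["request"].get("data", "{}"))
    except (KeyError, json.JSONDecodeError):
        params = {}
    return (event["api"].get("operation"),
            event["actor"]["user"].get("uid"),
            params.get("userName"))


def is_cross_user(event):
    """Exact comparison: flag when the actor creates or updates credentials for a different user.
    A missing target userName means the caller acted on its own identity, which is not flagged."""
    op, actor, target = operation_actor_target(event)
    if op not in CREDENTIAL_EVENTS or not actor or not target:
        return False
    return actor != target


def is_cross_user_regex(event):
    """The comparison the SPL makes: match(userIdentity.userName, requestParameters.userName)
    treats the target name as an unanchored regex applied to the actor name."""
    op, actor, target = operation_actor_target(event)
    if op not in CREDENTIAL_EVENTS or not actor or not target:
        return False
    return re.search(target, actor) is None


def _ct(name, actor, target=None, user_agent="aws-cli/2.15.0"):
    """Constructed raw CloudTrail record (sample data, not real telemetry)."""
    return {"eventName": name, "eventSource": "iam.amazonaws.com", "userAgent": user_agent,
            "userIdentity": {"type": "IAMUser", "userName": actor},
            "requestParameters": {"userName": target} if target else None}


def _asl(operation, actor, target):
    """Constructed ASL/OCSF-shaped record (sample data, not real telemetry)."""
    return {"api": {"operation": operation, "service": {"name": "iam.amazonaws.com"},
                    "request": {"data": json.dumps({"userName": target})}},
            "actor": {"user": {"uid": actor}}}


SAMPLE_EVENTS = [
    _ct("CreateAccessKey", "alice", "bob"),        # alice mints a key for bob: flagged either way
    _ct("CreateAccessKey", "bob-admin", "bob"),    # "bob" matches inside "bob-admin": the regex form misses it
    _ct("CreateAccessKey", "carol"),               # key for herself, no userName parameter: not flagged
    _asl("UpdateLoginProfile", "dave", "erin"),    # the ASL search shown earlier, with the comparison added
    _ct("DeleteUser", "alice", "bob"),             # not a credential event
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(operation_actor_target(e), is_cross_user(e), is_cross_user_regex(e))
```

The second sample is the practical difference: exact comparison flags it, the regex form does not.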
Splunk ESCU SPL T1136.003 ↗
AWS CreateLoginProfile
The following analytic identifies the creation of a login profile for one AWS user by another, followed by a console login from the same source IP. It uses AWS CloudTrail logs to correlate the `CreateLoginProfile` and `ConsoleLogin` events based on the source IP and user identity. This activity is significant as it may indicate privilege escalation, where an attacker creates a new login profile to gain unauthorized access. If confirmed malicious, this could allow the attacker to escalate privileges and maintain persistent access to the AWS environment.
Show query
`cloudtrail` eventName = CreateLoginProfile
  | rename requestParameters.userName as new_login_profile
  | table src_ip eventName new_login_profile userIdentity.userName
  | join new_login_profile src_ip [
  | search `cloudtrail` eventName = ConsoleLogin
  | rename userIdentity.userName  as new_login_profile
  | stats count values(eventName) min(_time) as firstTime max(_time) as lastTime
    BY eventSource aws_account_id errorCode
       user_agent eventID awsRegion
       userIdentity.principalId user_arn new_login_profile
       src_ip dest vendor_account
       vendor_region vendor_product
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`]
  | rename user_arn as user
  | `aws_createloginprofile_filter`
Splunk ESCU SPL T1110.001, T1586.003 ↗
AWS Credential Access Failed Login
The following analytic identifies unsuccessful login attempts to the AWS Management Console using a specific user identity. It leverages AWS CloudTrail logs to detect failed authentication events associated with the AWS ConsoleLogin action. This activity is significant for a SOC because repeated failed login attempts may indicate a brute force attack or unauthorized access attempts. If confirmed malicious, an attacker could potentially gain access to AWS account services and resources, leading to data breaches, resource manipulation, or further exploitation within the AWS environment.
Show query
`cloudtrail` eventName = ConsoleLogin errorMessage="Failed authentication"
  | rename user_name as user
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY signature dest user
       user_agent src vendor_account
       vendor_region vendor_product
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `aws_credential_access_failed_login_filter`
Splunk ESCU SPL T1110.001, T1586.003 ↗
AWS Credential Access GetPasswordData
The following analytic identifies GetPasswordData API calls against more than 10 distinct EC2 instances by one user within a 5-minute window. It leverages AWS CloudTrail logs, bins events into fixed 5-minute spans and counts the distinct instance IDs per user; the threshold is on distinct instances, so many calls against a single instance do not trigger it. This behavior is significant as it may indicate an attempt to retrieve encrypted administrator passwords for running Windows instances, which is a critical security concern. If confirmed malicious, attackers could gain unauthorized access to administrative credentials, potentially leading to full control over the affected instances and further compromise of the AWS environment.
Show query
`cloudtrail` eventName=GetPasswordData eventSource = ec2.amazonaws.com
  | bin _time span=5m
  | rename user_name as user
  | stats count min(_time) as firstTime max(_time) as lastTime dc(requestParameters.instanceId) as distinct_instance_ids
    BY signature dest user
       user_agent src vendor_account
       vendor_region vendor_product
  | where distinct_instance_ids > 10
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `aws_credential_access_getpassworddata_filter`
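The two searches AWS Concurrent Sessions From Different Ips and AWS Credential Access GetPasswordData share one pattern: align events to fixed 5-minute bins, then count distinct values of one field per user and alert above a threshold. The following is an added Python example, not ESCU code, that implements that pattern over constructed events and runs both detections on it. The field names (`_time`, `user`, `src_ip`, `instanceId`, `eventName`, `eventSource`) follow the Splunk-normalized names the queries use; the sample data is made up. It also exercises two properties of the SPL worth knowing: activity that straddles a bin boundary is split across bins, and the GetPasswordData threshold counts distinct instances rather than calls.

```python
from collections import defaultdict

SPAN_SECONDS = 300  # SPL "bin _time span=5m"


def bin_time(ts, span=SPAN_SECONDS):
    """Align an epoch timestamp to the start of its fixed span, as SPL's bin does."""
    return ts - (ts % span)


def windowed_distinct_count(events, group_fields, distinct_field, span=SPAN_SECONDS):
    """Emulate `bin _time span | stats dc(distinct_field) by _time <group_fields>`.
    Returns {(bin_start, *group_values): number_of_distinct_values}."""
    buckets = defaultdict(set)
    for e in events:
        key = (bin_time(e["_time"], span),) + tuple(e.get(f) for f in group_fields)
        buckets[key].add(e.get(distinct_field))
    return {k: len(v) for k, v in buckets.items()}


def concurrent_sessions(events, threshold=1):
    """AWS Concurrent Sessions From Different Ips: one user, >1 source IP in a single bin."""
    polls = [e for e in events
             if e.get("eventName") == "DescribeEventAggregates"
             and e.get("src_ip") != "AWS Internal"]
    counts = windowed_distinct_count(polls, ("user",), "src_ip")
    return sorted(k for k, n in counts.items() if n > threshold)


def password_data_sweeps(events, threshold=10):
    """AWS Credential Access GetPasswordData: one user, >10 distinct instance IDs in a single bin."""
    calls = [e for e in events
             if e.get("eventName") == "GetPasswordData"
             and e.get("eventSource") == "ec2.amazonaws.com"]
    counts = windowed_distinct_count(calls, ("user",), "instanceId")
    return sorted(k for k, n in counts.items() if n > threshold)


# Constructed sample events (not real telemetry). T0 sits exactly on a 5-minute boundary.
T0 = 1_700_000_400


def _ev(offset, name, user, src_ip="203.0.113.5", **extra):
    e = {"_time": T0 + offset, "eventName": name, "user": user, "src_ip": src_ip,
         "eventSource": "ec2.amazonaws.com" if name == "GetPasswordData" else "health.amazonaws.com"}
    e.update(extra)
    return e


SAMPLE_EVENTS = (
    # alice: console polling from two IPs inside one bin -> fires
    [_ev(10, "DescribeEventAggregates", "alice", "203.0.113.5"),
     _ev(70, "DescribeEventAggregates", "alice", "198.51.100.9"),
     # bob: the second IP lands in the next bin, and the AWS Internal poll is excluded -> no alert
     _ev(20, "DescribeEventAggregates", "bob", "203.0.113.5"),
     _ev(30, "DescribeEventAggregates", "bob", "AWS Internal"),
     _ev(320, "DescribeEventAggregates", "bob", "198.51.100.77")]
    # svc-backup: 12 distinct instances in one bin -> fires
    + [_ev(5 * i, "GetPasswordData", "svc-backup", instanceId=f"i-0{i:016x}") for i in range(12)]
    # carol: 11 calls, all against one instance -> dc=1, no alert
    + [_ev(5 * i, "GetPasswordData", "carol", instanceId="i-0abc123def456789a") for i in range(11)]
)

if __name__ == "__main__":
    print("concurrent sessions:", concurrent_sessions(SAMPLE_EVENTS))
    print("password sweeps:    ", password_data_sweeps(SAMPLE_EVENTS))
```

If the boundary-straddle case matters to you, the usual fix in SPL is a sliding window (`streamstats` with `time_window=5m`) rather than `bin`, at the cost of a heavier search.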
Splunk ESCU SPL T1110, T1586.003 ↗
AWS Credential Access RDS Password reset
The following analytic detects the resetting of the master user password for an Amazon RDS DB instance. It leverages AWS CloudTrail logs to identify events where the `ModifyDBInstance` API call includes a new `masterUserPassword` parameter. This activity is significant because unauthorized password resets can grant attackers access to sensitive data stored in production databases, such as credit card information, PII, and healthcare data. If confirmed malicious, this could lead to data breaches, regulatory non-compliance, and significant reputational damage. Immediate investigation is required to determine the legitimacy of the password reset.
Show query
`cloudtrail` eventSource="rds.amazonaws.com" eventName=ModifyDBInstance "requestParameters.masterUserPassword"=*
  | rename user_name as user
  | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.dBInstanceIdentifier) as database_id
    BY signature dest user
       user_agent src vendor_account
       vendor_region vendor_product
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `aws_credential_access_rds_password_reset_filter`
Splunk ESCU SPL T1685.002 ↗
AWS Defense Evasion Delete CloudWatch Log Group
The following analytic detects the deletion of CloudWatch log groups in AWS, identified through `DeleteLogGroup` events in CloudTrail logs. This detection leverages CloudTrail data to monitor for successful log group deletions, excluding console-based actions. This activity is significant as it indicates potential attempts to evade logging and monitoring, which is crucial for maintaining visibility into AWS activities. If confirmed malicious, this could allow attackers to hide their tracks, making it difficult to detect further malicious actions or investigate incidents within the compromised AWS environment.
Show query
`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
  | rename user_name as user
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY signature dest user
       user_agent src vendor_account
       vendor_region vendor_product
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `aws_defense_evasion_delete_cloudwatch_log_group_filter`
Splunk ESCU SPL T1685.002 ↗
AWS Defense Evasion Delete Cloudtrail
The following analytic detects the deletion of AWS CloudTrail logs by identifying `DeleteTrail` events within CloudTrail logs. This detection leverages CloudTrail data to monitor for successful `DeleteTrail` actions, excluding those initiated from the AWS console. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to prolonged unauthorized access and further exploitation.
Show query
`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
  | rename user_name as user
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY signature dest user
       user_agent src vendor_account
       vendor_region vendor_product
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `aws_defense_evasion_delete_cloudtrail_filter`
Splunk ESCU SPL T1685.002 ↗
AWS Defense Evasion Impair Security Services
The following analytic detects attempts to impair AWS security services by monitoring deletion operations, pairing each eventName with the eventSource that can legitimately emit it. As written, the search matches `DeleteDetector` from GuardDuty; `DeleteIPSet`, `DeleteWebACL`, `DeleteRuleGroup` and `DeleteRule` from GuardDuty, WAF classic or WAFv2; and `DeleteLoggingConfiguration` from WAF classic, WAFv2 or Route 53. Pairing names with sources reduces noise, because the same operation name exists in unrelated services and an unqualified `eventName` match would flag them all. Note that the description shipped with this rule also mentions CloudWatch alarm and CloudWatch Logs log stream deletions (`DeleteLogStream`), but the query shown here does not include those operations; cover them separately if you need them. This activity is significant because it indicates potential efforts to disable security monitoring and evade detection. If confirmed malicious, this could allow attackers to operate undetected, escalate privileges, or exfiltrate data without triggering security alerts, severely compromising the security posture of the AWS environment.
Show query
`cloudtrail`
(eventName="DeleteDetector" AND eventSource="guardduty.amazonaws.com")
OR (eventName IN ("DeleteIPSet", "DeleteWebACL", "DeleteRuleGroup", "DeleteRule") AND eventSource IN ("guardduty.amazonaws.com", "wafv2.amazonaws.com", "waf.amazonaws.com"))
OR (eventName="DeleteLoggingConfiguration" AND eventSource IN ("wafv2.amazonaws.com", "waf.amazonaws.com", "route53.amazonaws.com"))
| rename user_name as user
| stats count min(_time) as firstTime max(_time) as lastTime by signature dest user user_agent src vendor_account vendor_region vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_impair_security_services_filter`
Splunk ESCU SPL T1485.001, T1685.002 ↗
AWS Defense Evasion PutBucketLifecycle
The following analytic detects `PutBucketLifecycle` events in AWS CloudTrail logs where a user sets a lifecycle rule for an S3 bucket with an expiration period of fewer than three days. This detection leverages CloudTrail logs to identify suspicious lifecycle configurations. This activity is significant because attackers may use it to delete CloudTrail logs quickly, thereby evading detection and impairing forensic investigations. If confirmed malicious, this could allow attackers to cover their tracks, making it difficult to trace their actions and respond to the breach effectively.
Show query
`cloudtrail` eventName=PutBucketLifecycle user_type=IAMUser errorCode=success
  | spath path=requestParameters{}.LifecycleConfiguration{}.Rule{}.Expiration{}.Days output=expiration_days
  | spath path=requestParameters{}.bucketName output=bucket_name
  | rename user_name as user
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY signature dest user
       user_agent src vendor_account
       vendor_region vendor_product bucket_name
       expiration_days
  | where expiration_days < 3
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `aws_defense_evasion_putbucketlifecycle_filter`
Splunk ESCU SPL T1685.002 ↗
AWS Defense Evasion Stop Logging Cloudtrail
The following analytic detects `StopLogging` events in AWS CloudTrail logs. It leverages CloudTrail event data to identify when logging is intentionally stopped, excluding console-based actions and focusing on successful attempts. This activity is significant because adversaries may stop logging to evade detection and operate stealthily within the compromised environment. If confirmed malicious, this action could allow attackers to perform further activities without being logged, hindering incident response and forensic investigations, and potentially leading to unauthorized access or data exfiltration.
Show query
`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent!=console.amazonaws.com errorCode = success
  | rename user_name as user
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY signature dest user
       user_agent src vendor_account
       vendor_region vendor_product
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `aws_defense_evasion_stop_logging_cloudtrail_filter`
Splunk ESCU SPL T1685.002 ↗
AWS Defense Evasion Update Cloudtrail
The following analytic detects `UpdateTrail` events in AWS CloudTrail logs. It identifies attempts to modify CloudTrail settings, potentially to evade logging. The detection leverages CloudTrail logs, focusing on `UpdateTrail` events where the user agent is not the AWS console and the operation is successful. This activity is significant because altering CloudTrail settings can disable or limit logging, hindering visibility into AWS account activities. If confirmed malicious, this could allow attackers to operate undetected, compromising the integrity and security of the AWS environment.
Show query
`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
  | rename user_name as user
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY signature dest user
       user_agent src vendor_account
       vendor_region vendor_product
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `aws_defense_evasion_update_cloudtrail_filter`
Splunk ESCU SPL T1486 ↗
AWS Detect Users creating keys with encrypt policy without MFA
The following analytic detects the creation of AWS KMS keys with an encryption policy accessible to everyone, including external entities. It leverages AWS CloudTrail logs to identify `CreateKey` or `PutKeyPolicy` events where the `kms:Encrypt` action is granted to all principals. This activity is significant as it may indicate a compromised account, allowing an attacker to misuse the encryption key to target other organizations. If confirmed malicious, this could lead to unauthorized data encryption, potentially disrupting operations and compromising sensitive information across multiple entities.
Show query
`cloudtrail` eventName=CreateKey OR eventName=PutKeyPolicy
  | spath input=requestParameters.policy output=key_policy_statements path=Statement{}
  | mvexpand key_policy_statements
  | spath input=key_policy_statements output=key_policy_action_1 path=Action
  | spath input=key_policy_statements output=key_policy_action_2 path=Action{}
  | eval key_policy_action=mvappend(key_policy_action_1,key_policy_action_2)
  | spath input=key_policy_statements output=key_policy_principal path=Principal.AWS
  | search key_policy_action="kms:Encrypt" AND key_policy_principal="*"
  | rename user_name as user
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY signature dest user
       user_agent src vendor_account
       vendor_region vendor_product key_policy_action
       key_policy_principal
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`