EXPLORE DETECTIONS
AWS Bucket Deleted
Detects the deletion of S3 buckets in AWS CloudTrail logs. Monitoring the deletion of S3 buckets is critical for security and data integrity, as it may indicate potential data loss or unauthorized access attempts.
AWS CloudTrail Important Change
Detects disabling, deleting and updating of a Trail
AWS Config Disabling Channel/Recorder
Detects AWS Config Service disabling
AWS Console GetSigninToken Potential Abuse
Detects potentially suspicious events involving "GetSigninToken". An adversary using the "aws_consoler" tool can leverage this console API to create temporary federated credential that help obfuscate which AWS credential is compromised (the original access key) and enables the adversary to pivot from the AWS CLI to console sessions without the need for MFA using the new access key issued in this request.
AWS ConsoleLogin Failed Authentication
Detects failed AWS console login attempts due to authentication failures. Monitoring these events is crucial for identifying potential brute-force attacks or unauthorized access attempts to AWS accounts.
AWS EC2 Disable EBS Encryption
Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes.
AWS EC2 Startup Shell Script Change
Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.
AWS EC2 VM Export Failure
An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
AWS ECS Task Definition That Queries The Credential Endpoint
Detects when an Elastic Container Service (ECS) Task Definition includes a command to query the credential endpoint. This can indicate a potential adversary adding a backdoor to establish persistence or escalate privileges.
AWS EFS Fileshare Modified or Deleted
Detects when a EFS Fileshare is modified or deleted. You can't delete a file system that is in use. If the file system has any mount targets, the adversary must first delete them, so deletion of a mount will occur before deletion of a fileshare.
AWS EFS Fileshare Mount Modified or Deleted
Detects when a EFS Fileshare Mount is modified or deleted. An adversary breaking any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts.
AWS EKS Cluster Created or Deleted
Identifies when an EKS cluster is created or deleted.
AWS ElastiCache Security Group Created
Detects when an ElastiCache security group has been created.
AWS ElastiCache Security Group Modified or Deleted
Identifies when an ElastiCache security group has been modified or deleted.
AWS EnableRegion Command Monitoring
Detects the use of the EnableRegion command in AWS CloudTrail logs. While AWS has 30+ regions, some of them are enabled by default, others must be explicitly enabled in each account separately. There may be situations where security monitoring does not cover some new AWS regions. Monitoring the EnableRegion command is important for identifying potential persistence mechanisms employed by adversaries, as enabling additional regions can facilitate continued access and operations within an AWS environment.
AWS Glue Development Endpoint Activity
Detects possible suspicious glue development endpoint activity.
AWS GuardDuty Detector Deleted Or Updated
Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of its malicious activities. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost. Verify with the user identity that this activity is legitimate.
AWS GuardDuty Important Change
Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.
AWS IAM Backdoor Users Keys
Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.
AWS IAM S3Browser LoginProfile Creation
Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.
AWS IAM S3Browser Templated S3 Bucket Policy Creation
Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "<YOUR-BUCKET-NAME>".
AWS IAM S3Browser User or AccessKey Creation
Detects S3 Browser utility creating IAM User or AccessKey.
AWS Identity Center Identity Provider Change
Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider. A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.
AWS Key Pair Import Activity
Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations.