Rules Contributing to Suspicious Modification of AWS CloudTrail Logs Alert

The following rules are used to identify suspicious activity within AWS CloudTrail logs. Any one or more of these will trigger the Suspicious Modification of AWS CloudTrail Logs Alert.

| Title | Description |
| --- | --- |
| AWS CloudTrail Log Updated | Identifies an update to an AWS log trail setting that specifies the delivery of log files. |
| Federated user attempting to assume role | A federated user is attempting to assume a role. Identity federation lets an organization manage access to AWS accounts by adding and removing users in its corporate directory, such as Microsoft Active Directory. |
| AWS Impair Security Services | This analytic looks for several delete-specific API calls made to AWS security services such as CloudWatch, GuardDuty, and Web Application Firewall. |
| AWS Privilege Escalation via Group/Role/User Policy | Identifies a request for privilege escalation by modifying an AWS Group, Role, or User policy. |