Rules Contributing to Suspicious AWS Root Account Activity Alert
The following rules are used to identify suspicious activity with AWS Root Account. Any one or more of these will trigger the Suspicious AWS Root Account Activity Alert. Details for each rule can be viewed by clicking the More Details link in the description.
Title |
Description |
||||||||
---|---|---|---|---|---|---|---|---|---|
AWS Root Credentials |
Detects AWS root account usage More details
Rule IDQuery{'selection1': {'eventSource': 'signin.amazonaws.com'}, 'selection_usertype': {'userIdentity_type': 'Root'}, 'selection_eventtype': {'eventType': 'AwsServiceEvent'}, 'condition': 'selection1 and selection_usertype and not selection_eventtype'} Log SourceStellar Cyber AWS configured for:
Rule SourceSigmaHQ,8ad1600d-e9dc-4251-b0ee-a65268f29add Author: vitaliy0x1 Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
AWS Management Console Root Login |
Identifies a successful login to the AWS Management Console by the Root user. More details
Rule IDQuery{'selection1': {'eventSource': 'signin.amazonaws.com'}, 'selection2': {'eventName': 'ConsoleLogin'}, 'selection3': {'userIdentity_type': 'Root'}, 'condition': 'selection1 and selection2 and selection3'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Root access key created |
An access key was created for the root account. More details
Rule IDQuery{'selection1': {'eventSource': 'cloudtrail.amazonaws.com'}, 'selection2': {'userIdentity_type': 'Root'}, 'selection3': {'eventName': 'CreateAccessKey'}, 'condition': 'selection1 and selection2 and selection3'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|