Rules Contributing to Suspicious Modification of AWS CloudTrail Logs Alert
The following rules are used to identify suspicious activity within AWS CloudTrail logs. Any one or more of these will trigger the Suspicious Modification of AWS CloudTrail Logs alert. Details for each rule can be viewed by clicking the More Details link in the description.
Title | Description | Rule ID | Query | Log Source | Rule Source | Tactics, Techniques, and Procedures | References | Severity | Suppression Logic Based On | Additional Information
---|---|---|---|---|---|---|---|---|---|---
AWS CloudTrail Log Updated | Identifies an update to an AWS log trail setting that specifies the delivery of log files. | | `{'selection1': {'eventSource': 'cloudtrail.amazonaws.com'}, 'selection2': {'eventName': 'UpdateTrail'}, 'condition': 'selection1 and selection2'}` | Stellar Cyber AWS configured. | Developed internally by Stellar Cyber | | N/A | 25 | |
Federated user attempting to assume role | A federated user is attempting to assume a role. Federated users let you manage access to AWS accounts by adding and removing users in the corporate directory, such as Microsoft Active Directory. | | `{'selection1': {'eventSource': 'cloudtrail.amazonaws.com'}, 'selection2': {'errorMessage': 'Roles may not be assumed by federated users'}, 'condition': 'selection1 and selection2'}` | Stellar Cyber AWS configured. | Developed internally by Stellar Cyber | | N/A | 50 | |
AWS Impair Security Services | This analytic looks for several delete-specific API calls made to AWS security services such as CloudWatch, GuardDuty and Web Application Firewalls. | | `{'selection1': {'eventSource': 'cloudtrail.amazonaws.com'}, 'selection2': {'eventName': 'DeleteLogStream'}, 'selection3': {'eventName': 'DeleteDetector'}, 'selection4': {'eventName': 'DeleteIPSet'}, 'selection5': {'eventName': 'DeleteWebACL'}, 'selection6': {'eventName': 'DeleteRule'}, 'selection7': {'eventName': 'DeleteRuleGroup'}, 'selection8': {'eventName': 'DeleteLoggingConfiguration'}, 'selection9': {'eventName': 'DeleteAlarms'}, 'condition': 'selection1 and (selection2 or selection3 or selection4 or selection5 or selection6 or selection7 or selection8 or selection9)'}` | Stellar Cyber AWS configured. | Developed internally by Stellar Cyber | | N/A | 70 | |
AWS Privilege Escalation via Group/Role/User Policy | Identifies a request for privilege escalation by modifying an AWS group, role or user policy. | | `{'selection1': {'eventSource': 'cloudtrail.amazonaws.com', 'eventName': ['AttachGroupPolicy', 'PutGroupPolicy', 'AttachRolePolicy', 'PutRolePolicy', 'AttachUserPolicy', 'PutUserPolicy']}, 'selection2': {'requestParameters_policyArn': ['arn:aws:iam::aws:policy/AdministratorAccess', 'arn:aws:iam::aws:policy/AmazonSNSFullAccess', 'arn:aws:iam::aws:policy/AmazonEC2FullAccess', 'arn:aws:iam::aws:policy/AmazonS3FullAccess', 'arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess', 'arn:aws:iam::aws:policy/AWSCodeCommitPowerUser', 'arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser', 'arn:aws:iam::aws:policy/PowerUserAccess', 'arn:aws:iam::aws:policy/DatabaseAdministrator', 'arn:aws:iam::aws:policy/NetworkAdministrator', 'arn:aws:iam::aws:policy/SystemAdministrator', 'arn:aws:iam::aws:policy/Billing']}, 'condition': 'selection1 and selection2'}` | Stellar Cyber AWS configured. | Developed internally by Stellar Cyber | | N/A | 50 | |
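The queries above use a small selection/condition grammar: each `selectionN` is a set of field comparisons that must all hold (a list value means "any of these"), and `condition` combines the selections with `and`/`or`. The script below is an added example, not Stellar Cyber code, that evaluates the four queries exactly as listed against constructed CloudTrail-style events, so the logic of each rule can be checked offline. Two points are assumptions: that Stellar Cyber flattens nested JSON fields with an underscore (so `requestParameters.policyArn` becomes the `requestParameters_policyArn` field the last query names), and the sample events themselves, which are invented for illustration.

```python
"""Offline evaluator for the CloudTrail rule queries listed on this page.

Added example: the rule definitions are copied from the page; the evaluator,
the '_' field flattening and the sample events are assumptions, not Stellar
Cyber code.
"""
import ast

# The four rules as listed on the page (query dicts copied verbatim).
RULES = {
    "AWS CloudTrail Log Updated": {"severity": 25, "query": {
        "selection1": {"eventSource": "cloudtrail.amazonaws.com"},
        "selection2": {"eventName": "UpdateTrail"},
        "condition": "selection1 and selection2"}},
    "Federated user attempting to assume role": {"severity": 50, "query": {
        "selection1": {"eventSource": "cloudtrail.amazonaws.com"},
        "selection2": {"errorMessage": "Roles may not be assumed by federated users"},
        "condition": "selection1 and selection2"}},
    "AWS Impair Security Services": {"severity": 70, "query": {
        "selection1": {"eventSource": "cloudtrail.amazonaws.com"},
        "selection2": {"eventName": "DeleteLogStream"},
        "selection3": {"eventName": "DeleteDetector"},
        "selection4": {"eventName": "DeleteIPSet"},
        "selection5": {"eventName": "DeleteWebACL"},
        "selection6": {"eventName": "DeleteRule"},
        "selection7": {"eventName": "DeleteRuleGroup"},
        "selection8": {"eventName": "DeleteLoggingConfiguration"},
        "selection9": {"eventName": "DeleteAlarms"},
        "condition": "selection1 and (selection2 or selection3 or selection4 or "
                     "selection5 or selection6 or selection7 or selection8 or selection9)"}},
    "AWS Privilege Escalation via Group/Role/User Policy": {"severity": 50, "query": {
        "selection1": {"eventSource": "cloudtrail.amazonaws.com",
                       "eventName": ["AttachGroupPolicy", "PutGroupPolicy", "AttachRolePolicy",
                                     "PutRolePolicy", "AttachUserPolicy", "PutUserPolicy"]},
        "selection2": {"requestParameters_policyArn": [
            "arn:aws:iam::aws:policy/" + p for p in (
                "AdministratorAccess", "AmazonSNSFullAccess", "AmazonEC2FullAccess",
                "AmazonS3FullAccess", "AmazonDynamoDBFullAccess", "AWSCodeCommitPowerUser",
                "AWSKeyManagementServicePowerUser", "PowerUserAccess", "DatabaseAdministrator",
                "NetworkAdministrator", "SystemAdministrator", "Billing")]},
        "condition": "selection1 and selection2"}},
}


def flatten(event, prefix=""):
    """Flatten nested keys with '_' (assumed mapping: requestParameters.policyArn
    becomes requestParameters_policyArn, the field name used in the last query)."""
    flat = {}
    for key, value in event.items():
        name = prefix + key
        if isinstance(value, dict):
            flat.update(flatten(value, name + "_"))
        else:
            flat[name] = value
    return flat


def selection_matches(selection, flat):
    """Every field in a selection must match; a list value means 'any of these'."""
    for field, expected in selection.items():
        actual = flat.get(field)
        if isinstance(expected, list):
            if actual not in expected:
                return False
        elif actual != expected:
            return False
    return True


def _eval_condition(node, truth):
    """Walk the parsed condition; only and/or/not and selection names are accepted."""
    if isinstance(node, ast.Expression):
        return _eval_condition(node.body, truth)
    if isinstance(node, ast.BoolOp):
        results = [_eval_condition(v, truth) for v in node.values]
        return all(results) if isinstance(node.op, ast.And) else any(results)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval_condition(node.operand, truth)
    if isinstance(node, ast.Name):
        return truth[node.id]
    raise ValueError("unsupported condition syntax: " + type(node).__name__)


def query_matches(query, event):
    """True when the event satisfies the query's condition over its selections."""
    flat = flatten(event)
    truth = {name: selection_matches(sel, flat)
             for name, sel in query.items() if name != "condition"}
    return _eval_condition(ast.parse(query["condition"], mode="eval"), truth)


def match_rules(event):
    """Return [(title, severity), ...] for every rule the event satisfies."""
    return [(title, rule["severity"]) for title, rule in RULES.items()
            if query_matches(rule["query"], event)]


# Constructed sample events for illustration (not real CloudTrail records).
SAMPLE_EVENTS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
     "requestParameters": {"name": "org-trail", "isMultiRegionTrail": False}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "AttachUserPolicy",
     "requestParameters": {"userName": "ci-deploy",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "AssumeRole",
     "errorMessage": "Roles may not be assumed by federated users"},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteLogStream"},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["eventName"], "->", match_rules(event) or "no match")
```

The condition string is parsed with `ast` and only boolean operators and selection names are accepted, so a malformed or unexpected condition raises instead of being executed. Note that every query requires `eventSource` to equal `cloudtrail.amazonaws.com`, so an event must carry that value in the normalized schema for any of these rules to fire; the last sample event (a read-only `DescribeTrails`) matches nothing.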