Rules Contributing to Suspicious Modification of S3 Bucket Alert
The following rules are used to identify suspicious activity within S3 Bucket logs. Any one or more of these will trigger the Suspicious Modification of S3 Bucket Alert. Details for each rule can be viewed by clicking the More Details link in the description.
Title |
Description |
||||||||
---|---|---|---|---|---|---|---|---|---|
AWS S3 Data Management Tampering |
Detects when a user tampers with S3 data management in Amazon Web Services. More details
Rule IDQuery{'selection': {'eventSource': 's3.amazonaws.com', 'eventName': ['PutBucketLogging', 'PutBucketWebsite', 'PutEncryptionConfiguration', 'PutLifecycleConfiguration', 'PutReplicationConfiguration', 'ReplicateObject', 'RestoreObject']}, 'condition': 'selection'} Log SourceStellar Cyber AWS configured for:
Rule SourceSigmaHQ,78b3756a-7804-4ef7-8555-7b9024a02e2d Author: Austin Songer @austinsonger Tactics, Techniques, and ProceduresReferences
Severity25 Suppression Logic Based On
Additional Information
|
||||||||
AWS S3 Bucket Configuration Deletion |
Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components. More details
Rule IDQuery{'selection1': {'eventSource': 's3.amazonaws.com'}, 'selection2': {'eventName': ['DeleteBucketPolicy', 'DeleteBucketReplication', 'DeleteBucketCors', 'DeleteBucketEncryption', 'DeleteBucketLifecycle']}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity25 Suppression Logic Based On
Additional Information
|
||||||||
Modification of AWS S3 Access Control List |
This search detects modification of Access Control List of an S3 Bucket. More details
Rule IDQuery{'selection2': {'eventSource': 's3.amazonaws.com'}, 'selection3': {'eventName': 'PutBucketAcl'}, 'condition': 'selection2 and selection3'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity60 Suppression Logic Based On
Additional Information
|
||||||||
AWS Defense Evasion PutBucketLifecycle |
This analytic identifies `PutBucketLifecycle` events in CloudTrail logs where a user has created a new lifecycle rule for an S3 bucket with a short expiration period. More details
Rule IDQuery{'selection1': {'eventSource': 's3.amazonaws.com'}, 'selection2': {'eventName': 'PutBucketLifecycle'}, 'selection3': {'userIdentity_type': 'IAMUser'}, 'selection4': {'errorCode': 'success'}, 'condition': 'selection1 and selection2 and selection3 and selection4'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferencesSeverity50 Suppression Logic Based On
Additional Information
|