LoFP / aws

aws rule

a database instance may be created by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. instance creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a domain may be transferred to another aws account by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. domain transfers from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a domain transfer lock may be disabled by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. activity from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
an elasticache security group deletion may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. security group deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
an elasticache security group may be created by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. security group creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a group may be created by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. group creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a kms customer managed key may be disabled or scheduled for deletion by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. key deletions by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a log stream may be deleted by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. log stream deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a mfa device may be deactivated by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. mfa device deactivations from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a private hosted zone may be associated with a vpc by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. if known behavior is causing false positives, it can be exempted from the rule.
a resource group may be deleted by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. resource group deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a s3 configuration change may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. s3 configuration change from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a security group may be created by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. security group creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a single port being opened for a new service that is known to be in deployment
a team has configured an ec2 instance to use instance profiles that grant the option for the ec2 instance to talk to other aws services
adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)
adding users to a specified group may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. user additions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
administrators closing unused ports to reduce the attack surface
administrators listing buckets; it may be necessary to filter out users who commonly conduct this activity.
administrators may legitimately access, delete, and replace objects in s3 buckets. ensure that the sequence of events is not part of a legitimate operation before taking action.
administrators may legitimately add security group rules to allow traffic from any ip address or from specific ip addresses to common remote access ports.
administrators may upload ssh public keys to ec2 instances for legitimate purposes.
administrators or automated systems may legitimately perform multiple `describe` and `list` api calls in a short time frame. verify the user identity and the purpose of the api calls to determine if the behavior is expected.
administrators within an aws organization structure may legitimately encrypt bucket objects with a key from an account different from the target bucket. ensure that this behavior is not part of a legitimate operation before taking action.
administrators within an aws organization structure may legitimately suspend object versioning. ensure that this behavior is not part of a legitimate operation before taking action.
ami sharing is a common practice in aws environments. ensure that the sharing is authorized before taking action.
an rds security group deletion may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. security group deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
an rds security group may be created by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. security group creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
applications integrated with aws might assume roles to access aws resources.
assumed roles may be used by legitimate automated systems to create iam users for specific workflows. verify if this event aligns with known automation activities. if the action is routine for specific roles or user agents (e.g., `aws-cli`, `boto3`), consider adding those roles or user agents to a monitored exception list for streamlined review.
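The note above, and the many entries on this page that end with "verify whether the user identity, user agent, and/or hostname should be making changes ... it can be exempted from the rule", all describe the same tuning step: key an exemption on the stable principal behind a call and the client it is expected to use, then suppress only that pair. The following is an added example of that step in Python, not code from the LoFP page or from any detection project. Field names follow the CloudTrail record format; the exemption list, account ID, role names, user agents and sample records are constructed for illustration.

```python
"""Triage CloudTrail records against an exemption list of known automation.

Added example, not code from the LoFP page or from any detection project.
Field names follow the CloudTrail record format; the exemptions, account ID,
role names and sample records below are constructed for illustration.
"""

# Constructed exemptions. Each entry pairs a principal with the user agent it
# is expected to use. The user agent is client-controlled and must never be the
# only criterion; pairing it with the principal keeps the exemption narrow.
EXEMPTIONS = [
    {"principal": "arn:aws:iam::111122223333:role/TerraformDeployRole",
     "user_agent_prefix": "APN/1.0 HashiCorp/1.0 Terraform/"},
]

# Actions the (hypothetical) rule set watches, grouped by event source.
WATCHED = {
    "iam.amazonaws.com": {"CreateUser", "AttachRolePolicy", "DeactivateMFADevice"},
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
}


def principal_arn(event):
    """Stable identity behind a call.

    For AssumedRole sessions userIdentity.arn carries the session ARN, whose
    session name is chosen by the caller; the role itself is reported under
    sessionContext.sessionIssuer.arn, so exemptions key on that when present.
    """
    ident = event.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn", "")


def is_exempt(event):
    """True only when both the principal and its user agent match one entry."""
    arn = principal_arn(event)
    agent = event.get("userAgent", "")
    return any(e["principal"] == arn and agent.startswith(e["user_agent_prefix"])
               for e in EXEMPTIONS)


def triage(event):
    """Return (verdict, detail) for one CloudTrail record."""
    source, name = event.get("eventSource"), event.get("eventName")
    if name not in WATCHED.get(source, ()):
        return ("ignore", f"{name} is not watched")
    if is_exempt(event):
        return ("suppressed", f"{name} by exempt pair {principal_arn(event)} / {event.get('userAgent')}")
    return ("alert", f"{name} by {principal_arn(event)} via {event.get('userAgent')} "
                     f"from {event.get('sourceIPAddress')}")


def triage_all(records):
    """Verdicts for a list of parsed records, in input order."""
    return [triage(r)[0] for r in records]


# Constructed sample records, trimmed to the fields the logic reads.
SAMPLE_RECORDS = [
    # Terraform running under its deploy role: the exempt pair, so suppressed.
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.6.0 (+https://www.terraform.io)",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/TerraformDeployRole/ci-run-4711",
                      "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/TerraformDeployRole"}}}},
    # A human creating a user from the console: alert.
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userAgent": "console.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    # Same exempt role, but driven from the CLI rather than Terraform: the pair
    # does not match, so someone reusing the role's credentials still alerts.
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5.0 exe/x86_64",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/TerraformDeployRole/alice",
                      "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/TerraformDeployRole"}}}},
    # Not a watched action at all.
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userAgent": "Boto3/1.34.0", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(*triage(record))
```

The third sample is the reason the exemption is a pair rather than a bare role or a bare user agent: an exemption on `TerraformDeployRole` alone would have hidden a `StopLogging` issued by hand with the role's credentials, and an exemption on `aws-cli/` alone would hide anything an attacker runs from the CLI.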
assumerole from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
assumerole may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
authorized changes to the aws account's identity provider
automated processes for infrastructure setup may trigger this alert.
automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives.
automated processes that use terraform may lead to false positives.
automated processes using tools like terraform may trigger this alert.
automated workflows might assume roles to perform periodic tasks such as data backups, updates, or deployments.
automated workflows might assume root to perform periodic administrative tasks.
aws administrator legitimately disabling bucket versioning
aws administrators or automated processes might regularly assume roles for legitimate administrative purposes.
aws administrators or automated processes might regularly assume root for legitimate administrative purposes.
legitimate aws api key exchange workflows
aws iam roles anywhere trust anchors are legitimately created by administrators to allow access from any location. ensure that the trust anchor was created by a legitimate administrator and that the external certificate authority is authorized.
aws roles anywhere profiles are legitimate profiles that can be created by administrators to allow access from any location. ensure that the profile created is expected and that the trust policy is configured securely.
aws services might assume roles to access aws resources as part of their standard operations.
aws services might assume root to access aws resources as part of their standard operations.
aws tasks that require aws account root user credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
benign changes to a db instance
bucket components may be deleted by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. bucket component deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
bucket components may be deleted or adjusted by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. bucket component deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
bucket logging may be disabled by a system or network administrator. verify whether the user identity and/or user agent should be making changes in your environment. logging changes by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
bucket replication across accounts is a legitimate practice in some aws environments. ensure that the replication is authorized before taking action.
changes to security groups to allow for new services to be deployed
clusters or instances may be deleted by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. cluster or instance deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
confirm if the modification or deletion was part of a planned change or maintenance activity.
creating a lambda function url configuration by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
creating a lambda function url configuration may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
creation of a new database that needs new security group rules
db snapshot sharing is a common practice in aws environments. ensure that the sharing is authorized before taking action.
deletions by unfamiliar users should be investigated. if the behavior is known and expected, it can be exempted from the rule.
dev, uat, and sat environments may trigger this rule; apply it to the prod account only.
dev, uat, and sat environments may trigger this rule; apply it to the prod environment only.
disabling encryption may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. disabling encryption by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
eks cluster creation or deletion may be performed by a system administrator.
eks cluster creation or deletion by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
eventbridge rules could be deleted or disabled by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. eventbridge rules being deleted or disabled by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
exporting snapshots may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. snapshot exports from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
file system or mount being deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. file system mount deletion by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
firewall acls may be deleted by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. web acl deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
getsessiontoken may be called by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. getsessiontoken calls from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
getsignintoken events will occur when using the aws sso portal to log in and will generate false positives if you do not filter for the expected user agent(s); see the filter. non-sso configured roles would be abnormal and should be investigated.
glue development endpoint activity may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
iam users may occasionally share ec2 snapshots with another aws account belonging to the same organization. if known behavior is causing false positives, it can be exempted from the rule.
if known behavior is causing false positives, it can be exempted from the rule.
it's strongly recommended that the root user is not used for everyday tasks, including the administrative ones. verify whether the ip address, location, and/or hostname should be logging in as root in your environment. unfamiliar root logins should be investigated immediately. if known behavior is causing false positives, it can be exempted from the rule.
known or internal account ids or automation
lambda function owners may add layers to their functions for legitimate purposes.
lambda function owners may legitimately update the function policy to allow public invocation.
lambda layers attached by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
lambda layer being attached may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
legitimate administrative actions by authorized system administrators could cause this alert. verify the user identity, user agent, and hostname to ensure they are expected.
legitimate administrative actions by authorized users importing keys for valid purposes.
legitimate changes to share an s3 bucket with an external account may be identified as false positives but are not best practice.
legitimate deletion of route53 resolver query log configuration by authorized personnel.
legitimate iam administrators may attach customer-managed policies to roles for various reasons, such as granting temporary permissions or updating existing policies. ensure that the user attaching the policy is authorized to do so and that the action is expected.
legitimate use of acls to enable customer and staff access from the public internet into a public vpc
legitimate use of aws systems manager to establish a session to an ec2 instance.
legitimate use of the `describeinstances` api call by an aws resource that requires information about instances in multiple regions.
legitimate user account administration
legitimate users may create ssm command documents for legitimate purposes. ensure that the document is authorized and the user is known before taking action.
legitimate users may have to use ssm to perform actions against machines in the cloud to update or maintain them
legitimate users may subscribe to sns topics for legitimate purposes. ensure that the subscription is authorized and the subscription email address is known before taking action.
master password change is a legitimate means to regain access to a db instance in the case of a lost password. ensure that the instance should not be modified in this way before taking action.
network acls may be created by a network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. network acl creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
network acls may be deleted by a network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. network acl deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
new or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently.
new or unusual user command activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; or changes in the way services are used.
new subnets added requiring routing setup
new vpc creation requiring setup of a new route table
new vpcs and subnets being setup requiring a different security profile to those already defined
privileged iam users with security responsibilities may be expected to make changes to the config service in order to align with local security policies and requirements. automation, orchestration, and security tools may also make changes to the config service, where they are used to automate setup or configuration of aws accounts. other kinds of user or service contexts do not commonly make changes to this service.
public access is a common configuration used to enable access from outside a private vpc. ensure that the instance should not be modified in this way before taking action.
rare and unusual errors may indicate an impending service failure state. rare and unusual user error activity can also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud automation scripts or workflows, or changes to iam privileges.
repurposing of an elb or alb to serve a different or additional application
restoring db instances may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. instance restoration by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
role chaining is used legitimately in some access control designs. ensure that this behavior is not part of a legitimate operation before taking action.
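Role chaining shows up in CloudTrail as an `AssumeRole` call made with credentials that already come from an assumed-role session, i.e. `userIdentity.type` is `AssumedRole` on an `sts.amazonaws.com` event. Separating the designed chains the note above calls legitimate from everything else is a matter of keying on the calling role and the target role. The following is an added example in Python, not code from the LoFP page or from any detection project; the allowlist, account IDs, role names and sample records are constructed for illustration.

```python
"""Flag role chaining in CloudTrail AssumeRole records.

Added example, not code from the LoFP page or from any detection project.
The allowlist, account IDs, role names and sample records are constructed.
"""

# Constructed: chains that are part of a designed access path (a central
# automation role hopping into workload accounts), keyed on the calling role
# and the target role it is allowed to chain into.
ALLOWED_CHAINS = {
    ("arn:aws:iam::111122223333:role/CentralAutomation",
     "arn:aws:iam::444455556666:role/WorkloadDeploy"),
}


def calling_role(event):
    """Role behind an AssumedRole session, or None for other identity types."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")


def account_of(role_arn):
    """Account ID from an IAM ARN (arn:partition:iam::ACCOUNT:role/Name)."""
    return role_arn.split(":")[4]


def chain_verdict(event, allowed=ALLOWED_CHAINS):
    """Return None when the record is not role chaining, else a verdict string."""
    if event.get("eventSource") != "sts.amazonaws.com" or event.get("eventName") != "AssumeRole":
        return None
    source = calling_role(event)
    if source is None:
        return None  # IAM user, federated user or AWS service: a first hop, not chaining
    target = event.get("requestParameters", {}).get("roleArn", "")
    if (source, target) in allowed:
        return "chain_allowed"
    if account_of(source) != account_of(target):
        return "chain_cross_account"
    return "chain_same_account"


def verdicts(records, allowed=ALLOWED_CHAINS):
    """Verdict per record, in input order."""
    return [chain_verdict(r, allowed) for r in records]


def _assume(source_type, source_arn, target_arn, issuer_arn=None):
    """Build a constructed AssumeRole record."""
    ident = {"type": source_type, "arn": source_arn}
    if issuer_arn:
        ident["sessionContext"] = {"sessionIssuer": {"type": "Role", "arn": issuer_arn}}
    return {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
            "userIdentity": ident,
            "requestParameters": {"roleArn": target_arn, "roleSessionName": "s"}}


CENTRAL = "arn:aws:iam::111122223333:role/CentralAutomation"
SAMPLE_RECORDS = [
    # IAM user assuming a role: a first hop, not chaining.
    _assume("IAMUser", "arn:aws:iam::111122223333:user/alice",
            "arn:aws:iam::111122223333:role/Admin"),
    # Designed path: CentralAutomation -> WorkloadDeploy in another account.
    _assume("AssumedRole", "arn:aws:sts::111122223333:assumed-role/CentralAutomation/ci",
            "arn:aws:iam::444455556666:role/WorkloadDeploy", issuer_arn=CENTRAL),
    # Same session hopping into an account it has no business in: investigate.
    _assume("AssumedRole", "arn:aws:sts::111122223333:assumed-role/CentralAutomation/ci",
            "arn:aws:iam::777788889999:role/OrganizationAccountAccessRole", issuer_arn=CENTRAL),
    # Chaining inside one account, from a read-only session into Admin.
    _assume("AssumedRole", "arn:aws:sts::111122223333:assumed-role/ReadOnly/bob",
            "arn:aws:iam::111122223333:role/Admin",
            issuer_arn="arn:aws:iam::111122223333:role/ReadOnly"),
]

if __name__ == "__main__":
    for record, verdict in zip(SAMPLE_RECORDS, verdicts(SAMPLE_RECORDS)):
        print(verdict, record["requestParameters"]["roleArn"])
```

Two caveats for tuning. The allowlist keys on `sessionContext.sessionIssuer.arn`, not on `userIdentity.arn`, because the session name in the latter is chosen by the caller. And since a chained session cannot last longer than one hour, failed `AssumeRole` calls that request a longer `DurationSeconds` from an assumed-role session are themselves a useful signal of someone discovering the chain by trial and error.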
route tables could be modified or deleted by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. route table modifications by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule. automated processes that use terraform may also lead to false positives.
route tables may be created by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. route table creation by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule. automated processes that use terraform may lead to false positives.
saml provider updates by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
saml providers could be updated by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. saml provider updates by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
scheduled tasks or scripts that require information about instances in multiple regions.
snapshots may be deleted by a system administrator. verify whether the user identity should be making changes in your environment. snapshot deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
some organizations allow login with the root user without mfa; however, this is not considered best practice by aws and increases the risk of compromised credentials.
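The root-login notes on this page separate three things a `ConsoleLogin` record can tell you: whether the caller was the root user, whether MFA was used, and whether the source address is one where root logins are expected. The following is an added example in Python that classifies CloudTrail `ConsoleLogin` records along those lines; it is not code from the LoFP page or from any detection project. Field names follow the CloudTrail `ConsoleLogin` record format; the known source address, account ID and sample records are constructed for illustration.

```python
"""Classify CloudTrail ConsoleLogin records for the root user.

Added example, not code from the LoFP page or from any detection project.
The known source addresses, account ID and sample records are constructed.
"""

# Constructed: addresses from which root logins are expected (for instance a
# break-glass workstation). Anything else counts as "unfamiliar".
KNOWN_ROOT_SOURCES = frozenset({"203.0.113.10"})


def classify_root_login(event, known_sources=KNOWN_ROOT_SOURCES):
    """Return a finding label for a root ConsoleLogin record, else None.

    Labels, most to least severe:
      root_login_without_mfa  successful root login with MFAUsed != "Yes"
      root_login_failed       failed root login (credential guessing lands here)
      root_login_unfamiliar   successful MFA login from an address not in known_sources
      root_login_expected     successful MFA login from a known address
    """
    if event.get("eventSource") != "signin.amazonaws.com" or event.get("eventName") != "ConsoleLogin":
        return None
    if event.get("userIdentity", {}).get("type") != "Root":
        return None
    outcome = event.get("responseElements", {}).get("ConsoleLogin")
    # A missing additionalEventData block is treated as "no MFA": absence of
    # the field is not evidence that a second factor was used.
    mfa_used = event.get("additionalEventData", {}).get("MFAUsed") == "Yes"
    if outcome != "Success":
        return "root_login_failed"
    if not mfa_used:
        return "root_login_without_mfa"
    if event.get("sourceIPAddress") not in known_sources:
        return "root_login_unfamiliar"
    return "root_login_expected"


def root_login_findings(records, known_sources=KNOWN_ROOT_SOURCES):
    """(eventTime, sourceIPAddress, label) for every root ConsoleLogin, in input order."""
    found = []
    for r in records:
        label = classify_root_login(r, known_sources)
        if label:
            found.append((r.get("eventTime"), r.get("sourceIPAddress"), label))
    return found


def _login(when, ip, who="Root", outcome="Success", mfa="No"):
    """Build a constructed ConsoleLogin record."""
    arn = "arn:aws:iam::111122223333:root" if who == "Root" else "arn:aws:iam::111122223333:user/alice"
    return {"eventTime": when, "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
            "userIdentity": {"type": who, "arn": arn},
            "sourceIPAddress": ip,
            "responseElements": {"ConsoleLogin": outcome},
            "additionalEventData": {"MFAUsed": mfa, "LoginTo": "https://console.aws.amazon.com/"}}


SAMPLE_RECORDS = [
    _login("2024-05-01T08:00:00Z", "203.0.113.10", mfa="Yes"),                     # expected
    _login("2024-05-01T09:15:00Z", "198.51.100.7", mfa="Yes"),                     # unfamiliar source
    _login("2024-05-01T09:16:00Z", "198.51.100.7", mfa="No"),                      # no MFA
    _login("2024-05-01T09:17:00Z", "198.51.100.7", outcome="Failure", mfa="No"),   # failed attempt
    _login("2024-05-01T10:00:00Z", "198.51.100.7", who="IAMUser", mfa="Yes"),      # not root: ignored
]

if __name__ == "__main__":
    for finding in root_login_findings(SAMPLE_RECORDS):
        print(*finding)
```

The source-address allowlist only ever downgrades a login that already used MFA; a root login without MFA is reported regardless of where it came from, which matches the note that such logins should be investigated immediately rather than exempted.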
spikes in error message activity can also be due to bugs in cloud automation scripts or workflows; changes to cloud automation scripts or workflows; adoption of new services; changes in the way services are used; or changes to iam privileges.
suspending the recording of a trail may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. trail suspensions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
system administrator activities
system or network administrator behaviors
task definition being modified to request credentials from the task metadata service for valid reasons
the deletionprotection feature must be disabled as a prerequisite for deletion of a db instance or cluster. ensure that the instance should not be modified in this way before taking action.
the guardduty detector may be deleted by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. detector deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
there are legitimate uses of ssm to send commands to ec2 instances
this is an intentional action taken by aws in the event of compromised credentials. follow the instructions specified in the support case created for you regarding this event.
this is very uncommon behavior and should result in minimal false positives; ensure the validity of the triggered event and add exceptions where necessary.
traffic mirroring may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. traffic mirroring from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
trail creations may be made by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. trail creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
trail deletions may be made by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. trail deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
trail updates may be made by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. trail updates from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
users may legitimately access aws systems manager (ssm) parameters using the getparameter, getparameters, or describeparameters api actions with credentials in the request parameters. ensure that the user has a legitimate reason to access the parameters and that the credentials are secured.
valid change in a trail
valid change in aws config service
valid change in the guardduty (e.g. to ignore internal scanners)
valid change to a snapshot's permissions
valid changes to the startup script
valid clusters may be created by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. cluster creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
valid clusters or instances may be stopped by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. cluster or instance stoppages from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
valid usage of s3 browser for iam loginprofile listing and/or creation
valid usage of s3 browser for iam user and/or accesskey creation
valid usage of s3 browser with accidental creation of default inline iam policy without changing default s3 bucket name placeholder value
verify if the modification or deletion was performed by an authorized administrator.
verify the user identity, user agent, and source ip address to ensure they are expected.
verify whether the user identity should be using the `createstack` or `createstackset` apis. if known behavior is causing false positives, it can be exempted from the rule. the "history_window_start" value can be modified to reflect the expected frequency of known activity within a particular environment.
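The "history_window_start" setting in the note above controls a first-seen comparison: an identity calling `CreateStack` or `CreateStackSet` is alerted on only when it has not done so within the history window, so a longer window means fewer repeat alerts for a deploy role that runs infrequently. The following is an added example in Python that replays CloudTrail records and applies that logic; it is not code from the LoFP page or from any detection project. The account ID, role and user names, timestamps and records are constructed for illustration.

```python
"""First-seen detection for CreateStack / CreateStackSet by identity.

Added example, not code from the LoFP page or from any detection project.
Account ID, principal names, timestamps and records are constructed.
"""
from datetime import datetime, timedelta, timezone

WATCHED = ("CreateStack", "CreateStackSet")


def principal_arn(event):
    """Role behind an AssumedRole session, otherwise userIdentity.arn.

    Keying on the session ARN instead would make every run of the same deploy
    role look new, since the session name changes each time.
    """
    ident = event.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn", "")


def parse_time(stamp):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def first_seen_alerts(records, history_days=7):
    """Return (eventTime, principal, eventName) for each watched call that is
    the first by that principal in that account within the last history_days."""
    window = timedelta(days=history_days)
    last_seen = {}
    alerts = []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        if rec.get("eventSource") != "cloudformation.amazonaws.com" or rec.get("eventName") not in WATCHED:
            continue
        when = parse_time(rec["eventTime"])
        key = (rec.get("recipientAccountId"), principal_arn(rec), rec["eventName"])
        previous = last_seen.get(key)
        if previous is None or when - previous > window:
            alerts.append((rec["eventTime"], key[1], key[2]))
        last_seen[key] = when
    return alerts


def _cfn(when, name, arn, issuer=None):
    """Build a constructed CloudFormation CloudTrail record."""
    ident = {"type": "AssumedRole" if issuer else "IAMUser", "arn": arn}
    if issuer:
        ident["sessionContext"] = {"sessionIssuer": {"arn": issuer}}
    return {"eventTime": when, "eventSource": "cloudformation.amazonaws.com", "eventName": name,
            "recipientAccountId": "111122223333", "userIdentity": ident}


DEPLOY = "arn:aws:iam::111122223333:role/CfnDeployRole"
ALICE = "arn:aws:iam::111122223333:user/alice"
SAMPLE_RECORDS = [
    _cfn("2024-05-01T08:00:00Z", "CreateStack", "arn:aws:sts::111122223333:assumed-role/CfnDeployRole/run1", DEPLOY),
    _cfn("2024-05-03T08:00:00Z", "CreateStack", "arn:aws:sts::111122223333:assumed-role/CfnDeployRole/run2", DEPLOY),
    _cfn("2024-05-20T08:00:00Z", "CreateStack", "arn:aws:sts::111122223333:assumed-role/CfnDeployRole/run3", DEPLOY),
    _cfn("2024-05-04T12:00:00Z", "CreateStackSet", ALICE),
    _cfn("2024-05-02T09:00:00Z", "DescribeStacks", ALICE),
]

if __name__ == "__main__":
    for days in (7, 30):
        print(f"history window {days} days:")
        for alert in first_seen_alerts(SAMPLE_RECORDS, history_days=days):
            print("  ", *alert)
```

With a 7-day window the deploy role alerts on 1 May and again on 20 May, because 17 days of silence exceed the window; with a 30-day window the second alert disappears. That is the trade-off the note describes: widen the window to match how often the known automation actually runs, but no further, since a principal that has been dormant longer than the window is exactly what the rule is meant to surface.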
verify whether the user identity should be using the sts `getcalleridentity` api operation. if known behavior is causing false positives, it can be exempted from the rule.
verify whether the user identity, user agent, and/or hostname should be making changes in your environment. log group deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
verify whether the user identity, user agent, and/or hostname should be requesting changes in your environment. password reset attempts from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
verify whether the user identity, user agent, and/or hostname should be using the getsecretvalue or batchgetsecretvalue apis for the specified secretid. if known behavior is causing false positives, it can be exempted from the rule.
vm exports may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. vm exports from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
waf rules or rule groups may be deleted by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. rule deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
while this can be normal behavior, it should be investigated to ensure validity. verify whether the user identity should be using the iam `attachrolepolicy` api operation to attach the `administratoraccess` policy to the target role.