LoFP LoFP / aws account

TitleTags
a user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.
a user with successful authentication events from different ips may also represent the legitimate use of more than one device. filter as needed and/or customize the threshold to fit your environment.
administrator tooling or automated scripts may make these calls but it is highly unlikely to make several calls in a short period of time.
alse positives may be present based on automated tooling or system administrators. filter as needed.
attach to policy can create a lot of noise. this search can be adjusted to provide specific values to identify cases of abuse (i.e status=failure). the search can provide context for common users attaching themselves to higher privilege policies or even newly created policies.
aws administrators may disable mfa but it is highly unlikely for this event to occur without prior notice to the company
createrole is not very common in common users. this search can be adjusted to provide specific values to identify cases of abuse. in general aws provides plenty of trust policies that fit most use cases.
it is possible that a user downloaded these files to use them locally and there are aws services in configured that perform these activities for a legitimate reason. filter is needed.
it is possible that an aws administrator has legitimately created this task for creating backup. please check the `sourcelocationarn` and `destinationlocationarn` of this task
it is possible that an aws administrator has legitimately disabled versioning on certain buckets to avoid costs.
it is possible that an aws administrator or a user has legitimately created this job for some tasks.
it is possible that some accounts do not have mfa enabled for the aws account however its agaisnt the best practices of securing aws.
it is possible to start this detection will need to be tuned by source ip or user. in addition, change the count values to an upper threshold to restrict false positives.
legitimate users may miss to reply the mfa challenge within the time window or deny it by mistake.
newly onboarded users who are registering an mfa method for the first time will also trigger this detection.
not all permanent key creations are malicious. if there is a policy of rotating keys this search can be adjusted to provide better context.
sts:assumerole can be very noisy as it is a standard mechanism to provide cross account and cross resources access. this search can be adjusted to provide specific values to identify cases of abuse.
sts:getsessiontoken can be very noisy as in certain environments numerous calls of this type can be executed. this search can be adjusted to provide specific values to identify cases of abuse. in specific environments the use of field requestparameters.serialnumber will need to be used.
this detection will require tuning to provide high fidelity detection capabilties. tune based on src addresses (corporate offices, vpn terminations) or by groups of users. not every user with aws access should have permission to delete groups (least privilege).
users may genuinely mistype or forget the password.
users may genuinely reset the rds password.
when your development is spreaded in different time zones, applying this rule can be difficult.
while this search has no known false positives, it is possible that an aws admin has stopped cloudtrail logging. please investigate this activity.
while this search has no known false positives, it is possible that it is a legitimate admin activity. please consider filtering out these noisy events using useragent, user_arn field names.
while this search has no known false positives.