LoFP / aws account

a user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.
a user with successful authentication events from different ips may also represent the legitimate use of more than one device. filter as needed and/or customize the threshold to fit your environment.
administrator tooling or automated scripts may make these calls but it is highly unlikely to make several calls in a short period of time.
false positives may be present based on automated tooling or system administrators. filter as needed.
aws administrators may disable mfa, but it is highly unlikely for this to occur without prior notice to the company.
it is possible that a user downloaded these files to use them locally, and there may be aws services configured that perform these activities for a legitimate reason. filter as needed.
it is possible that an aws administrator has legitimately created this task for creating a backup. please check the `sourcelocationarn` and `destinationlocationarn` of this task.
it is possible that an aws administrator has legitimately disabled versioning on certain buckets to avoid costs.
it is possible that an aws administrator or a user has legitimately created this job for some tasks.
it is possible that some accounts do not have mfa enabled for the aws account; however, this is against the best practices for securing aws.
to start, this detection will need to be tuned by source ip or user. in addition, raise the count threshold to reduce false positives.
legitimate administrators may delete guardrails as part of normal operations, such as when replacing outdated guardrails with updated versions, cleaning up test resources, or consolidating security controls. consider implementing an allowlist for expected administrators who regularly manage guardrails configurations.
legitimate administrators may delete knowledge bases as part of normal operations, such as when replacing outdated knowledge bases, removing test resources, or consolidating information. consider implementing an allowlist for expected administrators who regularly manage knowledge base configurations.
legitimate administrators may delete model invocation logging configurations during maintenance, when updating logging policies, or when cleaning up unused resources. consider implementing an allowlist for expected administrators who regularly manage logging configurations.
legitimate users may encounter access denied errors during permission testing, role transitions, or when service permissions are being reconfigured. access denials may also happen when automated processes are using outdated credentials or when new bedrock features are being explored.
legitimate users may encounter multiple failures during permission testing, role transitions, or when service permissions are being reconfigured. high volumes of api errors may also occur during automated processes with misconfigured iam policies or when new bedrock features are being explored through api testing.
legitimate users may fail to respond to the mfa challenge within the time window or deny it by mistake.
newly onboarded users who are registering an mfa method for the first time will also trigger this detection.
this detection will require tuning to provide high fidelity detection capabilities. tune based on src addresses (corporate offices, vpn terminations) or by groups of users. not every user with aws access should have permission to delete groups (least privilege).
users may genuinely mistype or forget the password.
users may genuinely reset the rds password.
when your development is spread across different time zones, applying this rule can be difficult.
while this search has no known false positives, it is possible that an aws admin has stopped cloudtrail logging. please investigate this activity.
while this search has no known false positives, it is possible that it is legitimate admin activity. please consider filtering out these noisy events using the useragent and user_arn fields.
while this search has no known false positives.
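Several of the notes above prescribe the same two tuning tactics: a count threshold over a time window (20 failed authentications in 5 minutes) and an allowlist of expected administrators, source addresses or user agents for sensitive API calls such as group, guardrail or knowledge base deletions. The block below is an added example, written for this page and not taken from LoFP or from the underlying detection rules, that applies both tactics to constructed CloudTrail-style events. Every ARN, IP (RFC 5737 documentation ranges), user agent, event and the `ALLOWLIST` contents are made up for illustration; the simplified event shape only keeps the fields the checks read.

```python
"""Added example: threshold + allowlist tuning over constructed CloudTrail-style events.
Not code from the LoFP page or any detection rule; all data below is constructed."""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def parse_time(s):
    """CloudTrail eventTime is ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def failed_logins_over_threshold(events, threshold=20, window=timedelta(minutes=5)):
    """Return {user_arn: peak_count} for users whose failed ConsoleLogin attempts
    exceed `threshold` within any sliding window of length `window`."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: parse_time(e["eventTime"])):
        if e["eventName"] == "ConsoleLogin" and \
                e.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            by_user[e["userIdentity"]["arn"]].append(parse_time(e["eventTime"]))
    hits = {}
    for user, times in by_user.items():
        q, peak = deque(), 0
        for t in times:                       # sliding window: drop timestamps older than `window`
            q.append(t)
            while t - q[0] > window:
                q.popleft()
            peak = max(peak, len(q))
        if peak > threshold:
            hits[user] = peak
    return hits


# Hypothetical allowlist: expected admins, corporate/VPN egress, and IaC tooling.
ALLOWLIST = {
    "user_arns": {"arn:aws:iam::123456789012:user/iam-admin"},
    "user_agents": {"terraform"},          # case-insensitive substring match on userAgent
    "source_ips": {"203.0.113.0/24"},      # corporate office / VPN termination range
}


def is_allowlisted(event, allowlist=ALLOWLIST):
    """True when the event matches any allowlist dimension (user_arn, userAgent, source ip).
    sourceIPAddress may be a service name (e.g. 'cloudtrail.amazonaws.com'), not an IP."""
    if event["userIdentity"].get("arn", "") in allowlist["user_arns"]:
        return True
    ua = event.get("userAgent", "").lower()
    if any(tag in ua for tag in allowlist["user_agents"]):
        return True
    try:
        addr = ipaddress.ip_address(event.get("sourceIPAddress", ""))
    except ValueError:
        return False                      # non-IP source: never allowlisted by address
    return any(addr in ipaddress.ip_network(n) for n in allowlist["source_ips"])


def sensitive_api_alerts(events, watched=("DeleteGroup", "DeleteGuardrail", "DeleteKnowledgeBase")):
    """Sensitive management calls that survive allowlist filtering and should be investigated."""
    return [e for e in events if e["eventName"] in watched and not is_allowlisted(e)]


def _ev(name, arn, when, ip="198.51.100.7", ua="aws-cli/2.15.0", **extra):
    """Build a constructed, simplified CloudTrail event."""
    e = {"eventName": name, "eventTime": when.isoformat().replace("+00:00", "Z"),
         "userIdentity": {"arn": arn}, "sourceIPAddress": ip, "userAgent": ua}
    e.update(extra)
    return e


T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
EVENTS = []
# Broken application with a stale password: 25 failures in under 3 minutes (over threshold).
for i in range(25):
    EVENTS.append(_ev("ConsoleLogin", "arn:aws:iam::123456789012:user/batch-app",
                      T0 + timedelta(seconds=7 * i), responseElements={"ConsoleLogin": "Failure"}))
# Human mistyping a password: 6 failures spread over 25 minutes (under threshold).
for i in range(6):
    EVENTS.append(_ev("ConsoleLogin", "arn:aws:iam::123456789012:user/alice",
                      T0 + timedelta(minutes=5 * i), responseElements={"ConsoleLogin": "Failure"}))
EVENTS.append(_ev("ConsoleLogin", "arn:aws:iam::123456789012:user/alice",
                  T0 + timedelta(minutes=31), responseElements={"ConsoleLogin": "Success"}))
# Expected admin deleting a group from the corporate range: allowlisted by ARN.
EVENTS.append(_ev("DeleteGroup", "arn:aws:iam::123456789012:user/iam-admin", T0, ip="203.0.113.10"))
# CI pipeline role applying IaC: allowlisted by user agent.
EVENTS.append(_ev("DeleteGroup", "arn:aws:sts::123456789012:assumed-role/ci-deploy/run-42", T0,
                  ua="Terraform/1.6.0 aws-sdk-go-v2"))
# Unknown user deleting a guardrail from an unknown address: this one alerts.
EVENTS.append(_ev("DeleteGuardrail", "arn:aws:iam::123456789012:user/contractor", T0))

if __name__ == "__main__":
    print("failed-login threshold hits:", failed_logins_over_threshold(EVENTS))
    print("sensitive calls to investigate:",
          [(e["eventName"], e["userIdentity"]["arn"]) for e in sensitive_api_alerts(EVENTS)])
```

The threshold check uses a sliding window rather than fixed buckets, so a burst straddling a bucket boundary is not missed; raising `threshold` or `window` is the "upper threshold" tuning the notes describe. The allowlist deliberately does not cover `StopLogging`, which the page says to investigate regardless of who did it.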