LoFP / aws account
Title
Tags
A user with more than 20 failed authentication attempts in the span of 5 minutes may also be the result of a broken application rather than a brute-force attempt.
t1110.001
t1201
aws account
azure tenant
splunk
A user with successful authentication events from different IPs may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.
t1110.001
T1110.003
T1535
t1586
aws account
azure tenant
splunk
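The two console-login notes above (a burst of failed attempts, and successes from several IPs) as runnable checks over constructed CloudTrail ConsoleLogin records. This is an added example, not the LoFP page's or Splunk's own detection logic; the thresholds, the sliding 5-minute window, the trusted CIDR list and the sample events are assumptions chosen to illustrate the tuning the notes ask for.

```python
"""Added example: threshold-based ConsoleLogin checks with the tuning knobs the
false-positive notes mention (window, threshold, trusted source ranges)."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


def login(user, ip, minute, ok):
    """Build a constructed (not real) CloudTrail ConsoleLogin record."""
    return {
        "eventName": "ConsoleLogin",
        "eventTime": f"2024-05-01T10:{minute:02d}:00Z",
        "sourceIPAddress": ip,
        "userIdentity": {"userName": user},
        "responseElements": {"ConsoleLogin": "Success" if ok else "Failure"},
    }


# Constructed sample data: a burst, a slow drip, and two multi-IP users.
EVENTS = (
    [login("alice", "203.0.113.5", m // 5, ok=False) for m in range(25)]   # 25 failures in 5 minutes
    + [login("bob", "203.0.113.6", 2 * i, ok=False) for i in range(25)]    # 25 failures over 48 minutes
    + [login("carol", ip, 10, ok=True) for ip in ("198.51.100.10", "198.51.100.11", "203.0.113.9")]
    + [login("dave", ip, 11, ok=True) for ip in ("203.0.113.20", "203.0.113.21")]
)

# Assumed corporate office / VPN egress range; logins from here do not count as "another IP".
TRUSTED_CIDRS = ("198.51.100.0/24",)


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def excessive_failures(events, threshold=20, window=timedelta(minutes=5)):
    """Users whose failed ConsoleLogin count in any sliding `window` exceeds `threshold`.
    Returns {user: {"peak": failures in the busiest window, "source_ips": [...]}}.
    A sliding window avoids missing a burst that straddles a fixed 5-minute bucket;
    the source IP list helps separate a broken app (one IP, steady rate) from spraying."""
    by_user = defaultdict(list)
    for e in events:
        if e["eventName"] == "ConsoleLogin" and e["responseElements"]["ConsoleLogin"] == "Failure":
            by_user[e["userIdentity"]["userName"]].append((_ts(e), e["sourceIPAddress"]))
    flagged = {}
    for user, recs in by_user.items():
        recs.sort()
        times = [t for t, _ in recs]
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[user] = {"peak": peak, "source_ips": sorted({ip for _, ip in recs})}
    return flagged


def multi_ip_successes(events, trusted_cidrs=TRUSTED_CIDRS, max_ips=1):
    """Users with successful ConsoleLogin events from more than `max_ips` distinct
    source IPs, ignoring trusted ranges. Raise `max_ips` or widen `trusted_cidrs`
    for users who legitimately work from several devices."""
    nets = [ip_network(c) for c in trusted_cidrs]
    ips = defaultdict(set)
    for e in events:
        if e["eventName"] != "ConsoleLogin" or e["responseElements"]["ConsoleLogin"] != "Success":
            continue
        ip = ip_address(e["sourceIPAddress"])
        if any(ip in n for n in nets):
            continue  # office/VPN egress: expected multi-device use
        ips[e["userIdentity"]["userName"]].add(str(ip))
    return {u: sorted(s) for u, s in ips.items() if len(s) > max_ips}


if __name__ == "__main__":
    print("burst of failures:", excessive_failures(EVENTS))
    print("multi-IP successes:", multi_ip_successes(EVENTS))
```

With the sample data, `alice` trips the failure threshold from a single IP (the shape of a broken application), `bob` does not despite the same total because the attempts are spread out, `carol` is excused by the trusted range, and `dave` is the multi-IP case the second note describes.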
Administrator tooling or automated scripts may make these calls, but it is highly unlikely for them to make several calls in a short period of time.
t1110.001
t1586.003
aws account
splunk
False positives may be present based on automated tooling or system administrators. Filter as needed.
t1537
aws account
splunk
AWS administrators may disable MFA, but it is highly unlikely for this to occur without prior notice to the company.
t1556.006
t1586.003
t1621
aws account
splunk
It is possible that a user downloaded these files to use them locally, and there may be AWS services configured that perform these activities for a legitimate reason. Filter as needed.
t1119
aws account
splunk
It is possible that an AWS administrator has legitimately created this task for backups. Check the `sourcelocationarn` and `destinationlocationarn` of this task and confirm that both point at storage your organization controls.
t1119
aws account
splunk
It is possible that an AWS administrator has legitimately disabled versioning on certain buckets to reduce costs.
t1490
aws account
splunk
It is possible that an AWS administrator or a user has legitimately created this job for a routine task.
t1119
aws account
splunk
It is possible that some accounts do not have MFA enabled for the AWS account; however, this is against best practices for securing AWS.
t1078.004
t1586.003
aws account
splunk
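The note above concerns users who sign in without MFA. An offline way to enumerate them, added here as an example that is not part of the LoFP page or the Splunk detection, is to parse the IAM credential report. The CSV below is constructed with a subset of the real report's columns; the column names and the `<root_account>` sentinel are as IAM emits them, while the users and timestamps are invented. The `exceptions` parameter is an assumed way to record approved break-glass accounts so the check stops reporting them.

```python
"""Added example: console users without MFA, from an IAM credential report."""
import csv
import io

# Constructed sample report (subset of the real columns; not real data).
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111111111111:root,2019-01-01T00:00:00+00:00,not_supported,2024-04-30T08:00:00+00:00,false,false
alice,arn:aws:iam::111111111111:user/alice,2020-02-02T00:00:00+00:00,true,2024-05-01T09:12:00+00:00,true,true
bob,arn:aws:iam::111111111111:user/bob,2021-03-03T00:00:00+00:00,true,2024-05-01T07:45:00+00:00,false,false
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,2022-04-04T00:00:00+00:00,false,no_information,false,true
"""


def console_users_without_mfa(report_csv, exceptions=frozenset()):
    """Return users that can sign in to the console but have no active MFA.

    - Access-key-only users (password_enabled=false) are skipped: MFA does not
      gate their API calls, so the fix for them is a role, not a device.
    - The root user reports password_enabled=not_supported but always has a
      password, so it is treated as console-capable.
    - `exceptions` holds accounts that were reviewed and accepted (assumed
      convention for this example), so they do not alert every run.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        console_capable = row["password_enabled"] == "true" or row["user"] == "<root_account>"
        if console_capable and row["mfa_active"] != "true" and row["user"] not in exceptions:
            findings.append(row["user"])
    return findings


if __name__ == "__main__":
    print("console users without MFA:", console_users_without_mfa(CREDENTIAL_REPORT))
```

To run this against a real account, generate and fetch the report with `aws iam generate-credential-report` followed by `aws iam get-credential-report --query Content --output text | base64 -d`, and pass the decoded CSV to `console_users_without_mfa`.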
It is possible that this detection will need to be tuned by source IP or user. In addition, raise the count threshold to reduce false positives.
t1580
aws account
splunk
Legitimate administrators may delete guardrails as part of normal operations, such as when replacing outdated guardrails with updated versions, cleaning up test resources, or consolidating security controls. Consider implementing an allowlist for expected administrators who regularly manage guardrail configurations.
T1562.008
aws account
splunk
Legitimate administrators may delete knowledge bases as part of normal operations, such as when replacing outdated knowledge bases, removing test resources, or consolidating information. Consider implementing an allowlist for expected administrators who regularly manage knowledge base configurations.
t1485
aws account
splunk
Legitimate administrators may delete model invocation logging configurations during maintenance, when updating logging policies, or when cleaning up unused resources. Consider implementing an allowlist for expected administrators who regularly manage logging configurations.
T1562.008
aws account
splunk
Legitimate users may encounter access denied errors during permission testing, role transitions, or when service permissions are being reconfigured. Access denials may also happen when automated processes use outdated credentials or when new Bedrock features are being explored.
t1078
t1550
aws account
splunk
Legitimate users may encounter multiple failures during permission testing, role transitions, or when service permissions are being reconfigured. High volumes of API errors may also occur during automated processes with misconfigured IAM policies or when new Bedrock features are being explored through API testing.
t1580
aws account
splunk
Legitimate users may fail to respond to the MFA challenge within the time window or deny it by mistake.
t1078.004
t1586.003
t1621
google cloud platform tenant
aws account
splunk
Newly onboarded users who are registering an MFA method for the first time will also trigger this detection.
t1556.006
azure active directory
aws account
splunk
This detection will require tuning to provide high-fidelity detection capabilities. Tune based on source addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).
t1069.003
t1098
aws account
splunk
Users may genuinely mistype or forget the password.
t1110.001
t1586.003
aws account
splunk
Users may genuinely reset the RDS password.
t1110
t1586.003
aws account
splunk
When your development team is spread across different time zones, applying this rule can be difficult.
T1204.003
aws account
splunk
While this search has no known false positives, it is possible that an AWS admin has stopped CloudTrail logging. Investigate this activity.
T1562.008
aws account
splunk
While this search has no known false positives, it is possible that it is legitimate admin activity. Consider filtering out these noisy events using the useragent and user_arn fields.
T1485.001
T1562.008
aws account
splunk
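Several notes on this page (disabling MFA, suspending bucket versioning, deleting Bedrock guardrails, knowledge bases and invocation logging, stopping CloudTrail) end with the same advice: keep the alert, but filter expected administrators by user_arn and useragent. The check below, an added example rather than the LoFP page's or Splunk's code, applies one allowlist to all of those CloudTrail event names over constructed records. The event names are real CloudTrail API names; the account ID, role and user names, user agents and the allowlist itself are assumptions. The design point worth noting is that useragent is set by the client, so it only narrows a principal match and never excuses an unexpected principal on its own.

```python
"""Added example: allowlist-filtered triage of sensitive CloudTrail events."""
import re

# Real CloudTrail eventNames the notes above treat as sensitive.
SENSITIVE_EVENTS = {
    "StopLogging", "DeleteTrail", "UpdateTrail",
    "DeactivateMFADevice", "DeleteVirtualMFADevice",
    "DeleteGuardrail", "DeleteKnowledgeBase",
    "DeleteModelInvocationLoggingConfiguration",
    "PutBucketVersioning",
}

# Assumed allowlist: normalized principal -> userAgent prefixes it is expected to use.
ALLOWLIST = {
    "role/SecurityAutomation": ("aws-cli/2", "terraform"),
}

_ARN_RE = re.compile(r"^arn:aws:(?:iam|sts)::\d{12}:(assumed-role|role|user)/([^/]+)")


def principal_of(user_arn):
    """Collapse an IAM/STS ARN to 'role/NAME' or 'user/NAME' so every session of
    an assumed role (arn:aws:sts::...:assumed-role/NAME/SESSION) maps to one entry."""
    m = _ARN_RE.match(user_arn)
    if not m:
        return user_arn
    kind, name = m.groups()
    return f"{'role' if kind == 'assumed-role' else kind}/{name}"


def is_sensitive(event):
    name = event["eventName"]
    if name == "PutBucketVersioning":
        # Only suspending versioning undermines recovery; enabling it is benign.
        cfg = event.get("requestParameters", {}).get("VersioningConfiguration", {})
        return cfg.get("Status") == "Suspended"
    return name in SENSITIVE_EVENTS


def triage(events, allowlist=ALLOWLIST):
    """Return one verdict per sensitive event: 'allowlisted' only when BOTH the
    principal is expected AND its userAgent matches; everything else is 'alert'."""
    out = []
    for e in events:
        if not is_sensitive(e):
            continue
        principal = principal_of(e["userIdentity"]["arn"])
        agent = e.get("userAgent", "")
        expected = allowlist.get(principal, ())  # empty for unknown principals
        verdict = "allowlisted" if any(agent.startswith(p) for p in expected) else "alert"
        out.append({"eventName": e["eventName"], "principal": principal, "verdict": verdict})
    return out


def ct(event_name, arn, agent, **params):
    """Build a constructed (not real) CloudTrail record with the fields used above."""
    return {"eventName": event_name, "userIdentity": {"arn": arn},
            "userAgent": agent, "requestParameters": params}


ACCT = "111111111111"
EVENTS = [
    ct("StopLogging", f"arn:aws:sts::{ACCT}:assumed-role/SecurityAutomation/tf-run-42",
       "aws-cli/2.15.30 md/awscrt#0.19.19", name="org-trail"),                      # expected automation
    ct("StopLogging", f"arn:aws:iam::{ACCT}:user/mallory", "aws-cli/2.15.30",
       name="org-trail"),                                                            # same UA, wrong principal
    ct("DeactivateMFADevice", f"arn:aws:iam::{ACCT}:user/jane", "console.amazonaws.com",
       userName="bob"),                                                              # MFA removed interactively
    ct("PutBucketVersioning", f"arn:aws:iam::{ACCT}:user/mallory", "aws-cli/2.15.30",
       bucketName="corp-backups", VersioningConfiguration={"Status": "Enabled"}),    # benign, ignored
    ct("PutBucketVersioning", f"arn:aws:iam::{ACCT}:user/mallory", "aws-cli/2.15.30",
       bucketName="corp-backups", VersioningConfiguration={"Status": "Suspended"}),  # alert
    ct("DeleteGuardrail", f"arn:aws:sts::{ACCT}:assumed-role/SecurityAutomation/ci",
       "Boto3/1.34.0", guardrailIdentifier="gr-1"),                                  # right role, unexpected UA
    ct("DescribeTrails", f"arn:aws:iam::{ACCT}:user/mallory", "aws-cli/2.15.30"),   # not sensitive
]

if __name__ == "__main__":
    for r in triage(EVENTS):
        print(f"{r['verdict']:11} {r['eventName']:35} {r['principal']}")
```

Of the seven constructed records, two are dropped before triage (a benign `PutBucketVersioning` enable and a read-only call), one is allowlisted, and four alert, including the two that illustrate why the allowlist keys on the principal: the right user agent from the wrong user, and the right role with an unexpected user agent.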
while this search has no known false positives.
t1526
aws account
splunk