LoFP
/
s3 bucket
Title
Tags
based on the values of`datapointthreshold` and `deviationthreshold`, the false positive rate may vary. please modify this according the your environment.
T1530
s3 bucket
splunk
s3 buckets can be accessed from any ip, as long as it can make a successful connection. this will be a false postive, since the search is looking for a new ip within the past hour
T1530
s3 bucket
splunk
some applications or web pages may continue to reference old s3 bucket urls after they have been decommissioned. these should be investigated and updated to prevent potential security risks.
t1485
s3 bucket
splunk
there maybe buckets provisioned with s3 encryption
t1486
s3 bucket
splunk
while this search has no known false positives, it is possible that an aws admin has legitimately created a public bucket for a specific purpose. that said, aws strongly advises against granting full control to the \"all users\" group.
T1530
s3 bucket
splunk
LoFP
/
s3 bucket