LoFP
T1530
Title
Tags
a user may generate a shared access link to encryption key files to share with others. it is unlikely that the intended recipient is an external or anonymous user.
T1530
t1552
google_workspace
elastic
automated scripts or processes that use azcopy for routine data transfers from azure storage accounts.
T1530
t1567
azure
elastic
azure arc system components may create or update secrets and configmaps in the azure-arc and azure-arc-release namespaces during normal cluster management. filter by namespace to exclude these.
t1213
T1530
t1552
t1565
kubernetes
elastic
based on the values of `datapointthreshold` and `deviationthreshold`, the false positive rate may vary. please tune these according to your environment.
T1530
s3 bucket
splunk
devops or it teams performing authorized data transfers or downloads from azure storage using azcopy.
T1530
t1567
azure
elastic
external account ids or broken automation may trigger this rule. for accessdenied (http 403 forbidden), s3 doesn't charge the bucket owner when the request is initiated outside of the bucket owner's individual aws account or the bucket owner's aws organization.
T1530
t1580
t1619
T1657
aws
elastic
gcp storage buckets can be accessed from any ip address (if the acls allow it) that can make a successful connection. this can produce false positives, since the search alerts on any ip not seen within the past two hours.
T1530
gcp storage bucket
splunk
helm operations managed through arc may create release secrets (prefixed with sh.helm.release.v1). these are normal arc lifecycle operations.
t1213
T1530
t1552
t1565
kubernetes
elastic
hr or finance personnel legitimately searching for employee or financial records.
t1213
T1530
t1619
o365
elastic
it administrators searching for configuration or infrastructure documentation.
t1213
T1530
t1619
o365
elastic
it administrators using pnp powershell for site management, migration, or backup operations.
t1059
t1213
T1530
o365
elastic
it is possible that certain file access scenarios may trigger this alert, specifically onedrive syncing and users accessing personal onedrives of other users. adjust threshold and filtering as needed.
T1530
t1567
o365 tenant
splunk
it is possible that certain file download scenarios may trigger this alert, specifically onedrive syncing. adjust threshold and filtering as needed.
T1530
t1567
o365 tenant
splunk
it is possible that certain file sync scenarios may trigger this alert, specifically onenote. adjust threshold and filtering as needed.
T1530
t1567
o365 tenant
splunk
legal teams searching for contract or privileged documents.
t1213
T1530
t1619
o365
elastic
legitimate automation scripts using powershell to interact with sharepoint or onedrive for business purposes.
t1059
t1213
T1530
o365
elastic
legitimate changes to share an s3 bucket with an external account may be identified as false positives.
t1098
T1530
t1537
aws
elastic
legitimate configuration exports may occur during normal administrative activities. these events should be verified and investigated.
t1005
T1530
network
splunk
legitimate data migration or backup operations using azcopy with sas tokens may trigger this rule.
T1530
t1567
azure
elastic
legitimate security scanners, cspm products, compliance jobs, and inventory automation may call the same read-only bucket apis across many buckets quickly. verify the principal arn, source ip, user agent, and schedule against known approved tooling before treating the activity as malicious.
t1526
T1530
t1580
t1619
aws
elastic
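The check described above, verifying principal arn, source ip, user agent and schedule against approved tooling before treating a fast sweep of read-only bucket apis as enumeration, can be expressed as an allowlist applied before counting distinct buckets per principal. the following is an added illustration, not the elastic rule's own logic; the allowlist entries, the threshold of 10 buckets and the sample cloudtrail events are all constructed for the example. it uses the real cloudtrail field names (`userIdentity.arn`, `eventName`, `sourceIPAddress`, `userAgent`, `requestParameters.bucketName`).

```python
import fnmatch
import ipaddress
from collections import defaultdict

# Read-only bucket-level S3 APIs that CSPM scanners and inventory jobs
# typically call across every bucket in an account.
READ_ONLY_BUCKET_APIS = {
    "GetBucketAcl", "GetBucketPolicy", "GetBucketPolicyStatus",
    "GetBucketPublicAccessBlock", "GetBucketEncryption", "GetBucketLogging",
    "GetBucketVersioning", "GetBucketLocation", "GetBucketTagging",
}

# Hypothetical allowlist of approved tooling (constructed for this example).
# Every field must match for an event to be suppressed: principal ARN (glob),
# user agent (glob) and source CIDR, so a stolen scanner role used from an
# unexpected network or client still alerts.
APPROVED_TOOLING = [
    {
        "principal_arn": "arn:aws:sts::123456789012:assumed-role/cspm-scanner/*",
        "user_agent": "prowler/*",
        "source_cidr": "10.20.0.0/16",
    },
]


def is_approved_tooling(event, allowlist=APPROVED_TOOLING):
    """True if the CloudTrail event matches an allowlist entry on all three axes."""
    arn = event.get("userIdentity", {}).get("arn", "")
    agent = event.get("userAgent", "")
    try:
        src = ipaddress.ip_address(event.get("sourceIPAddress", ""))
    except ValueError:
        # AWS service principals log a DNS name (e.g. "s3.amazonaws.com")
        # instead of an IP; those never match a CIDR-bound allowlist entry.
        return False
    for entry in allowlist:
        if (fnmatch.fnmatchcase(arn, entry["principal_arn"])
                and fnmatch.fnmatchcase(agent, entry["user_agent"])
                and src in ipaddress.ip_network(entry["source_cidr"])):
            return True
    return False


def bucket_enumerators(events, min_buckets=10):
    """Return {principal_arn: sorted bucket names} for principals that called
    read-only bucket APIs against at least min_buckets distinct buckets and
    are not covered by the allowlist."""
    seen = defaultdict(set)
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        if ev.get("eventName") not in READ_ONLY_BUCKET_APIS:
            continue
        if is_approved_tooling(ev):
            continue
        bucket = ev.get("requestParameters", {}).get("bucketName")
        if bucket:
            seen[ev["userIdentity"]["arn"]].add(bucket)
    return {arn: sorted(b) for arn, b in seen.items() if len(b) >= min_buckets}


def _event(arn, name, bucket, ip, agent):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {
        "eventSource": "s3.amazonaws.com", "eventName": name,
        "userIdentity": {"arn": arn}, "sourceIPAddress": ip, "userAgent": agent,
        "requestParameters": {"bucketName": bucket},
    }


# Constructed sample trail: an approved scanner sweeping 12 buckets, an unknown
# IAM user doing the same from an external address, and a developer touching 2.
SCANNER = "arn:aws:sts::123456789012:assumed-role/cspm-scanner/nightly"
CONTRACTOR = "arn:aws:iam::123456789012:user/contractor"
DEV = "arn:aws:iam::123456789012:user/dev"
SAMPLE_EVENTS = (
    [_event(SCANNER, "GetBucketPolicy", f"corp-data-{i:02d}", "10.20.4.7", "prowler/3.12.0") for i in range(12)]
    + [_event(CONTRACTOR, "GetBucketAcl", f"corp-data-{i:02d}", "203.0.113.5", "aws-cli/2.15.0") for i in range(12)]
    + [_event(DEV, "GetBucketVersioning", f"corp-data-{i:02d}", "10.20.9.1", "aws-cli/2.15.0") for i in range(2)]
)

if __name__ == "__main__":
    for arn, buckets in bucket_enumerators(SAMPLE_EVENTS).items():
        print(f"{arn} enumerated {len(buckets)} buckets, e.g. {buckets[:3]}")
```

only the contractor principal survives the filter: the scanner is suppressed because all three allowlist fields match, and the developer never reaches the bucket-count threshold. the schedule check mentioned in the note (is the scanner running when it is expected to?) would be a fourth field on the allowlist entry keyed on `eventTime`.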
legitimate users may download files from onedrive using oauth authentication. ensure that the downloads are authorized and the user is known before taking action.
t1020
T1530
t1567
o365
elastic
legitimate users may scan dynamodb tables for various reasons, such as data analysis or application functionality. ensure that the user has the necessary permissions and that the scan operation is authorized before taking action.
t1213
T1530
t1567
aws
elastic
legitimate users may subscribe to sns topics for legitimate purposes. ensure that the subscription is authorized before taking action.
t1102
t1496
T1530
t1567
aws
elastic
s3 buckets can be accessed from any ip address that can make a successful connection. this can produce false positives, since the search alerts on any ip not seen within the past hour.
T1530
s3 bucket
splunk
security or compliance teams using ediscovery or content search for legitimate investigations.
t1213
T1530
t1619
o365
elastic
some organizations may have legitimate use cases for s3 browser or cyberduck, particularly in development, data migration, or backup scenarios. verify whether the iam principal, source network, and accessed buckets align with approved workflows. unexpected activity from these clients, especially accessing sensitive buckets, should be investigated.
T1530
t1567
aws
elastic
storage administrators may legitimately enable public access for specific business requirements such as hosting public content or cdn integration. verify that the configuration change was expected and follows organizational policies. consider exceptions for approved storage accounts.
T1530
azure
elastic
subscription creations may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. subscription creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
t1119
T1530
gcp
elastic
this rule does not by itself determine whether the same policy also includes deny statements that restrict public access. if a policy includes both effect=allow and effect=deny with principal: "*", this rule may still trigger. such cases should be manually analyzed to verify whether the deny statement effectively negates the public exposure.
T1530
t1537
aws
elastic
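The manual analysis called for above (does an unconditional deny with principal "*" actually cover every action and resource that the public allow grants?) can be automated for the common cases. the following is an added example, not the elastic rule's own logic: it treats an allow as negated only when a deny with principal "*" and no condition covers each action/resource pair, because in iam an explicit deny always wins but a conditional deny only applies when its condition holds. the sample policies are constructed for the example; `NotAction`, `NotResource`, `NotPrincipal` and condition-scoped allows are deliberately not modelled and should still be reviewed by hand.

```python
import fnmatch
import json


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_any_principal(principal):
    """True for the two spellings of 'everyone': "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _statement_covers(stmt, action, resource):
    """Does stmt's Action/Resource (IAM-style '*' wildcards) cover the pair?
    Action names are case-insensitive in IAM, resource ARNs are not."""
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    resources = _as_list(stmt.get("Resource"))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def analyse_public_exposure(policy_json):
    """Classify each public Allow statement in a bucket policy.

    Returns a list of (sid, status) where status is:
      "exposed" - public Allow with no unconditional public Deny covering it
      "negated" - every action/resource pair is covered by a Deny whose
                  Principal is also "*" and which carries no Condition
    Limitation: NotAction/NotResource/NotPrincipal and Condition-scoped
    Allows are not modelled; a conditional Deny never counts as negating.
    """
    policy = json.loads(policy_json)
    statements = _as_list(policy.get("Statement"))
    hard_denies = [s for s in statements
                   if s.get("Effect") == "Deny"
                   and _is_any_principal(s.get("Principal"))
                   and "Condition" not in s]
    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _is_any_principal(stmt.get("Principal")):
            continue
        pairs = [(a, r) for a in _as_list(stmt.get("Action"))
                 for r in _as_list(stmt.get("Resource"))]
        negated = all(any(_statement_covers(d, a, r) for d in hard_denies)
                      for a, r in pairs)
        findings.append((stmt.get("Sid", f"stmt{idx}"), "negated" if negated else "exposed"))
    return findings


# Constructed sample policies (not real bucket configurations).
PUBLIC_READ = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::corp-data/*"}],
})

NEGATED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::corp-data", "arn:aws:s3:::corp-data/*"]},
        {"Sid": "DenyAll", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::corp-data", "arn:aws:s3:::corp-data/*"]},
    ],
})

# The Deny here only bites on plaintext HTTP, so HTTPS reads stay public.
CONDITIONAL_DENY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::corp-data/*"},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::corp-data/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

ACCOUNT_ONLY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "OwnerRead", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::corp-data/*"}],
})

if __name__ == "__main__":
    for name, doc in [("PUBLIC_READ", PUBLIC_READ), ("NEGATED", NEGATED),
                      ("CONDITIONAL_DENY", CONDITIONAL_DENY), ("ACCOUNT_ONLY", ACCOUNT_ONLY)]:
        print(name, analyse_public_exposure(doc))
```

the third sample is the case the note warns about: a deny with principal "*" is present, so a naive "is there a deny?" check would suppress the alert, yet the bucket remains publicly readable over https. a wildcard allow such as `s3:*` is likewise only reported as negated when the deny is at least as broad.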
topic creations may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. topic creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
T1530
T1651
gcp
elastic
trail creations may be made by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. trail creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
T1530
t1562
aws
elastic
trail updates may be made by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. trail updates from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
T1530
t1562
t1565
aws
elastic
vm export and ec2 image creation may be done by system administrators, devops or migration teams as part of planned maintenance, disaster-recovery or known backup methods. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. exports from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
t1005
t1119
T1530
t1537
t1567
aws
elastic
while this search has no known false positives, it is possible that a gcp admin has legitimately created a public bucket for a specific purpose. that said, gcp strongly advises against granting full control to the "allUsers" principal.
T1530
gcp storage bucket
splunk
while this search has no known false positives, it is possible that an aws admin has legitimately created a public bucket for a specific purpose. that said, aws strongly advises against granting full control to the "AllUsers" group.
T1530
s3 bucket
splunk