LoFP
/
T1530
T1530
Title
Tags
based on the values of`datapointthreshold` and `deviationthreshold`, the false positive rate may vary. please modify this according the your environment.
T1530
s3 bucket
splunk
external account ids or broken automation may trigger this rule. for accessdenied (http 403 forbidden), s3 doesn't charge the bucket owner when the request is initiated outside of the bucket owner's individual aws account or the bucket owner's aws organization.
T1530
t1619
T1657
aws
elastic
gcp storage buckets can be accessed from any ip (if the acls are open to allow it), as long as it can make a successful connection. this will be a false postive, since the search is looking for a new ip within the past two hours.
T1530
gcp storage bucket
splunk
it is possible that certain file access scenarios may trigger this alert, specifically onedrive syncing and users accessing personal onedrives of other users. adjust threshold and filtering as needed.
T1530
t1567
o365 tenant
splunk
it is possible that certain file download scenarios may trigger this alert, specifically onedrive syncing. adjust threshold and filtering as needed.
T1530
t1567
o365 tenant
splunk
it is possible that certain file sync scenarios may trigger this alert, specifically onenote. adjust threshold and filtering as needed.
T1530
t1567
o365 tenant
splunk
legitimate users may download files from onedrive using oauth authentication. ensure that the downloads are authorized and the user is known before taking action.
T1530
o365
elastic
legitimate users may scan dynamodb tables for various reasons, such as data analysis or application functionality. ensure that the user has the necessary permissions and that the scan operation is authorized before taking action.
T1530
t1567
aws
elastic
legitimate users may subscribe to sns topics for legitimate purposes. ensure that the subscription is authorized before taking action.
t1496
T1530
t1567
aws
elastic
s3 buckets can be accessed from any ip, as long as it can make a successful connection. this will be a false postive, since the search is looking for a new ip within the past hour
T1530
s3 bucket
splunk
storage administrators may legitimately enable public access for specific business requirements such as hosting public content or cdn integration. verify that the configuration change was expected and follows organizational policies. consider exceptions for approved storage accounts.
T1530
azure
elastic
subscription creations may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. subscription creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
T1530
gcp
elastic
topic creations may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. topic creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
T1530
gcp
elastic
trail creations may be made by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. trail creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
T1530
aws
elastic
trail updates may be made by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. trail updates from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
T1530
t1565
aws
elastic
while this search has no known false positives, it is possible that a gcp admin has legitimately created a public bucket for a specific purpose. that said, gcp strongly advises against granting full control to the \"allusers\" group.
T1530
gcp storage bucket
splunk