LoFP LoFP / T1530

T1530

TitleTags
a user may generate a shared access link to encryption key files to share with others. it is unlikely that the intended recipient is an external or anonymous user.
automated scripts or processes that use azcopy for routine data transfers from azure storage accounts.
azure arc system components may create or update secrets and configmaps in the azure-arc and azure-arc-release namespaces during normal cluster management. filter by namespace to exclude these.
devops or it teams performing authorized data transfers or downloads from azure storage using azcopy.
external account ids or broken automation may trigger this rule. for accessdenied (http 403 forbidden), s3 doesn't charge the bucket owner when the request is initiated outside of the bucket owner's individual aws account or the bucket owner's aws organization.
helm operations managed through arc may create release secrets (prefixed with sh.helm.release.v1). these are normal arc lifecycle operations.
hr or finance personnel legitimately searching for employee or financial records.
it administrators searching for configuration or infrastructure documentation.
it administrators using pnp powershell for site management, migration, or backup operations.
legal teams searching for contract or privileged documents.
legitimate automation scripts using powershell to interact with sharepoint or onedrive for business purposes.
legitimate changes to share an s3 bucket with an external account may be identified as false positives.
legitimate ci/cd pipelines, infrastructure tooling, or configuration management systems may retrieve secret files from s3 as part of their normal operation. validate the calling identity, user agent, and source ip against known automation accounts and expected access patterns.
legitimate data migration or backup operations using azcopy with sas tokens may trigger this rule.
legitimate security scanners, cspm products, compliance jobs, and inventory automation may call the same read-only bucket apis across many buckets quickly. verify the principal arn, source ip, user agent, and schedule against known approved tooling before treating the activity as malicious.
legitimate users may download files from onedrive using oauth authentication. ensure that the downloads are authorized and the user is known before taking action.
legitimate users may scan dynamodb tables for various reasons, such as data analysis or application functionality. ensure that the user has the necessary permissions and that the scan operation is authorized before taking action.
legitimate users may subscribe to sns topics for legitimate purposes. ensure that the subscription is authorized before taking action.
security or compliance teams using ediscovery or content search for legitimate investigations.
some organizations may have legitimate use cases for s3 browser or cyberduck, particularly in development, data migration, or backup scenarios. verify whether the iam principal, source network, and accessed buckets align with approved workflows. unexpected activity from these clients, especially accessing sensitive buckets, should be investigated.
storage administrators may legitimately enable public access for specific business requirements such as hosting public content or cdn integration. verify that the configuration change was expected and follows organizational policies. consider exceptions for approved storage accounts.
subscription creations may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. subscription creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
this rule does not differentiate by itself whether the same policy also includes deny statements that restrict public access. if a policy includes both effect=allow and effect=deny with principal:\"*\", this rule may still trigger. such cases should be manually analyzed to verify whether the deny statement effectively negates the public exposure.
topic creations may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. topic creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
trail creations may be made by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. trail creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
trail updates may be made by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. trail updates from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
vm export and ec2 image creation may be done by system administrators, devops or migration teams as part of planned maintenance, disaster-recovery or known backup methods. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. exports from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.