
T1537

A new transport rule may be created by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.
An S3 configuration change may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. S3 configuration changes from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
A transport rule may be modified by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.
Allowed administrative activities.
False positives may be present based on automated tooling or system administrators. Filter as needed.
AMI sharing is a common practice in AWS environments. Ensure that the sharing is authorized before taking action.
Authorization rule additions or modifications may be made by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Authorization rule additions or modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
Bucket replication across accounts is a legitimate practice in some AWS environments. Ensure that the sharing is authorized before taking action.
DB snapshot sharing is a common practice in AWS environments. Ensure that the sharing is authorized before taking action.
IAM users may occasionally share EC2 snapshots with another AWS account belonging to the same organization. If known behavior is causing false positives, it can be exempted from the rule.
It is possible that an AWS admin has legitimately implemented data replication to ensure data availability and improve data protection/backup strategies.
It is possible that an AWS admin has legitimately shared a snapshot with another account for a specific purpose. Please check any recent change requests filed in your organization.
It is possible that an AWS admin has legitimately shared a snapshot with others for a specific purpose.
Legitimate changes that share an S3 bucket with an external account may be identified as false positives, but such sharing is not best practice.
Logging sink modifications may be made by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Sink modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
This behavior may be seen in normal file transfers within the network if a network share is the commonplace way of sharing documents.
Valid changes to a snapshot's permissions.
VM exports may be performed by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. VM exports from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.