LoFP LoFP / development or deployment pipelines that update static frontends frequently (e.g., react/vue apps) may trigger this. verify the user agent, source ip, and whether the modification was expected.

Techniques

Sample rules

AWS S3 Static Site JavaScript File Uploaded

Description

This rule detects when a JavaScript file is uploaded or accessed in an S3 static site directory (static/js/) by an IAM user or assumed role. This can indicate suspicious modification of web content hosted on S3, such as injecting malicious scripts into a static website frontend.

Detection logic

from logs-aws.cloudtrail* metadata _id, _version, _index

| where
    // S3 object read/write activity
    event.dataset == "aws.cloudtrail"
    and event.provider == "s3.amazonaws.com"
    and event.action in ("GetObject", "PutObject")

    // IAM users or assumed roles only
    and aws.cloudtrail.user_identity.type in ("IAMUser", "AssumedRole")

    // Requests for static site bundles
    and aws.cloudtrail.request_parameters like "*static/js/*.js*"

    // Exclude IaC and automation tools
    and not (
        user_agent.original like "*Terraform*"
        or user_agent.original like "*Ansible*"
        or user_agent.original like "*Pulumni*"
    )

// Extract fields from request parameters
| dissect aws.cloudtrail.request_parameters
    "%{{?bucket.name.key}=%{Esql.aws_cloudtrail_request_parameters_bucket_name}, %{?host.key}=%{Esql_priv.aws_cloudtrail_request_parameters_host}, %{?bucket.object.location.key}=%{Esql.aws_cloudtrail_request_parameters_bucket_object_location}}"

// Extract file name portion from full object path
| dissect Esql.aws_cloudtrail_request_parameters_object_location "%{}static/js/%{Esql.aws_cloudtrail_request_parameters_object_key}"

// Match on JavaScript files
| where ends_with(Esql.aws_cloudtrail_request_parameters_object_key, ".js")

// Retain relevant ECS and dissected fields
| keep
    aws.cloudtrail.user_identity.arn,
    aws.cloudtrail.user_identity.access_key_id,
    aws.cloudtrail.user_identity.type,
    aws.cloudtrail.request_parameters,
    Esql.aws_cloudtrail_request_parameters_bucket_name,
    Esql.aws_cloudtrail_request_parameters_object_key,
    user_agent.original,
    source.ip,
    event.action,
    @timestamp