Techniques
Sample rules
AWS S3 Bucket Enumeration or Brute Force
- source: elastic
- techniques:
- T1530
- T1619
- T1657
Description
Identifies a high number of failed S3 operations against a single bucket from a single source address within a short timeframe. This activity can indicate attempts to enumerate or collect bucket objects, or to inflate the account's bill by generating large volumes of requests that fail with "AccessDenied". Note that AWS announced in May 2024 that bucket owners are no longer charged for unauthorized requests that did not originate from their own account, so the billing angle matters less than the discovery and collection angle; a burst of denied requests against one bucket is still a strong signal that someone outside the account is probing it.
Detection logic
event.dataset: "aws.cloudtrail" and
event.provider : "s3.amazonaws.com" and
aws.cloudtrail.error_code : "AccessDenied" and
tls.client.server_name : *
The query above is only the filter; the "high number from a single source against a single bucket" part comes from the rule's threshold settings, which count matching events per tls.client.server_name and source.address over the rule's lookback window. That is why the last clause requires tls.client.server_name to be present: for virtual-hosted-style S3 requests this field carries the bucket hostname (<bucket>.s3[.<region>].amazonaws.com, populated from the CloudTrail record's client-provided Host header), so grouping on it is grouping on the bucket. Path-style requests sent to s3.amazonaws.com or s3.<region>.amazonaws.com still match, but they group under the generic endpoint rather than a bucket name, so a tuning pass should confirm which style the account's clients use before relying on the bucket field alone.
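The filter and grouping logic replayed over a handful of constructed, ECS-shaped CloudTrail events, as an added example that is not Elastic's rule code. The threshold (20 denied requests per bucket and source address) and the 5-minute window are assumptions chosen for the example; the page only says "a high number" within "a short timeframe", and the real rule's values live in its threshold settings, not in the KQL. The bucket is recovered from the SNI/Host header the same way the rule groups on it, and the path-style case (no bucket in the hostname) is included to show where that grouping stops being a bucket name.

```python
"""Replay of the 'AWS S3 Bucket Enumeration or Brute Force' filter over constructed events."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed values for the example: the page gives no numbers, and the real rule
# applies its count in the threshold settings rather than in the query text.
THRESHOLD = 20
WINDOW = timedelta(minutes=5)


def matches_filter(ev):
    """The rule's KQL filter, evaluated against one flattened ECS event dict.

    `tls.client.server_name : *` in KQL means "field exists and is non-empty".
    """
    return (
        ev.get("event.dataset") == "aws.cloudtrail"
        and ev.get("event.provider") == "s3.amazonaws.com"
        and ev.get("aws.cloudtrail.error_code") == "AccessDenied"
        and bool(ev.get("tls.client.server_name"))
    )


def bucket_from_sni(server_name):
    """Virtual-hosted-style hostnames are <bucket>.s3[.<region>].amazonaws.com.

    Returns None for path-style endpoints (s3.amazonaws.com, s3.<region>.amazonaws.com),
    where the bucket is in the URL path and not in the Host/SNI value.
    """
    name, sep, _ = server_name.lower().partition(".s3.")
    return name if sep else None


def find_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """Group filter matches by (server_name, source.address) and report groups
    with at least `threshold` events inside any `window`-long sliding span."""
    groups = defaultdict(list)
    for ev in events:
        if matches_filter(ev):
            ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
            groups[(ev["tls.client.server_name"], ev["source.address"])].append(ts)

    hits = []
    for (server_name, source), stamps in groups.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:   # slide the left edge
                start += 1
            if end - start + 1 >= threshold:
                hits.append({
                    "bucket": bucket_from_sni(server_name),  # None for path-style
                    "server_name": server_name,
                    "source": source,
                    "count": len(stamps),
                })
                break
    return hits


# ---- constructed sample data (not real CloudTrail records) ----------------
def make_event(ts, server_name, source, error_code="AccessDenied"):
    return {
        "@timestamp": ts.isoformat().replace("+00:00", "Z"),
        "event.dataset": "aws.cloudtrail",
        "event.provider": "s3.amazonaws.com",
        "event.action": "GetObject",
        "aws.cloudtrail.error_code": error_code,
        "tls.client.server_name": server_name,
        "source.address": source,
    }


T0 = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = (
    # 25 denials in two minutes from one address against one bucket: should fire
    [make_event(T0 + timedelta(seconds=5 * i), "finance-backups.s3.amazonaws.com",
                "198.51.100.7") for i in range(25)]
    # same volume but spread over 72 minutes: never 20 inside one 5-minute window
    + [make_event(T0 + timedelta(minutes=3 * i), "public-assets.s3.us-east-1.amazonaws.com",
                  "203.0.113.9") for i in range(25)]
    # path-style burst: matches the filter, but the "bucket" is the generic endpoint
    + [make_event(T0 + timedelta(seconds=2 * i), "s3.amazonaws.com",
                  "198.51.100.7") for i in range(22)]
    # successful requests carry no error code and never match
    + [make_event(T0 + timedelta(seconds=i), "finance-backups.s3.amazonaws.com",
                  "192.0.2.4", error_code=None) for i in range(30)]
)

if __name__ == "__main__":
    for hit in find_bursts(SAMPLE_EVENTS):
        print(hit)
```

Running it reports the finance-backups burst and the path-style burst (with bucket None) and stays silent on the slow-drip and the successful traffic; in a real deployment the threshold should be tuned against the account's normal denied-request rate, since misconfigured internal clients retrying against a bucket they lack permission to read will produce the same shape.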