Techniques
Sample rules
AWS IAM AccessDenied Discovery Events
- source: splunk
- techniques:
- T1580
Description
The following detection identifies an excessive number of AccessDenied events within a one-hour window. An AWS access key may have been stolen and be in use by an attacker performing discovery (enumeration) calls across services. Because the stolen key typically does not grant the permissions those calls require, each attempt is rejected and CloudTrail records an AccessDenied error; this search counts those failures per source IP and IAM user principal.
Detection logic
`cloudtrail` (errorCode = "AccessDenied") user_type=IAMUser (userAgent!=*.amazonaws.com)
| bucket _time span=1h
| stats count as failures min(_time) as firstTime max(_time) as lastTime, dc(eventName) as methods, dc(eventSource) as sources by src_ip, userIdentity.arn, _time
| where failures >= 5 and methods >= 1 and sources >= 1
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_iam_accessdenied_discovery_events_filter`
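To make the search's logic concrete, here is an added example (not Splunk's code and not part of the original rule) that re-implements the same pipeline in Python over raw CloudTrail JSON records. The records are constructed for the example, not real logs. The Splunk `bucket _time span=1h` step is modelled by truncating each eventTime to the hour, the `userAgent!=*.amazonaws.com` wildcard as a suffix check, and the `aws_iam_accessdenied_discovery_events_filter` macro as an allow-list parameter, which is an assumption about how that macro is typically used.

```python
"""AccessDenied discovery detection over CloudTrail records (added example)."""
from collections import defaultdict
from datetime import datetime, timezone


def _rec(ts, name, source, arn, ip, ua, error="AccessDenied", utype="IAMUser"):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    r = {
        "eventTime": ts,
        "eventName": name,
        "eventSource": source,
        "userIdentity": {"type": utype, "arn": arn},
        "sourceIPAddress": ip,
        "userAgent": ua,
    }
    if error:
        r["errorCode"] = error
    return r


# Hypothetical principals and user agent, used only for this example.
STOLEN = "arn:aws:iam::123456789012:user/ci-deploy"
OTHER = "arn:aws:iam::123456789012:user/analyst"
ROLE = "arn:aws:sts::123456789012:assumed-role/Admin/session"
CLI = "aws-cli/2.15.0 Python/3.11.6 Linux/6.1"

# Constructed sample: six denied discovery calls from one key/IP inside one
# hour, plus noise that the filters must drop (service-originated user agent,
# AssumedRole principal, a successful call, a lone failure from another user,
# and a failure that lands in the next hour bucket).
SAMPLE_EVENTS = [
    _rec("2024-05-01T10:02:11Z", "ListBuckets", "s3.amazonaws.com", STOLEN, "203.0.113.7", CLI),
    _rec("2024-05-01T10:03:40Z", "DescribeInstances", "ec2.amazonaws.com", STOLEN, "203.0.113.7", CLI),
    _rec("2024-05-01T10:05:02Z", "ListUsers", "iam.amazonaws.com", STOLEN, "203.0.113.7", CLI),
    _rec("2024-05-01T10:07:19Z", "ListRoles", "iam.amazonaws.com", STOLEN, "203.0.113.7", CLI),
    _rec("2024-05-01T10:09:55Z", "ListSecrets", "secretsmanager.amazonaws.com", STOLEN, "203.0.113.7", CLI),
    _rec("2024-05-01T10:12:30Z", "DescribeDBInstances", "rds.amazonaws.com", STOLEN, "203.0.113.7", CLI),
    _rec("2024-05-01T10:15:00Z", "DescribeInstances", "ec2.amazonaws.com", STOLEN, "203.0.113.7",
         "cloudformation.amazonaws.com"),                       # service UA: excluded
    _rec("2024-05-01T10:16:00Z", "ListBuckets", "s3.amazonaws.com", STOLEN, "203.0.113.7", CLI,
         error=None),                                            # success: excluded
    _rec("2024-05-01T10:17:00Z", "ListUsers", "iam.amazonaws.com", ROLE, "203.0.113.7", CLI,
         utype="AssumedRole"),                                   # not IAMUser: excluded
    _rec("2024-05-01T10:20:00Z", "ListUsers", "iam.amazonaws.com", OTHER, "198.51.100.4", CLI),
    _rec("2024-05-01T11:01:00Z", "ListBuckets", "s3.amazonaws.com", STOLEN, "203.0.113.7", CLI),
]


def detect(events, threshold=5, allowlist=()):
    """Return one alert row per (src_ip, arn, hour) with >= threshold denials.

    Mirrors the SPL: filter errorCode/user_type/userAgent, bucket by hour,
    count failures and distinct eventName/eventSource per group, then apply
    the threshold and the allow-list (standing in for the filter macro).
    """
    buckets = defaultdict(list)
    for e in events:
        if e.get("errorCode") != "AccessDenied":
            continue
        if e.get("userIdentity", {}).get("type") != "IAMUser":
            continue
        if e.get("userAgent", "").endswith(".amazonaws.com"):
            continue
        ts = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        hour = ts.replace(minute=0, second=0, microsecond=0)
        key = (e["sourceIPAddress"], e["userIdentity"]["arn"], hour)
        buckets[key].append((ts, e["eventName"], e["eventSource"]))

    alerts = []
    for (ip, arn, hour), rows in sorted(buckets.items()):
        if arn in allowlist:
            continue
        methods = {name for _, name, _ in rows}
        sources = {src for _, _, src in rows}
        if len(rows) >= threshold and methods and sources:
            times = [t for t, _, _ in rows]
            alerts.append({
                "src_ip": ip,
                "arn": arn,
                "hour": hour.isoformat(),
                "failures": len(rows),
                "methods": len(methods),
                "sources": len(sources),
                "firstTime": min(times).isoformat(),
                "lastTime": max(times).isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
```

Running it yields a single alert for the ci-deploy key from 203.0.113.7 in the 10:00 hour, with 6 failures across 6 distinct API calls and 5 services; the analyst's single denial and the 11:00 call stay below the threshold, and the service-agent, AssumedRole and successful events never enter a bucket. Tuning happens in the same two places as in the SPL: the threshold and the allow-list of known-noisy principals.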