Techniques
Sample rules
AWS S3 Bucket Enumeration or Brute Force
- source: elastic
- techniques:
  - T1530
  - T1580
  - T1657
Description
Identifies a high number of failed S3 operations from a single source and account (or anonymous account) within a short timeframe. This activity can be indicative of attempting to cause an increase in billing to an account for excessive random operations, cause resource exhaustion, or enumerating bucket names for discovery.
Detection logic
from logs-aws.cloudtrail*
| where event.provider == "s3.amazonaws.com" and aws.cloudtrail.error_code == "AccessDenied"
// keep only relevant fields
| keep tls.client.server_name, source.address, cloud.account.id
| stats failed_requests = count(*) by tls.client.server_name, source.address, cloud.account.id
// can modify the failed request count or tweak time window to fit environment
// can add `not cloud.account.id in (KNOWN)` or specify in exceptions
| where failed_requests > 40
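The same aggregation, written in Python over a handful of constructed CloudTrail-style records so the threshold, grouping key and the "short timeframe" from the description can be exercised offline. This is an added example, not Elastic's rule or any Elastic code; the field names are the ECS names used in the query above, the timestamps, addresses and account ids are made up, and the `window` and `allowlist` parameters are assumptions that mirror the two comments in the query (the rule itself relies on the rule's lookback and exception list for those).

```python
from collections import Counter
from datetime import datetime, timedelta, timezone


def _ev(ts, provider, error, server_name, src, account):
    """Build one flattened CloudTrail event using the ECS field names the rule keys on."""
    return {
        "@timestamp": ts,
        "event.provider": provider,
        "aws.cloudtrail.error_code": error,
        "tls.client.server_name": server_name,
        "source.address": src,
        "cloud.account.id": account,
    }


BASE = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
BUCKET = "target-bucket.s3.amazonaws.com"  # constructed SNI value

# Constructed sample data (not real logs). Each group exists to hit one branch of the logic.
SAMPLE_EVENTS = (
    # 45 AccessDenied S3 calls in 45 seconds from one address and account: should alert
    [_ev(BASE + timedelta(seconds=i), "s3.amazonaws.com", "AccessDenied",
         BUCKET, "198.51.100.7", "111111111111") for i in range(45)]
    # 38 recent failures from an anonymous caller, plus 5 two hours earlier:
    # 43 in total, but only 38 inside a 10 minute window, so no alert with the default window
    + [_ev(BASE + timedelta(seconds=i), "s3.amazonaws.com", "AccessDenied",
           BUCKET, "203.0.113.9", "ANONYMOUS_PRINCIPAL") for i in range(38)]
    + [_ev(BASE - timedelta(hours=2, seconds=i), "s3.amazonaws.com", "AccessDenied",
           BUCKET, "203.0.113.9", "ANONYMOUS_PRINCIPAL") for i in range(5)]
    # successful S3 calls carry no error code and must be ignored
    + [_ev(BASE, "s3.amazonaws.com", None, BUCKET, "198.51.100.7", "111111111111")] * 50
    # AccessDenied against a different service is outside this rule's scope
    + [_ev(BASE, "iam.amazonaws.com", "AccessDenied", "iam.amazonaws.com",
           "198.51.100.7", "111111111111")] * 50
)


def find_s3_brute_force(events, threshold=40, window=timedelta(minutes=10),
                        now=None, allowlist=frozenset()):
    """Return {(server_name, source.address, account_id): failed_requests} for groups
    whose AccessDenied S3 count inside `window` exceeds `threshold`.

    `now` defaults to the newest event timestamp so the function is deterministic on
    stored data; `allowlist` drops account ids the way the rule's KNOWN exception would.
    """
    if now is None:
        now = max(e["@timestamp"] for e in events)
    counts = Counter()
    for e in events:
        # where event.provider == "s3.amazonaws.com" and aws.cloudtrail.error_code == "AccessDenied"
        if e["event.provider"] != "s3.amazonaws.com" or e["aws.cloudtrail.error_code"] != "AccessDenied":
            continue
        # the rule's lookback: ignore events older than the window
        if now - e["@timestamp"] > window:
            continue
        # optional exception list for known accounts
        if e["cloud.account.id"] in allowlist:
            continue
        # stats failed_requests = count(*) by tls.client.server_name, source.address, cloud.account.id
        key = (e["tls.client.server_name"], e["source.address"], e["cloud.account.id"])
        counts[key] += 1
    # where failed_requests > threshold
    return {k: n for k, n in counts.items() if n > threshold}


if __name__ == "__main__":
    for (sni, src, acct), n in find_s3_brute_force(SAMPLE_EVENTS).items():
        print(f"ALERT {n} failed S3 requests to {sni} from {src} (account {acct})")
```

Widening `window` to a day makes the anonymous caller's 43 failures exceed the threshold as well, which is the trade-off the "tweak time window to fit environment" comment refers to: a long window catches slow enumeration but also merges unrelated bursts.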