LoFP / known or internal account ids or automation

Techniques

Sample rules

AWS S3 Bucket Enumeration or Brute Force

Description

Identifies a high number of failed S3 operations from a single source and account (or anonymous account) within a short timeframe. This activity can indicate an attempt to drive up an account's bill with excessive random operations, to exhaust resources, or to enumerate bucket names for discovery.

Detection logic

from logs-aws.cloudtrail*

| where
  event.provider == "s3.amazonaws.com"
  and aws.cloudtrail.error_code == "AccessDenied"
  and tls.client.server_name is not null
  and cloud.account.id is not null

// keep only relevant ECS fields
| keep
  tls.client.server_name,
  source.address,
  cloud.account.id

// count access denied requests per server_name, source, and account
| stats
    Esql.event_count = count(*)
  by
    tls.client.server_name,
    source.address,
    cloud.account.id

// Threshold: more than 40 denied requests
| where Esql.event_count > 40
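Added example, not from the LoFP page or from Elastic's rule: a Python re-implementation of the where/keep/stats/threshold pipeline above, run over constructed ECS-style CloudTrail events, with the tuning this false-positive category calls for, an allowlist of known internal account ids or automation. The bucket endpoint, IP addresses, account ids and the allowlist are all constructed placeholders.

```python
from collections import Counter

# Constructed ECS-style CloudTrail events (sample data, not real logs).
def _ev(provider, error_code, server_name, src, account):
    return {"event.provider": provider, "aws.cloudtrail.error_code": error_code,
            "tls.client.server_name": server_name, "source.address": src,
            "cloud.account.id": account}

BUCKET = "example-bucket.s3.us-east-1.amazonaws.com"   # hypothetical bucket endpoint
EVENTS = (
    # 45 denied S3 calls from one external source/account: should fire (> 40)
    [_ev("s3.amazonaws.com", "AccessDenied", BUCKET, "198.51.100.7", "222222222222")] * 45
    # 60 denied S3 calls from an internal scanner account: the known false positive
    + [_ev("s3.amazonaws.com", "AccessDenied", BUCKET, "10.0.0.5", "111111111111")] * 60
    # 50 successful S3 calls: no error_code, must be ignored
    + [_ev("s3.amazonaws.com", None, BUCKET, "198.51.100.7", "222222222222")] * 50
    # 50 denied calls with no server_name: excluded by the "is not null" check
    + [_ev("s3.amazonaws.com", "AccessDenied", None, "198.51.100.9", "333333333333")] * 50
    # 50 denied calls to another service: wrong event.provider
    + [_ev("ec2.amazonaws.com", "AccessDenied", BUCKET, "198.51.100.7", "222222222222")] * 50
)

THRESHOLD = 40
# Hypothetical allowlist of internal account ids / automation that legitimately
# produces many AccessDenied responses (the false positive this page describes).
KNOWN_ACCOUNTS = frozenset({"111111111111"})

def denied_s3_counts(events):
    """Mirror the ES|QL where/keep/stats stages: count AccessDenied S3 events
    per (tls.client.server_name, source.address, cloud.account.id)."""
    counts = Counter()
    for e in events:
        if e.get("event.provider") != "s3.amazonaws.com":
            continue
        if e.get("aws.cloudtrail.error_code") != "AccessDenied":
            continue
        name, acct = e.get("tls.client.server_name"), e.get("cloud.account.id")
        if name is None or acct is None:
            continue
        counts[(name, e.get("source.address"), acct)] += 1
    return counts

def alerts(events, threshold=THRESHOLD, allowlist=frozenset()):
    """Final threshold stage plus the tuning step: drop groups whose account
    is on the allowlist so known internal automation does not raise alerts."""
    return {key: n for key, n in denied_s3_counts(events).items()
            if n > threshold and key[2] not in allowlist}

if __name__ == "__main__":
    for (name, src, acct), n in alerts(EVENTS, allowlist=KNOWN_ACCOUNTS).items():
        print(f"ALERT account {acct} from {src} -> {name}: {n} AccessDenied")
```

Without the allowlist both groups exceed the threshold; with it, only the external source is reported, which is the tuning a rule in this category needs before it goes into production.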