legitimate operations such as new user onboarding, role changes, or service account updates may trigger this event. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. user additions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

t1098
aws
elastic

Techniques

T1098

Sample rules

AWS IAM User Addition to Group

source: elastic
technicques:
- T1098

Description

Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM). Any user added to a group automatically gains the permissions that are assigned to the group. If the target group carries elevated or admin privileges, this action can instantly grant high-risk permissions useful for credential misuse, lateral movement, or privilege escalation.

Detection logic

event.dataset: aws.cloudtrail and 
    event.provider: iam.amazonaws.com and 
    event.action: AddUserToGroup and 
    event.outcome: success