Techniques
Sample rules
AWS SNS Topic Created by Rare User
- source: elastic
- techniques:
  - T1496
  - T1608
Description
Identifies when an SNS topic is created by a user who does not typically perform this action. Adversaries may create SNS topics to stage capabilities for data exfiltration or other malicious activities. This is a New Terms rule that only flags when this behavior is observed for the first time by a user or role.
Detection logic
event.dataset: "aws.cloudtrail"
and event.provider: "sns.amazonaws.com"
and event.action: "CreateTopic"
and event.outcome: "success"
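
An added example, not part of the Elastic rule: the New Terms behaviour described above, replayed in Python over constructed raw CloudTrail records. The mapping from the rule's ECS fields to `eventSource`, `eventName` and `errorCode`, the use of `userIdentity.arn` as the tracked term, and the 10-day history window are assumptions.

```python
from datetime import datetime, timedelta

HISTORY_WINDOW = timedelta(days=10)  # assumed look-back; the page does not state one

def matches_rule(rec):
    """Raw-CloudTrail equivalent of the rule's conditions (assumed field mapping)."""
    return (rec.get("eventSource") == "sns.amazonaws.com"   # event.provider
            and rec.get("eventName") == "CreateTopic"       # event.action
            and "errorCode" not in rec)                     # event.outcome: "success"

def rare_user_alerts(records, window=HISTORY_WINDOW):
    """Return (time, ARN) for matching events whose ARN has no match in the prior window."""
    last_seen = {}  # identity ARN -> time of its most recent matching event
    alerts = []
    # Same-format ISO 8601 UTC timestamps sort correctly as strings.
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        if not matches_rule(rec):
            continue
        arn = rec["userIdentity"]["arn"]  # assumed new-terms field
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        prev = last_seen.get(arn)
        if prev is None or when - prev > window:
            alerts.append((rec["eventTime"], arn))
        last_seen[arn] = when
    return alerts

def _rec(time, arn, name="CreateTopic", source="sns.amazonaws.com", error=None):
    """Build one constructed CloudTrail record for the sample data."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": {"arn": arn}}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample records (placeholder account ID and names), not real logs.
CI = "arn:aws:iam::111122223333:user/ci-deployer"
ANALYST = "arn:aws:sts::111122223333:assumed-role/analyst/session1"
SAMPLE = [
    _rec("2024-05-01T09:00:00Z", CI),                                   # no history: alert
    _rec("2024-05-03T09:00:00Z", CI),                                   # seen 2 days ago: quiet
    _rec("2024-05-04T10:00:00Z", ANALYST, error="AuthorizationError"),  # failed call: ignored
    _rec("2024-05-04T10:05:00Z", ANALYST, name="Publish"),              # other action: ignored
    _rec("2024-05-04T10:10:00Z", ANALYST),                              # first CreateTopic: alert
    _rec("2024-05-20T09:00:00Z", CI),                                   # 17 days since last: alert
]

if __name__ == "__main__":
    for when, arn in rare_user_alerts(SAMPLE):
        print(when, arn)
```

Widening the window suppresses the last alert, which shows how the look-back period trades noise against sensitivity to dormant identities.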