Techniques
Sample rules
AWS SNS Topic Created by Rare User
- source: elastic
- techniques:
- T1608
Description
Identifies when an SNS topic is created by a user who does not typically perform this action. Adversaries may create SNS topics to stage capabilities for data exfiltration or other malicious activities.
Detection logic
event.dataset: "aws.cloudtrail"
and event.provider: "sns.amazonaws.com"
and event.action: "CreateTopic"
and event.outcome: "success"
and aws.cloudtrail.user_identity.type: "AssumedRole"
and aws.cloudtrail.user_identity.arn: *i-*
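
The detection logic above, applied to constructed CloudTrail events as an added example (not part of the Elastic rule). The first-seen baseline standing in for "rare user", the glob matching via `fnmatchcase`, and all ARNs and helper names are assumptions. It also shows that `*i-*` matches any ARN containing `i-`, including a role named `api-deploy`.

```python
from fnmatch import fnmatchcase

# The page's query: five exact-match fields plus one wildcard on the ARN.
EXACT = {
    "event.dataset": "aws.cloudtrail",
    "event.provider": "sns.amazonaws.com",
    "event.action": "CreateTopic",
    "event.outcome": "success",
    "aws.cloudtrail.user_identity.type": "AssumedRole",
}
ARN_FIELD = "aws.cloudtrail.user_identity.arn"
ARN_PATTERN = "*i-*"  # case-sensitive glob is an assumption about the matcher

def matches_query(event):
    """True when a flattened event satisfies every condition of the query."""
    if any(event.get(k) != v for k, v in EXACT.items()):
        return False
    return fnmatchcase(event.get(ARN_FIELD, ""), ARN_PATTERN)

def rare_creators(events, baseline):
    """Assumed rarity model: alert the first time an ARN creates a topic."""
    seen, alerts = set(baseline), []
    for ev in events:
        if not matches_query(ev):
            continue
        arn = ev[ARN_FIELD]
        if arn not in seen:
            alerts.append(arn)
        seen.add(arn)
    return alerts

def make_event(arn, overrides=None):
    """Build a constructed event that matches the query unless overridden."""
    return {**EXACT, ARN_FIELD: arn, **(overrides or {})}

# Constructed sample data: account ID, role names and instance IDs are made up.
ACCT = "arn:aws:sts::111122223333:assumed-role/"
BASELINE = {ACCT + "notifier-role/i-0aaaaaaaaaaaaaaa1"}
SAMPLE = [
    make_event(ACCT + "notifier-role/i-0aaaaaaaaaaaaaaa1"),  # known creator
    make_event(ACCT + "web-role/i-0bbbbbbbbbbbbbbb2"),       # new session: alert
    make_event(ACCT + "web-role/i-0bbbbbbbbbbbbbbb2"),       # repeat: no alert
    make_event(ACCT + "api-deploy/alice"),                   # "api-" matches *i-*
    make_event(ACCT + "Admin/bob"),                          # no "i-": filtered
    make_event(ACCT + "web-role/i-0ccccccccccccccc3", {"event.outcome": "failure"}),
]

if __name__ == "__main__":
    print(rare_creators(SAMPLE, BASELINE))
```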