LoFP / Legitimate users may create SNS topics for legitimate purposes. Ensure that the creation is authorized before taking action.

Techniques

Sample rules

AWS SNS Topic Created by Rare User

Description

Identifies when an SNS topic is created by a user who does not typically perform this action. Adversaries may create SNS topics to stage capabilities for data exfiltration or other malicious activities. This is a New Terms rule that only flags when this behavior is observed for the first time by a user or role.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.provider: "sns.amazonaws.com"
    and event.action: "CreateTopic"
    and event.outcome: "success"
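
The sketch below is an added example, not the rule's own implementation. It applies the four query conditions above to constructed CloudTrail-style events and then alerts only on identities with no prior match. It assumes the new term is `aws.cloudtrail.user_identity.arn` and that the history window is 10 days; the page states neither. The ARNs, account ID and helper names are hypothetical.

```python
from datetime import datetime, timedelta

# The four conditions from the rule's detection logic.
RULE_FILTER = {
    "event.dataset": "aws.cloudtrail", "event.provider": "sns.amazonaws.com",
    "event.action": "CreateTopic", "event.outcome": "success",
}
# Assumptions (not stated on the page): the "new term" is the caller's ARN,
# and an identity unseen for HISTORY_WINDOW counts as new again.
TERM_FIELD = "aws.cloudtrail.user_identity.arn"
HISTORY_WINDOW = timedelta(days=10)

def matches_rule(event):
    """True when the event satisfies every condition of the query."""
    return all(event.get(k) == v for k, v in RULE_FILTER.items())

def new_term_alerts(events):
    """Return matching events whose identity has no match in the prior window."""
    last_seen = {}  # identity -> timestamp of its most recent matching event
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_rule(ev):
            continue
        who, ts = ev[TERM_FIELD], ev["@timestamp"]
        prev = last_seen.get(who)
        if prev is None or ts - prev > HISTORY_WINDOW:
            alerts.append(ev)
        last_seen[who] = ts
    return alerts

def make_event(day, arn, action="CreateTopic", outcome="success"):
    """Build one constructed event, `day` days after 2024-01-01."""
    return {"@timestamp": datetime(2024, 1, 1) + timedelta(days=day),
            "event.dataset": "aws.cloudtrail", "event.provider": "sns.amazonaws.com",
            "event.action": action, "event.outcome": outcome, TERM_FIELD: arn}

# Constructed sample events (account ID and names are placeholders).
DEPLOY = "arn:aws:sts::111122223333:assumed-role/ci-deploy/pipeline"
ANALYST = "arn:aws:iam::111122223333:user/analyst"
SAMPLE = [
    make_event(0, DEPLOY), make_event(1, DEPLOY),  # automation: alerts once only
    make_event(3, ANALYST, action="Publish"),      # different action, ignored
    make_event(4, ANALYST, outcome="failure"),     # failed attempt, ignored
    make_event(5, ANALYST),                        # first successful create: alert
    make_event(6, ANALYST),                        # already seen: no alert
    make_event(20, DEPLOY),                        # unseen for >10 days: alert again
]

if __name__ == "__main__":
    for a in new_term_alerts(SAMPLE):
        print(a["@timestamp"].date(), a[TERM_FIELD])
```

The first and last alerts come from the deployment role, which is the false-positive case this page describes: an authorized identity is flagged the first time it is seen and again after it ages out of the history window.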