LoFP / legitimate users may subscribe to sns topics for legitimate purposes. ensure that the subscription is authorized and the subscription email address is known before taking action.

Techniques

• T1567

Sample rules

AWS SNS Email Subscription by Rare User

• source: elastic
• technicques:
  • T1567

Description

Identifies when an SNS topic is subscribed to by an email address of a user who does not typically perform this action. Adversaries may subscribe to an SNS topic to collect sensitive information or exfiltrate data via an external email address.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.provider: "sns.amazonaws.com"
    and event.action: "Subscribe"
    and aws.cloudtrail.request_parameters: *protocol=email*