Techniques
Sample rules
AWS Systems Manager SecureString Parameter Request with Decryption Flag
- source: elastic
- technicques:
- T1555
Description
Detects the first occurrence of a user identity accessing AWS Systems Manager (SSM) SecureString parameters using the GetParameter or GetParameters API actions with credentials in the request parameters. This could indicate that the user is accessing sensitive information. This rule detects when a user accesses a SecureString parameter with the withDecryption parameter set to true. This is a New Terms rule that detects the first occurrence of an AWS identity accessing SecureString parameters with decryption.
Detection logic
event.dataset: aws.cloudtrail
and event.provider: "ssm.amazonaws.com"
and event.action: (GetParameters or GetParameter)
and event.outcome: success
and aws.cloudtrail.flattened.request_parameters.withDecryption: true
and not source.address: (
"cloudformation.amazonaws.com" or
"servicecatalog.amazonaws.com"
)