LoFP / while this search has no known false positives, it is possible that an AWS admin has legitimately created a login profile for another user.

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A (victim A) creates a login profile for user B, followed by an AWS Console login event from user B from the same src_ip as the CreateLoginProfile call. This correlated pair of events can be indicative of privilege escalation, since both events happened from the same src_ip.

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`
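The correlation the SPL above performs with `join`, written out as an added Python example (not part of the original rule set) over a few constructed CloudTrail records: a CreateLoginProfile for user B followed by a ConsoleLogin of user B from the same source IP. The one-hour time window is an assumption of this example; the page's rule joins on user name and src_ip only. The second pair of records is the legitimate case the false-positive note at the top describes, where an admin creates a profile and the user later logs in from somewhere else, and it is not reported.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample CloudTrail records (not real data).
SAMPLE_EVENTS = [
    # "alice" creates a console password for "bob"; "bob" logs in minutes later from the same IP.
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "CreateLoginProfile",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "alice"},
     "requestParameters": {"userName": "bob"}},
    {"eventTime": "2024-05-01T10:04:30Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"}},
    # Legitimate admin onboarding: the profile is created, and the user logs in
    # a day later from a different address, so no correlation is reported.
    {"eventTime": "2024-05-01T11:00:00Z", "eventName": "CreateLoginProfile",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"userName": "admin"},
     "requestParameters": {"userName": "carol"}},
    {"eventTime": "2024-05-02T09:00:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"userName": "carol"}},
]


def _ts(event):
    """Parse CloudTrail's ISO-8601 UTC eventTime into an aware datetime."""
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate_login_profile(events, window=timedelta(hours=1)):
    """Return (creator, target, src_ip, seconds_between) for every CreateLoginProfile of
    `target` that is followed, within `window`, by a ConsoleLogin of `target` from the
    same source IP. `window` is an assumption of this example, not part of the SPL rule."""
    creates = [e for e in events if e.get("eventName") == "CreateLoginProfile"]
    logins = [e for e in events if e.get("eventName") == "ConsoleLogin"]
    hits = []
    for c in creates:
        target = c.get("requestParameters", {}).get("userName")
        creator = c.get("userIdentity", {}).get("userName")
        for login in logins:
            if login.get("userIdentity", {}).get("userName") != target:
                continue
            if login.get("sourceIPAddress") != c.get("sourceIPAddress"):
                continue
            delta = _ts(login) - _ts(c)
            # Only a login that happens after the profile creation is evidence of the sequence.
            if timedelta(0) <= delta <= window:
                hits.append((creator, target, c["sourceIPAddress"], int(delta.total_seconds())))
    return hits


if __name__ == "__main__":
    for hit in correlate_login_profile(SAMPLE_EVENTS):
        print("CreateLoginProfile followed by ConsoleLogin from same IP:", hit)
```

Adding the time window is the usual way to tame the false positive named at the top of the page: a user who logs in from the same address long after the profile was created is far more likely to be the admin's intended recipient than an attacker reusing a just-created password.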

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`
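The two DeleteLogGroup rules above apply the same logic to two record shapes, raw CloudTrail and Amazon Security Lake. As an added example (not code from the rule set), the Python below normalizes both shapes to one record and then groups successful deletions by actor the way the `stats ... by` clauses do. Only the ASL field names the rules themselves reference are used; the top-level `time` key on the ASL record is an assumption of this example. The sample records are constructed. Note that CloudTrail carries `errorCode` only when a call fails, which is what the CloudTrail rule's normalized `errorCode = success` stands for, and that the ASL rule on this page applies no user-agent filter, so the console exclusion is a parameter here.

```python
from collections import defaultdict
from datetime import datetime, timezone

CONSOLE_UA = "console.amazonaws.com"


def _ct(ts, user, ua, group, ip, error=None):
    """Build a constructed raw CloudTrail DeleteLogGroup record (not real data)."""
    rec = {"eventTime": ts, "eventName": "DeleteLogGroup", "eventSource": "logs.amazonaws.com",
           "userAgent": ua, "sourceIPAddress": ip, "awsRegion": "us-east-1",
           "userIdentity": {"arn": f"arn:aws:iam::111111111111:user/{user}"},
           "requestParameters": {"logGroupName": group}}
    if error:
        rec["errorCode"] = error  # present only on failure, as in real CloudTrail
    return rec


CLOUDTRAIL_SAMPLE = [
    _ct("2024-05-01T12:00:00Z", "alice", "aws-cli/2.15.0", "/aws/lambda/payments", "198.51.100.7"),
    _ct("2024-05-01T12:05:00Z", "alice", "aws-cli/2.15.0", "/aws/cloudtrail/audit", "198.51.100.7"),
    _ct("2024-05-01T12:06:00Z", "admin", CONSOLE_UA, "/aws/lambda/old-test", "203.0.113.5"),
    _ct("2024-05-01T12:07:00Z", "mallory", "aws-cli/2.15.0", "/aws/cloudtrail/audit", "198.51.100.9",
        error="AccessDenied"),
]

# Constructed ASL-shaped record (not real data); "time" as epoch seconds is an assumption.
ASL_SAMPLE = [
    {"time": 1714566600, "api": {"operation": "DeleteLogGroup", "response": {"error": None}},
     "identity": {"user": {"name": "mallory", "account_uid": "111111111111"}},
     "http_request": {"user_agent": "aws-cli/2.15.0"},
     "src_endpoint": {"ip": "198.51.100.9"}, "cloud": {"region": "eu-west-1"}},
]


def normalize_cloudtrail(rec):
    """Map a raw CloudTrail record to the common shape; None if it is not a logs DeleteLogGroup."""
    if rec.get("eventName") != "DeleteLogGroup" or rec.get("eventSource") != "logs.amazonaws.com":
        return None
    return {"time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "actor": rec["userIdentity"]["arn"], "user_agent": rec.get("userAgent", ""),
            "success": "errorCode" not in rec, "src_ip": rec.get("sourceIPAddress"),
            "region": rec.get("awsRegion"),
            "log_group": rec.get("requestParameters", {}).get("logGroupName")}


def normalize_asl(rec):
    """Map an ASL record to the common shape using the fields the ASL rule references."""
    if rec["api"]["operation"] != "DeleteLogGroup":
        return None
    return {"time": datetime.fromtimestamp(rec["time"], tz=timezone.utc),
            "actor": rec["identity"]["user"]["name"],
            "user_agent": rec["http_request"]["user_agent"],
            "success": rec["api"].get("response", {}).get("error") is None,
            "src_ip": rec["src_endpoint"]["ip"], "region": rec["cloud"]["region"],
            "log_group": None}  # the ASL rule above does not extract the group name


def detect_log_group_deletion(records, exclude_console=True):
    """Group successful deletions by actor with count, first/last time, groups, IPs, regions."""
    buckets = defaultdict(lambda: {"count": 0, "log_groups": set(), "src_ips": set(),
                                   "regions": set(), "firstTime": None, "lastTime": None})
    for n in records:
        if n is None or not n["success"]:
            continue
        if exclude_console and n["user_agent"] == CONSOLE_UA:
            continue
        b = buckets[n["actor"]]
        b["count"] += 1
        if n["log_group"]:
            b["log_groups"].add(n["log_group"])
        b["src_ips"].add(n["src_ip"])
        b["regions"].add(n["region"])
        b["firstTime"] = n["time"] if b["firstTime"] is None else min(b["firstTime"], n["time"])
        b["lastTime"] = n["time"] if b["lastTime"] is None else max(b["lastTime"], n["time"])
    return dict(buckets)


def normalize_all():
    return [normalize_cloudtrail(r) for r in CLOUDTRAIL_SAMPLE] + [normalize_asl(r) for r in ASL_SAMPLE]


def run_samples():
    return detect_log_group_deletion(normalize_all())


if __name__ == "__main__":
    for actor, summary in run_samples().items():
        print(actor, summary["count"], sorted(summary["log_groups"]), sorted(summary["regions"]))
```

Keeping the deleted group names per actor, as the CloudTrail rule's `values(requestParameters.logGroupName)` does, is what lets an analyst tell a cleanup of an old test group from the removal of the group that receives CloudTrail or application audit logs.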

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `aws_create_policy_version_to_allow_all_resources_filter`
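The policy-document check in the rule above, as an added Python example (not code from the rule set) run over constructed CreatePolicyVersion events. It applies the rule's own regex, `^(\*|[\w-]+:\*)$`, to every Allow statement and makes explicit what the `spath` chain handles implicitly: `Statement` may be a single object or a list, and `Action` may be a string or a list. CloudTrail delivers `requestParameters.policyDocument` as a JSON string, which is how the samples embed it. The `check_resource` option goes beyond the page's rule, which inspects `Action` only despite its name, by also requiring a `"*"` Resource.

```python
import json
import re

# The rule's pattern: a bare "*" or a service-wide "<service>:*" action.
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def _as_list(value):
    """IAM accepts either a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_allow_statements(policy_document, check_resource=False):
    """Return the Allow statements whose Action is a full wildcard.
    check_resource=True additionally requires Resource "*" (stricter than the page's rule)."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    hits = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(WILDCARD_ACTION.match(a) for a in _as_list(stmt.get("Action"))):
            continue
        if check_resource and "*" not in _as_list(stmt.get("Resource")):
            continue
        hits.append(stmt)
    return hits


def _event(user, policy_arn, doc, error=None):
    """Build a constructed CloudTrail CreatePolicyVersion record (not real data)."""
    rec = {"eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com",
           "userIdentity": {"userName": user},
           "requestParameters": {"policyArn": policy_arn, "policyDocument": json.dumps(doc),
                                 "setAsDefault": True}}
    if error:
        rec["errorCode"] = error  # CloudTrail sets errorCode only on failure
    return rec


SAMPLE_EVENTS = [
    _event("alice", "arn:aws:iam::111111111111:policy/app-read",
           {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}),
    # Statement as a single object, Action as a list, resource restricted to one bucket.
    _event("bob", "arn:aws:iam::111111111111:policy/s3-tools",
           {"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": ["s3:*"],
                                                   "Resource": "arn:aws:s3:::team-bucket/*"}}),
    _event("carol", "arn:aws:iam::111111111111:policy/s3-least",
           {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                                                    "Action": ["s3:GetObject", "s3:PutObject"],
                                                    "Resource": "*"}]}),
    _event("dave", "arn:aws:iam::111111111111:policy/deny-all",
           {"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}),
    _event("mallory", "arn:aws:iam::111111111111:policy/app-read",
           {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
           error="AccessDenied"),
]


def detect_create_policy_version(events, check_resource=False):
    """Apply the rule's filters (IAM source, successful calls) and return
    (user, policyArn, sorted wildcard actions) for every event that adds a wildcard Allow."""
    hits = []
    for e in events:
        if e.get("eventName") != "CreatePolicyVersion" or e.get("eventSource") != "iam.amazonaws.com":
            continue
        if "errorCode" in e:
            continue
        params = e.get("requestParameters", {})
        stmts = wildcard_allow_statements(params.get("policyDocument", "{}"), check_resource)
        if stmts:
            actions = sorted({a for s in stmts for a in _as_list(s.get("Action"))
                              if WILDCARD_ACTION.match(a)})
            hits.append((e["userIdentity"]["userName"], params.get("policyArn"), actions))
    return hits


if __name__ == "__main__":
    for user, arn, actions in detect_create_policy_version(SAMPLE_EVENTS):
        print(f"{user} added wildcard Allow {actions} to {arn}")
```

Whether to require the Resource wildcard is a tuning decision: `s3:*` scoped to one bucket is a legitimate pattern in many accounts, while `*` on `*` almost never is, so the stricter mode trades coverage for a lower false-positive rate.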

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the old victim (user A).

Detection logic

`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`
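The ASL AWS CreateAccessKey, AWS UpdateLoginProfile and AWS CreateAccessKey rules above share one idea: report an IAM credential operation whose target user differs from the calling user. As an added Python example (not code from the rule set), the function below applies that check, with the rules' console and success filters, to constructed CloudTrail records for both event names; the ASL variant is the same comparison over the ASL field names. The `exact=False` mode reproduces the SPL `match(userIdentity.userName, requestParameters.userName)`, which is a regex search rather than an equality test, so a user named `bobby` acting on `bob` is treated as self-service and missed; the default exact comparison reports it. Records from a role session carry no `userName`, so the example falls back to `principalId` for the actor.

```python
import re

CONSOLE_UA = "console.amazonaws.com"
WATCHED = {"CreateAccessKey", "UpdateLoginProfile"}


def _ev(name, actor, target, ip, ua="aws-cli/2.15.0", error=None):
    """Build a constructed CloudTrail IAM record (not real data).
    actor=None models a role session, whose userIdentity has no userName."""
    if actor:
        identity = {"type": "IAMUser", "userName": actor, "principalId": "AIDAEXAMPLE"}
    else:
        identity = {"type": "AssumedRole", "principalId": "AROAEXAMPLE:deploy-session"}
    rec = {"eventName": name, "eventSource": "iam.amazonaws.com", "userAgent": ua,
           "sourceIPAddress": ip, "userIdentity": identity,
           "requestParameters": {"userName": target}}
    if error:
        rec["errorCode"] = error  # CloudTrail sets errorCode only on failure
    return rec


SAMPLE_EVENTS = [
    _ev("CreateAccessKey", "alice", "bob", "198.51.100.7"),                    # cross-user
    _ev("CreateAccessKey", "bob", "bob", "198.51.100.8"),                      # self-service
    _ev("UpdateLoginProfile", "bobby", "bob", "198.51.100.9"),                 # cross-user; regex match() misses it
    _ev("UpdateLoginProfile", "admin", "carol", "203.0.113.5", ua=CONSOLE_UA),  # console: excluded by the rules
    _ev("CreateAccessKey", "alice", "dave", "198.51.100.7", error="AccessDenied"),  # failed: excluded
    _ev("CreateAccessKey", None, "eve", "192.0.2.10"),                         # role session, no userName
]


def cross_user_credential_events(events, exact=True):
    """Return (eventName, actor, target, src_ip) for successful, non-console CreateAccessKey
    or UpdateLoginProfile calls where the calling user is not the target user."""
    hits = []
    for e in events:
        if e.get("eventName") not in WATCHED:
            continue
        if e.get("userAgent") == CONSOLE_UA or "errorCode" in e:
            continue
        ident = e.get("userIdentity", {})
        actor = ident.get("userName")
        target = e.get("requestParameters", {}).get("userName")
        if target is None:
            continue  # CreateAccessKey without userName creates a key for the caller itself
        if exact:
            same_user = actor == target
        else:
            # Mirrors the SPL match(): a regex search of the target name inside the actor
            # name, so actor "bobby" and target "bob" count as the same user.
            same_user = actor is not None and re.search(target, actor) is not None
        if not same_user:
            hits.append((e["eventName"], actor or ident.get("principalId"), target,
                         e.get("sourceIPAddress")))
    return hits


if __name__ == "__main__":
    for hit in cross_user_credential_events(SAMPLE_EVENTS):
        print("credential set for another user:", hit)
```

The role-session case is worth keeping in view when tuning: CI pipelines and automation commonly run under assumed roles and may legitimately rotate keys for service users, so those hits are usually handled through the rule's filter macro rather than by weakening the comparison.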

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`
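The same statement-level check the SPL above performs (Allow effect plus an Action that is a bare `*` or a service-wide `service:*`), as an added Python example that is not part of the page or the Splunk content. The sample CloudTrail records are constructed; the code treats a missing errorCode as success, which is how raw CloudTrail records a successful call, whereas the SPL's `errorCode = success` relies on Splunk-side field normalization.

```python
import json
import re
from typing import Any, Dict, List, Optional

# Same pattern as the page's SPL: a bare "*" or a whole-service wildcard such as "iam:*".
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def _as_list(value: Any) -> list:
    """Normalise a JSON value that may be absent, a scalar, or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_allow_statements(policy_document: Any) -> List[Dict[str, Any]]:
    """Return the Allow statements whose Action contains a wildcard action.

    Both "Statement" and "Action" may be a single value or a list in IAM JSON,
    which is what the SPL's spath/regex pair silently tolerates via multivalues.
    """
    # CloudTrail carries policyDocument as a JSON *string* inside requestParameters.
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    hits = []
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny with "*" is not over-permissive
        if any(WILDCARD_ACTION.match(a) for a in _as_list(stmt.get("Action"))):
            hits.append(stmt)
    return hits


def check_create_policy_version(event: dict) -> Optional[Dict[str, Any]]:
    """Apply the rule's pre-filters to one CloudTrail record and return a finding or None."""
    if event.get("eventName") != "CreatePolicyVersion":
        return None
    if event.get("eventSource") != "iam.amazonaws.com":
        return None
    if "errorCode" in event:  # raw CloudTrail only sets errorCode when the call failed
        return None
    params = event.get("requestParameters") or {}
    hits = wildcard_allow_statements(params.get("policyDocument", "{}"))
    if not hits:
        return None
    return {
        "user_arn": (event.get("userIdentity") or {}).get("arn"),
        "policy_arn": params.get("policyArn"),
        "policy_added": hits,
    }


# Constructed sample records (not real data), trimmed to the fields the rule uses.
WILDCARD_EVENT = {
    "eventName": "CreatePolicyVersion",
    "eventSource": "iam.amazonaws.com",
    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"},
    "requestParameters": {
        "policyArn": "arn:aws:iam::123456789012:policy/example-policy",
        "setAsDefault": True,
        "policyDocument": json.dumps({
            "Version": "2012-10-17",
            "Statement": [
                {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},
                {"Effect": "Allow", "Action": ["iam:*", "sts:GetCallerIdentity"], "Resource": "*"},
            ],
        }),
    },
}
BENIGN_EVENT = {
    "eventName": "CreatePolicyVersion",
    "eventSource": "iam.amazonaws.com",
    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"},
    "requestParameters": {
        "policyArn": "arn:aws:iam::123456789012:policy/example-policy",
        "policyDocument": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                           "Resource": "arn:aws:s3:::example-bucket/*"}],
        }),
    },
}
FAILED_EVENT = dict(WILDCARD_EVENT, errorCode="AccessDenied")

if __name__ == "__main__":
    for name, ev in [("wildcard", WILDCARD_EVENT), ("benign", BENIGN_EVENT), ("failed", FAILED_EVENT)]:
        print(name, "->", check_create_policy_version(ev))
```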

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the old victim (user A).

Detection logic

`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`

Detect New Open S3 buckets

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket.

Detection logic

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl 
| rex field=_raw "(?<json_field>{.+})" 
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} 
| search grantees=* 
| mvexpand grantees 
| spath input=grantees output=uri path=Grantee.URI 
| spath input=grantees output=permission path=Permission 
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") 
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") 
| rename requestParameters.bucketName AS bucketName 
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_filter` 

Detect New Open S3 Buckets over AWS CLI

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the AWS CLI.

Detection logic

`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") 
| rename requestParameters.bucketName AS bucketName 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_over_aws_cli_filter` 
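The grantee check performed by this rule and by the preceding "Detect New Open S3 buckets" rule, as one added Python example that is not part of the page or the Splunk content. It handles both request shapes CloudTrail records for PutBucketAcl (the full AccessControlPolicy body and the CLI's x-amz-grant-* header parameters); the sample records are constructed, and unlike the CLI query's OR chain the code requires eventName=PutBucketAcl for both shapes.

```python
from typing import Any, Dict, List

# The two global groups the page's searches match on.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
EXPOSING_PERMISSIONS = {"READ", "READ_ACP", "WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Header-style grants sent by the AWS CLI, mapped to the canned permission they confer.
CLI_GRANT_HEADERS = {
    "x-amz-grant-read": "READ",
    "x-amz-grant-read-acp": "READ_ACP",
    "x-amz-grant-write": "WRITE",
    "x-amz-grant-write-acp": "WRITE_ACP",
    "x-amz-grant-full-control": "FULL_CONTROL",
}


def _as_list(value: Any) -> list:
    """Normalise a JSON value that may be absent, a single object, or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_grants(event: dict) -> List[Dict[str, Any]]:
    """Return one finding per grant that hands a global group an exposing permission."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") != "PutBucketAcl":
        return []
    params = event.get("requestParameters") or {}
    bucket = params.get("bucketName")
    findings = []

    # Shape 1: XML body rendered as JSON. A policy with exactly one <Grant> is
    # recorded as a single object rather than a list, so normalise before iterating.
    acl = (params.get("AccessControlPolicy") or {}).get("AccessControlList") or {}
    for grant in _as_list(acl.get("Grant")):
        uri = (grant.get("Grantee") or {}).get("URI")
        perm = grant.get("Permission")
        if uri in PUBLIC_GRANTEE_URIS and perm in EXPOSING_PERMISSIONS:
            findings.append({"bucketName": bucket, "uri": uri, "permission": perm})

    # Shape 2: header grants, e.g. "uri=http://acs.amazonaws.com/groups/global/AllUsers",
    # possibly several grantees separated by commas.
    headers = params.get("accessControlList") or {}
    for header, perm in CLI_GRANT_HEADERS.items():
        for grantee in str(headers.get(header, "")).split(","):
            grantee = grantee.strip()
            if grantee.startswith("uri=") and grantee[4:] in PUBLIC_GRANTEE_URIS:
                findings.append({"bucketName": bucket, "uri": grantee[4:], "permission": perm})
    return findings


# Constructed sample records (not real data), trimmed to the fields used here.
SDK_EVENT = {
    "eventSource": "s3.amazonaws.com",
    "eventName": "PutBucketAcl",
    "requestParameters": {
        "bucketName": "example-bucket",
        "AccessControlPolicy": {"AccessControlList": {"Grant": [
            {"Grantee": {"ID": "0123abcd", "xsi:type": "CanonicalUser"}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers", "xsi:type": "Group"},
             "Permission": "READ"},
        ]}},
    },
}
CLI_EVENT = {
    "eventSource": "s3.amazonaws.com",
    "eventName": "PutBucketAcl",
    "userAgent": "[aws-cli/2.15.0 ...]",
    "requestParameters": {
        "bucketName": "example-bucket",
        "accessControlList": {
            "x-amz-grant-write": "uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
    },
}
# Single Grant object (not a list) to the non-global LogDelivery group: no finding expected.
LOG_DELIVERY_EVENT = {
    "eventSource": "s3.amazonaws.com",
    "eventName": "PutBucketAcl",
    "requestParameters": {
        "bucketName": "example-logs",
        "AccessControlPolicy": {"AccessControlList": {"Grant":
            {"Grantee": {"URI": "http://acs.amazonaws.com/groups/s3/LogDelivery", "xsi:type": "Group"},
             "Permission": "WRITE"}}},
    },
}

if __name__ == "__main__":
    for name, ev in [("sdk", SDK_EVENT), ("cli", CLI_EVENT), ("logdelivery", LOG_DELIVERY_EVENT)]:
        print(name, "->", public_grants(ev))
```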

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A who has already permission to update login profile, makes an API call to update login profile for another user B . Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B)

Detection logic

 `cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A wide-open AWS IAM policy, especially one introduced as a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `aws_create_policy_version_to_allow_all_resources_filter`
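To make the policy-document check concrete, here is an added Python example (not part of this page or of the Splunk rule set) that applies the same filters to constructed CloudTrail records: it parses requestParameters.policyDocument, keeps only Allow statements, and tests each Action against the rule's regex. The sample events, ARNs and account number are constructed; treating a missing errorCode as success is an assumption about raw CloudTrail records, which carry errorCode only when a call fails.

```python
import json
import re

# Same pattern as the rule's regex: a bare "*" or a whole-service wildcard such as "iam:*".
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def wildcard_allow_statements(policy_document):
    """Return the Allow statements of an IAM policy whose Action contains a wildcard.

    CloudTrail logs requestParameters.policyDocument as a JSON string; a parsed
    dict is accepted too. Both Statement and Action may be a single value or a list.
    """
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    hits = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(WILDCARD_ACTION.match(action) for action in actions):
            hits.append(stmt)
    return hits


def flag_create_policy_version_events(events):
    """Apply the rule's filters to CloudTrail records and return one finding per match."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "CreatePolicyVersion" or ev.get("eventSource") != "iam.amazonaws.com":
            continue
        # Assumption: raw CloudTrail writes errorCode only on failure, so the rule's
        # "errorCode = success" filter becomes "no errorCode present" here.
        if "errorCode" in ev:
            continue
        statements = wildcard_allow_statements(ev["requestParameters"]["policyDocument"])
        if statements:
            findings.append({
                "user_arn": ev["userIdentity"]["arn"],
                "policyArn": ev["requestParameters"]["policyArn"],
                "policy_added": statements,
            })
    return findings


def _event(name, policy_doc, error=None, policy_arn="arn:aws:iam::123456789012:policy/example"):
    """Build a minimal constructed CloudTrail record (sample data, not a real log)."""
    ev = {
        "eventName": name,
        "eventSource": "iam.amazonaws.com",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"},
        "requestParameters": {"policyArn": policy_arn, "policyDocument": json.dumps(policy_doc)},
    }
    if error:
        ev["errorCode"] = error
    return ev


# Constructed sample events: only the first and third should be flagged.
SAMPLE_EVENTS = [
    _event("CreatePolicyVersion",
           {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
           policy_arn="arn:aws:iam::123456789012:policy/allow-everything"),
    _event("CreatePolicyVersion",
           {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                                                    "Resource": "arn:aws:s3:::example-bucket/*"}]},
           policy_arn="arn:aws:iam::123456789012:policy/scoped-read"),
    _event("CreatePolicyVersion",
           {"Version": "2012-10-17", "Statement": [
               {"Effect": "Deny", "Action": "s3:*", "Resource": "*"},        # Deny is not a grant
               {"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"}]},  # this one is flagged
           policy_arn="arn:aws:iam::123456789012:policy/iam-star"),
    _event("CreatePolicyVersion",
           {"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}},
           error="AccessDenied",                                             # failed call is ignored
           policy_arn="arn:aws:iam::123456789012:policy/denied-attempt"),
    _event("CreatePolicy",                                                   # different API call
           {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}),
]

if __name__ == "__main__":
    for finding in flag_create_policy_version_events(SAMPLE_EVENTS):
        print(finding["policyArn"], "->", [s["Action"] for s in finding["policy_added"]])
```

As the regex shows, only a bare `*` or a whole-service wildcard such as `iam:*` is matched; a partial wildcard such as `s3:Get*` passes through, so widen the pattern if you want those as well. The third sample also shows why Effect is tested first: a Deny statement with a wildcard action is not a grant.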

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the old victim (user A).

Detection logic

`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`
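The UpdateLoginProfile and CreateAccessKey rules above share one test: the calling IAM user differs from the user named in requestParameters.userName. The following added Python example (not part of this page or of the rule set) applies that test and the rules' exclusions (console user agent, failed calls) to constructed CloudTrail records, then groups the hits the way the stats step does. User names, timestamps and the source address are constructed sample data.

```python
# API calls the two rules watch; both name the target user in requestParameters.userName.
WATCHED_CALLS = {"CreateAccessKey", "UpdateLoginProfile"}


def cross_user_iam_calls(events):
    """Return CloudTrail records where the calling IAM user acted on a different IAM user."""
    findings = []
    for ev in events:
        if ev.get("eventName") not in WATCHED_CALLS:
            continue
        if ev.get("userAgent") == "console.amazonaws.com":   # rules exclude console-originated calls
            continue
        if "errorCode" in ev:                                 # assumption: errorCode present only on failure
            continue
        # userIdentity.userName exists only for IAM user principals (not assumed roles).
        actor = ev.get("userIdentity", {}).get("userName")
        # CreateAccessKey omits userName when the caller creates a key for itself.
        target = ev.get("requestParameters", {}).get("userName")
        if actor is None or target is None or actor == target:
            continue
        findings.append({
            "eventTime": ev["eventTime"],
            "eventName": ev["eventName"],
            "actor": actor,
            "target": target,
            "src": ev.get("sourceIPAddress"),
            "userAgent": ev.get("userAgent"),
        })
    return findings


def summarize(findings):
    """Mirror the rules' stats step: count and first/last time per (actor, target, eventName)."""
    summary = {}
    for f in findings:
        key = (f["actor"], f["target"], f["eventName"])
        entry = summary.setdefault(key, {"count": 0, "firstTime": f["eventTime"], "lastTime": f["eventTime"]})
        entry["count"] += 1
        # ISO-8601 UTC strings of equal length sort chronologically, so min/max work on them.
        entry["firstTime"] = min(entry["firstTime"], f["eventTime"])
        entry["lastTime"] = max(entry["lastTime"], f["eventTime"])
    return summary


def _event(name, actor, target, time, agent="aws-cli/2.15.0", error=None):
    """Constructed CloudTrail record carrying only the fields the rules use (not real log data)."""
    ev = {
        "eventTime": time, "eventName": name, "eventSource": "iam.amazonaws.com",
        "userAgent": agent, "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": actor},
        "requestParameters": {},
    }
    if target is not None:
        ev["requestParameters"]["userName"] = target
    if error:
        ev["errorCode"] = error
    return ev


SAMPLE_EVENTS = [
    _event("CreateAccessKey", "dev-alice", None, "2024-05-01T10:00:00Z"),            # own key: not cross-user
    _event("CreateAccessKey", "dev-alice", "admin-bob", "2024-05-01T10:05:00Z"),     # flagged
    _event("UpdateLoginProfile", "dev-alice", "admin-bob", "2024-05-01T10:06:00Z"),  # flagged
    _event("UpdateLoginProfile", "dev-alice", "admin-bob", "2024-05-01T10:09:00Z"),  # flagged, same pair
    _event("CreateAccessKey", "ops-carol", "admin-bob", "2024-05-01T11:00:00Z",
           agent="console.amazonaws.com"),                                           # console: excluded
    _event("UpdateLoginProfile", "dev-alice", "admin-bob", "2024-05-01T11:30:00Z",
           error="AccessDenied"),                                                     # failed: excluded
    _event("CreateAccessKey", "svc-deploy", "svc-deploy", "2024-05-01T12:00:00Z"),   # self: not cross-user
]

if __name__ == "__main__":
    for (actor, target, call), entry in summarize(cross_user_iam_calls(SAMPLE_EVENTS)).items():
        print(f"{actor} -> {target} via {call}: {entry}")
```

Two points matter when tuning: the rules compare names with Splunk's match(), a regex test that succeeds on any substring, so a target name contained in the caller's name (target alice, caller dev-alice) is treated as a self-service call and suppressed, whereas the example compares names exactly; and userIdentity.userName is present only for IAM user principals, so for calls made under an assumed role there is nothing to compare and the example skips them.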

Detect New Open S3 buckets

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket.

Detection logic

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl 
| rex field=_raw "(?<json_field>{.+})" 
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} 
| search grantees=* 
| mvexpand grantees 
| spath input=grantees output=uri path=Grantee.URI 
| spath input=grantees output=permission path=Permission 
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") 
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") 
| rename requestParameters.bucketName AS bucketName 
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_filter` 

Detect New Open S3 Buckets over AWS CLI

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the AWS CLI.

Detection logic

`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") 
| rename requestParameters.bucketName AS bucketName 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_over_aws_cli_filter` 
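Both S3 rules look for the same thing in two request shapes: the SDK/console form, which logs the full AccessControlPolicy body, and the CLI form, which logs x-amz-grant-* headers. The added Python example below (not part of this page or of the rule set) handles both shapes on constructed PutBucketAcl records and reports the public grantee group and permission per bucket and principal. Bucket names, ARNs, the canonical ID and the sample header values are constructed; like the CLI rule's `*AllUsers` wildcard, the example only checks that a public group URI appears somewhere in the header value.

```python
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

# The AWS CLI's --grant-* options reach CloudTrail as these request headers.
GRANT_HEADER_PERMISSION = {
    "x-amz-grant-read": "READ",
    "x-amz-grant-read-acp": "READ_ACP",
    "x-amz-grant-write": "WRITE",
    "x-amz-grant-write-acp": "WRITE_ACP",
    "x-amz-grant-full-control": "FULL_CONTROL",
}


def public_grants(event):
    """Return (bucket, grantee group, permission) for every public grant in a PutBucketAcl record."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") != "PutBucketAcl":
        return []
    params = event.get("requestParameters", {})
    bucket = params.get("bucketName")
    hits = []
    # Shape 1: SDK/console calls log the AccessControlPolicy body (Grant may be one object or a list).
    grants = params.get("AccessControlPolicy", {}).get("AccessControlList", {}).get("Grant", [])
    if isinstance(grants, dict):
        grants = [grants]
    for grant in grants:
        group = PUBLIC_GRANTEE_URIS.get(grant.get("Grantee", {}).get("URI"))
        if group:
            hits.append((bucket, group, grant.get("Permission")))
    # Shape 2: CLI calls log x-amz-grant-* headers whose value names the grantee.
    headers = params.get("accessControlList", {})
    for header, permission in GRANT_HEADER_PERMISSION.items():
        value = headers.get(header, "")
        for uri, group in PUBLIC_GRANTEE_URIS.items():
            if uri in value:
                hits.append((bucket, group, permission))
    return hits


def open_bucket_findings(events):
    """Group public grants per bucket and principal, like the rules' stats step."""
    findings = {}
    for ev in events:
        for bucket, group, permission in public_grants(ev):
            findings.setdefault((bucket, ev["userIdentity"]["arn"]), set()).add((group, permission))
    return findings


# Constructed sample records (not real CloudTrail data).
SAMPLE_EVENTS = [
    {   # SDK form: owner keeps FULL_CONTROL (not public), everyone gets READ (public)
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
        "userAgent": "[aws-sdk-go/1.44.0]",
        "requestParameters": {"bucketName": "example-public-assets",
            "AccessControlPolicy": {"AccessControlList": {"Grant": [
                {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef"}, "Permission": "FULL_CONTROL"},
                {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                 "Permission": "READ"}]}}},
    },
    {   # CLI form: put-bucket-acl --grant-write to AuthenticatedUsers
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
        "userAgent": "[aws-cli/2.15.0 ...]",
        "requestParameters": {"bucketName": "example-uploads",
            "accessControlList": {"x-amz-grant-write":
                'uri="http://acs.amazonaws.com/groups/global/AuthenticatedUsers"'}},
    },
    {   # Grant to the predefined LogDelivery group: not one of the public groups
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-carol"},
        "userAgent": "[aws-sdk-java/1.12.0]",
        "requestParameters": {"bucketName": "example-access-logs",
            "AccessControlPolicy": {"AccessControlList": {"Grant":
                {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
                 "Permission": "WRITE"}}}},
    },
    {   # Not an ACL change at all
        "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
        "requestParameters": {"bucketName": "example-public-assets", "key": "index.html"},
    },
]

if __name__ == "__main__":
    for (bucket, arn), grants in open_bucket_findings(SAMPLE_EVENTS).items():
        print(bucket, arn, sorted(grants))
```

Neither rule filters on errorCode, so a public ACL put that S3 Block Public Access rejected appears the same way as one that succeeded; the example follows the rules and leaves that distinction to triage. The LogDelivery record is included to show that not every predefined group grant is public.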

ASL AWS Defense Evasion Delete Cloudtrail

Description

This analytic identifies AWS DeleteTrail events within CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteTrail 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`

AWS Defense Evasion Stop Logging Cloudtrail

Description

This analytic identifies StopLogging events in CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may easily stop logging.

Detection logic

`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `aws_defense_evasion_stop_logging_cloudtrail_filter`

AWS Defense Evasion Delete Cloudtrail

Description

This analytic identifies AWS DeleteTrail events within CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A wide-open AWS IAM policy, especially one introduced as a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `aws_create_policy_version_to_allow_all_resources_filter`
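As an added illustration (not part of the page's rules or the Splunk security content project), the following Python reproduces the wildcard-action check above on raw CloudTrail records and, going beyond the rule, normalises Statement and Action given as either a single value or a list. The events are constructed for the example; field names follow CloudTrail's CreatePolicyVersion record.

```python
import json
import re
from typing import Any, Dict, List

# Same pattern the rule applies with `regex key_policy_action_1="^(\*|[\w-]+:\*)$"`:
# a bare "*" or a service-wide wildcard such as "iam:*" or "s3:*".
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def _as_list(value: Any) -> List[Any]:
    """IAM lets Statement and Action be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_allow_statements(event: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return the Allow statements of a CreatePolicyVersion event whose Action
    matches the wildcard pattern, i.e. the statements the rule's spath/search/regex
    stages keep. Any other event yields an empty list."""
    if event.get("eventName") != "CreatePolicyVersion":
        return []
    if event.get("eventSource") != "iam.amazonaws.com":
        return []
    # CloudTrail adds an errorCode field only to failed calls; the rule's
    # `errorCode = success` keeps the calls without one.
    if "errorCode" in event:
        return []
    params = event.get("requestParameters") or {}
    doc = params.get("policyDocument")
    # CloudTrail records policyDocument as a JSON string inside the event.
    if isinstance(doc, str):
        try:
            doc = json.loads(doc)
        except json.JSONDecodeError:
            return []
    if not isinstance(doc, dict):
        return []
    flagged = []
    for stmt in _as_list(doc.get("Statement")):
        if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
            continue
        actions = [a for a in _as_list(stmt.get("Action")) if isinstance(a, str)]
        # Like the rule, this looks at Action only: "Action": "*" is flagged even
        # when Resource is narrowed, because the statement grants every API call.
        if any(WILDCARD_ACTION.match(a) for a in actions):
            flagged.append(stmt)
    return flagged


def flag_wildcard_policy_versions(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Summarise flagged events per actor, roughly the rule's stats stage."""
    results = []
    for ev in events:
        stmts = wildcard_allow_statements(ev)
        if stmts:
            results.append({
                "eventID": ev.get("eventID"),
                "user_arn": (ev.get("userIdentity") or {}).get("arn"),
                "policy_added": stmts,
            })
    return results


def _event(event_id: str, doc: Dict[str, Any], **extra: Any) -> Dict[str, Any]:
    """Build a minimal constructed CloudTrail record (not a real capture)."""
    ev = {
        "eventID": event_id,
        "eventName": "CreatePolicyVersion",
        "eventSource": "iam.amazonaws.com",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"},
        "requestParameters": {
            "policyArn": "arn:aws:iam::123456789012:policy/example-policy",
            "policyDocument": json.dumps(doc),
            "setAsDefault": True,
        },
    }
    ev.update(extra)
    return ev


# Constructed sample events covering the cases the rule distinguishes.
SAMPLE_EVENTS = [
    # Action "*" with Effect Allow: the classic over-permissive version.
    _event("evt-1", {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}),
    # Mixed list with a service-wide wildcard; Statement given as a single object.
    _event("evt-2", {"Version": "2012-10-17", "Statement":
        {"Effect": "Allow", "Action": ["s3:GetObject", "iam:*"], "Resource": "*"}}),
    # Narrow, explicitly listed actions: not flagged.
    _event("evt-3", {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}]}),
    # Wildcard under Deny restricts rather than grants, so it is not flagged.
    _event("evt-4", {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "*", "Resource": "*"}]}),
    # Rejected by IAM (errorCode present): no policy version was created.
    _event("evt-5", {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        errorCode="AccessDenied"),
]

if __name__ == "__main__":
    for hit in flag_wildcard_policy_versions(SAMPLE_EVENTS):
        print(hit["eventID"], hit["user_arn"], hit["policy_added"])
```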

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it is important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who do not typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the original victim (user A).

Detection logic

`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it is important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who do not typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_createaccesskey_filter`
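The cross-user checks in the UpdateLoginProfile and CreateAccessKey rules, together with the CreateLoginProfile-to-ConsoleLogin correlation, as an added Python example that is not part of the page or the project: it compares caller and target as exact strings (as the ASL variant does) and only pairs a login that occurs after the profile was created, which is tighter than the rule's join. The events, user names and IP addresses are constructed.

```python
from typing import Any, Dict, List, Optional, Tuple

CONSOLE_USER_AGENT = "console.amazonaws.com"
# API calls that set sign-in credentials for an IAM user.
CREDENTIAL_EVENTS = {"CreateAccessKey", "UpdateLoginProfile"}


def actor_name(event: Dict[str, Any]) -> Optional[str]:
    """IAM user making the call (userIdentity.userName)."""
    return (event.get("userIdentity") or {}).get("userName")


def target_name(event: Dict[str, Any]) -> Optional[str]:
    """IAM user whose credentials are changed (requestParameters.userName)."""
    return (event.get("requestParameters") or {}).get("userName")


def is_success(event: Dict[str, Any]) -> bool:
    """CloudTrail adds an errorCode field only to failed calls."""
    return "errorCode" not in event


def cross_user_credential_events(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """API-driven CreateAccessKey/UpdateLoginProfile calls where the caller is not
    the user being modified: the rules' userAgent/errorCode filters plus match=0."""
    hits = []
    for ev in events:
        if ev.get("eventName") not in CREDENTIAL_EVENTS:
            continue
        if ev.get("userAgent") == CONSOLE_USER_AGENT or not is_success(ev):
            continue
        actor, target = actor_name(ev), target_name(ev)
        # A call without a target userName acts on the caller: self-service, not flagged.
        if actor is None or target is None or actor == target:
            continue
        hits.append(ev)
    return hits


def login_profile_then_console_login(
    events: List[Dict[str, Any]],
) -> List[Tuple[Dict[str, Any], Dict[str, Any]]]:
    """CreateLoginProfile for user B by user A, followed by a ConsoleLogin as B from
    the same source IP: the join on new_login_profile and src_ip. CloudTrail eventTime
    is ISO 8601 (UTC), so sorting the strings sorts chronologically."""
    created: Dict[Tuple[Optional[str], Optional[str]], Dict[str, Any]] = {}
    pairs = []
    for ev in sorted(events, key=lambda e: e.get("eventTime", "")):
        name = ev.get("eventName")
        # The rule itself does not filter CreateLoginProfile on errorCode; a failed
        # call creates no profile, so it cannot precede a login and is skipped here.
        if name == "CreateLoginProfile" and is_success(ev):
            created.setdefault((target_name(ev), ev.get("sourceIPAddress")), ev)
        elif name == "ConsoleLogin":
            key = (actor_name(ev), ev.get("sourceIPAddress"))
            if key in created:
                pairs.append((created[key], ev))
    return pairs


def _ev(event_id: str, name: str, actor: str, time: str, ip: str,
        user_agent: str = "aws-cli/2.15.0", **extra: Any) -> Dict[str, Any]:
    """Build a minimal constructed CloudTrail record (not a real capture)."""
    ev = {
        "eventID": event_id, "eventName": name, "eventTime": time,
        "eventSource": "signin.amazonaws.com" if name == "ConsoleLogin" else "iam.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "userName": actor},
        "sourceIPAddress": ip, "userAgent": user_agent, "requestParameters": {},
    }
    ev.update(extra)
    return ev


# Constructed sample events (RFC 5737 documentation addresses).
SAMPLE_EVENTS = [
    # alice creates an access key for bob over the API: flagged.
    _ev("evt-1", "CreateAccessKey", "alice", "2024-05-01T10:00:00Z", "203.0.113.10",
        requestParameters={"userName": "bob"}),
    # carol rotates her own key: not flagged.
    _ev("evt-2", "CreateAccessKey", "carol", "2024-05-01T10:01:00Z", "203.0.113.11",
        requestParameters={"userName": "carol"}),
    # Console-driven change is excluded by the userAgent filter.
    _ev("evt-3", "UpdateLoginProfile", "alice", "2024-05-01T10:02:00Z", "203.0.113.10",
        user_agent=CONSOLE_USER_AGENT, requestParameters={"userName": "dave"}),
    # Denied call (errorCode present): nothing changed.
    _ev("evt-4", "UpdateLoginProfile", "alice", "2024-05-01T10:03:00Z", "203.0.113.10",
        requestParameters={"userName": "dave"}, errorCode="AccessDenied"),
    # alice gives bob a console password, then bob signs in from the same IP.
    _ev("evt-5", "CreateLoginProfile", "alice", "2024-05-01T10:04:00Z", "203.0.113.10",
        requestParameters={"userName": "bob", "passwordResetRequired": False}),
    _ev("evt-6", "ConsoleLogin", "bob", "2024-05-01T10:06:00Z", "203.0.113.10",
        user_agent="Mozilla/5.0"),
    # Later login from a different IP does not satisfy the join.
    _ev("evt-7", "ConsoleLogin", "bob", "2024-05-01T10:30:00Z", "198.51.100.5",
        user_agent="Mozilla/5.0"),
]

if __name__ == "__main__":
    for ev in cross_user_credential_events(SAMPLE_EVENTS):
        print("cross-user credential change:", ev["eventID"], actor_name(ev), "->", target_name(ev))
    for create, login in login_profile_then_console_login(SAMPLE_EVENTS):
        print("login profile then login:", create["eventID"], login["eventID"])
```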

Detect New Open S3 buckets

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket.

Detection logic

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl 
| rex field=_raw "(?<json_field>{.+})" 
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} 
| search grantees=* 
| mvexpand grantees 
| spath input=grantees output=uri path=Grantee.URI 
| spath input=grantees output=permission path=Permission 
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") 
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") 
| rename requestParameters.bucketName AS bucketName 
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_filter` 

Detect New Open S3 Buckets over AWS CLI

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the AWS CLI.

Detection logic

`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") 
| rename requestParameters.bucketName AS bucketName 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_over_aws_cli_filter` 
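An added Python example (not the page's or the project's code) that evaluates both PutBucketAcl request shapes the two rules above cover: the full AccessControlPolicy body and the aws cli canned-grant headers; going beyond the CLI rule, it also treats x-amz-grant-read as a public grant. Events, bucket names and the canonical-user ID are constructed.

```python
from typing import Any, Dict, List, Tuple

PUBLIC_GRANTEE_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
RISKY_PERMISSIONS = {"READ", "READ_ACP", "WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Canned-grant request headers (aws s3api put-bucket-acl --grant-*) as CloudTrail
# records them under requestParameters.accessControlList, and the permission each sets.
GRANT_HEADERS = {
    "x-amz-grant-read": "READ",
    "x-amz-grant-read-acp": "READ_ACP",
    "x-amz-grant-write": "WRITE",
    "x-amz-grant-write-acp": "WRITE_ACP",
    "x-amz-grant-full-control": "FULL_CONTROL",
}


def _as_list(value: Any) -> List[Any]:
    """A single XML Grant becomes an object after conversion; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_grants(event: Dict[str, Any]) -> List[Tuple[str, str]]:
    """(group, permission) pairs in a PutBucketAcl event that open the bucket to
    AllUsers or AuthenticatedUsers, from either request shape."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") != "PutBucketAcl":
        return []
    params = event.get("requestParameters") or {}
    found = set()
    # Shape 1: full ACL document, AccessControlPolicy.AccessControlList.Grant[]
    acl = (params.get("AccessControlPolicy") or {}).get("AccessControlList") or {}
    for grant in _as_list(acl.get("Grant")):
        grantee = grant.get("Grantee") or {}
        group = PUBLIC_GRANTEE_GROUPS.get(grantee.get("URI"))
        permission = grant.get("Permission")
        if group and permission in RISKY_PERMISSIONS:
            found.add((group, permission))
    # Shape 2: canned grant headers; the value names the grantee, e.g. uri="http://.../AllUsers"
    headers = params.get("accessControlList") or {}
    for header, permission in GRANT_HEADERS.items():
        value = headers.get(header) or ""
        for uri, group in PUBLIC_GRANTEE_GROUPS.items():
            if uri in value:
                found.add((group, permission))
    return sorted(found)


def public_bucket_acl_changes(events: List[Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """bucket name -> who opened it, from which client, and the public grants
    (the counterpart of the rules' stats stage)."""
    out: Dict[str, Dict[str, Any]] = {}
    for ev in events:
        grants = public_grants(ev)
        if not grants:
            continue
        bucket = (ev.get("requestParameters") or {}).get("bucketName")
        entry = out.setdefault(bucket, {
            "user_arn": (ev.get("userIdentity") or {}).get("arn"),
            "userAgent": ev.get("userAgent"),
            "grants": [],
        })
        entry["grants"] = sorted(set(entry["grants"]) | set(grants))
    return out


def _ev(event_id: str, bucket: str, params: Dict[str, Any], user_agent: str) -> Dict[str, Any]:
    """Build a minimal constructed CloudTrail record (not a real capture)."""
    return {
        "eventID": event_id, "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"},
        "userAgent": user_agent,
        "requestParameters": {"bucketName": bucket, **params},
    }


ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS_URI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
OWNER_GRANT = {"Grantee": {"xsi:type": "CanonicalUser", "ID": "example-canonical-id"},
               "Permission": "FULL_CONTROL"}

# Constructed sample events.
SAMPLE_EVENTS = [
    # SDK upload of a full ACL: owner plus public READ.
    _ev("evt-1", "reports-bucket", {"AccessControlPolicy": {"AccessControlList": {"Grant": [
        OWNER_GRANT, {"Grantee": {"xsi:type": "Group", "URI": ALL_USERS_URI}, "Permission": "READ"}]}}},
        "Boto3/1.34.0"),
    # A lone Grant arrives as an object rather than a list.
    _ev("evt-2", "logs-bucket", {"AccessControlPolicy": {"AccessControlList": {"Grant":
        {"Grantee": {"xsi:type": "Group", "URI": AUTH_USERS_URI}, "Permission": "WRITE_ACP"}}}},
        "Boto3/1.34.0"),
    # aws cli canned grants: full control to AllUsers, read to one canonical user.
    _ev("evt-3", "uploads-bucket", {"accessControlList": {
        "x-amz-grant-full-control": 'uri="' + ALL_USERS_URI + '"',
        "x-amz-grant-read": 'id="example-canonical-id"'}}, "aws-cli/2.15.0"),
    # Private ACL: owner only, nothing to report.
    _ev("evt-4", "private-bucket", {"AccessControlPolicy": {"AccessControlList": {"Grant": [OWNER_GRANT]}}},
        "Boto3/1.34.0"),
]

if __name__ == "__main__":
    for bucket, info in public_bucket_acl_changes(SAMPLE_EVENTS).items():
        print(bucket, info["user_arn"], info["userAgent"], info["grants"])
```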

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A wide-open AWS IAM policy, especially one introduced as a new policy version through the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are risky because they grant more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`
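
The wildcard-action test from the rule above, applied to CloudTrail records in Python. This is an added example, not the page's own code: it walks `Statement{}`, keeps `Effect=Allow`, and flags any `Action` that matches the rule's regular expression (`*` or `<service>:*`); `Resource` is not examined because the rule does not examine it. It assumes `requestParameters.policyDocument` arrives as the JSON text CloudTrail records and that `user_arn` maps to `userIdentity.arn`. The sample events are constructed.

```python
"""Added example (not part of the page's rule set): the wildcard-action test
from the CreatePolicyVersion rule, applied to CloudTrail records in Python.

Assumptions: requestParameters.policyDocument is the JSON text CloudTrail
records (the SPL's spath call reads it the same way); user_arn maps to
userIdentity.arn. Sample events below are constructed.
"""
import json
import re

# The rule's regex: a bare "*" or "<service>:*".
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def _as_list(value):
    """IAM allows Statement and Action to be a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_allow_statements(policy_document):
    """Return the Allow statements whose Action contains a wildcard action."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    flagged = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if any(WILDCARD_ACTION.match(a) for a in _as_list(stmt.get("Action"))):
            flagged.append(stmt)
    return flagged


def detect_wildcard_policy_versions(events):
    """Mirror the rule: successful CreatePolicyVersion calls to IAM whose new
    version contains at least one wildcard Allow statement."""
    hits = []
    for ev in events:
        if ev.get("eventName") != "CreatePolicyVersion":
            continue
        if ev.get("eventSource") != "iam.amazonaws.com" or "errorCode" in ev:
            continue
        params = ev.get("requestParameters", {})
        stmts = wildcard_allow_statements(params.get("policyDocument", "{}"))
        if stmts:
            hits.append({
                "user_arn": ev.get("userIdentity", {}).get("arn"),
                "policyArn": params.get("policyArn"),
                "policy_added": stmts,
            })
    return hits


def _event(policy, arn="arn:aws:iam::111122223333:user/dev-bob", error=None):
    """Build a constructed CloudTrail-shaped record (placeholder account id)."""
    ev = {
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreatePolicyVersion",
        "userIdentity": {"arn": arn},
        "requestParameters": {
            "policyArn": "arn:aws:iam::111122223333:policy/app-policy",
            "policyDocument": json.dumps(policy),
            "setAsDefault": True,
        },
    }
    if error:
        ev["errorCode"] = error
    return ev


# Constructed sample records: full wildcard, scoped actions, a Deny wildcard,
# a service wildcard, and a failed call.
SAMPLE_EVENTS = [
    _event({"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}),
    _event({"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                                                   "Resource": "arn:aws:s3:::app-bucket/*"}]}),
    _event({"Version": "2012-10-17", "Statement": {"Effect": "Deny", "Action": "*", "Resource": "*"}}),
    _event({"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"}]}),
    _event({"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
           error="AccessDenied"),
]

if __name__ == "__main__":
    for hit in detect_wildcard_policy_versions(SAMPLE_EVENTS):
        print(hit["user_arn"], hit["policyArn"], hit["policy_added"])
```

Of the five constructed events only the first and fourth are reported: the scoped S3 policy has no wildcard action, the Deny statement is filtered by the Effect test, and the failed call never reaches the policy check. A partial wildcard such as `s3:Get*` is not matched by the rule's regular expression, which is worth knowing when tuning coverage.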

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the old victim (user A).

Detection logic

`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`
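
The actor-versus-target comparison that the UpdateLoginProfile and CreateAccessKey rules above share (and that the ASL CreateAccessKey rule makes on `identity.user.name` against `responseElements.accessKey.userName` once the unmapped array has been expanded), applied to CloudTrail records in Python. This is an added example, not the page's own code. It offers two comparison modes: `exact=True` compares the two user names as strings, while `exact=False` reproduces the SPL `match(userIdentity.userName, requestParameters.userName)`, whose second argument is treated as a regular expression, so a target name that is a substring of the actor's name suppresses the event. The sample events are constructed.

```python
"""Added example (not part of the page's rule set): the actor-versus-target
check shared by the UpdateLoginProfile and CreateAccessKey rules, applied to
CloudTrail records in Python.

Both rules keep successful, non-console calls where userIdentity.userName
differs from requestParameters.userName. Sample events are constructed.
"""
import re

CONSOLE_UA = "console.amazonaws.com"
CROSS_USER_EVENTS = {"UpdateLoginProfile", "CreateAccessKey"}


def names_match(actor, target, exact=True):
    """exact=True: plain string equality.
    exact=False: the SPL match() semantics, where the target name is used as
    a regular expression against the actor name."""
    if exact:
        return actor == target
    return re.search(target, actor) is not None


def cross_user_credential_changes(events, exact=True):
    """Mirror the rules: successful, non-console UpdateLoginProfile or
    CreateAccessKey calls whose target user is not the caller."""
    hits = []
    for ev in events:
        if ev.get("eventName") not in CROSS_USER_EVENTS:
            continue
        if ev.get("userAgent") == CONSOLE_UA or "errorCode" in ev:
            continue
        actor = ev.get("userIdentity", {}).get("userName")
        target = ev.get("requestParameters", {}).get("userName")
        # CreateAccessKey without userName acts on the caller itself (IAM
        # derives the user from the signing key), so there is no second user.
        if actor is None or target is None:
            continue
        if not names_match(actor, target, exact):
            hits.append({
                "eventName": ev["eventName"],
                "actor": actor,
                "target": target,
                "src": ev.get("sourceIPAddress"),
                "userAgent": ev.get("userAgent"),
            })
    return hits


def _event(name, actor, target, ua="aws-cli/2.15.0", error=None):
    """Build a constructed CloudTrail-shaped record."""
    ev = {
        "eventSource": "iam.amazonaws.com",
        "eventName": name,
        "sourceIPAddress": "198.51.100.7",
        "userAgent": ua,
        "userIdentity": {"type": "IAMUser", "userName": actor},
        "requestParameters": {} if target is None else {"userName": target},
    }
    if error:
        ev["errorCode"] = error
    return ev


# Constructed sample records.
SAMPLE_EVENTS = [
    _event("UpdateLoginProfile", "bob", "carol"),                       # cross-user: reported
    _event("CreateAccessKey", "bob", "bob"),                            # self: suppressed
    _event("CreateAccessKey", "alice-admin", "alice"),                  # reported only with exact=True
    _event("UpdateLoginProfile", "dave", "carol", ua=CONSOLE_UA),       # console: excluded
    _event("CreateAccessKey", "bob", "admin", error="AccessDenied"),    # failed: excluded
    _event("CreateAccessKey", "eve", None),                             # key for the caller: no target
]

if __name__ == "__main__":
    for mode in (True, False):
        hits = cross_user_credential_changes(SAMPLE_EVENTS, exact=mode)
        print("exact" if mode else "regex", [(h["eventName"], h["actor"], h["target"]) for h in hits])
```

With exact comparison the constructed sample yields two findings (bob acting on carol, and alice-admin acting on alice); with the regex semantics the second one disappears because `alice` matches inside `alice-admin`. Which behaviour is wanted is a tuning decision, but it is worth knowing that the two are not the same.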

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A who has already permission to update login profile, makes an API call to update login profile for another user B . Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B)

Detection logic

 `cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`
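The cross-user check shared by the UpdateLoginProfile and CreateAccessKey searches above, and by the ASL CreateAccessKey search, as an added example in Python. This is not code from the LoFP page or from the Splunk security content project; it reads constructed CloudTrail-format and Security Lake (OCSF) records, rebuilds the target user name from the OCSF `unmapped` key/value list the way the ASL search's mvzip/mvexpand/rex chain does, and flags successful non-console calls where the actor is not the user whose credentials change. The sample user names, user agents and the assumption that a null `api.response.error` means success are mine, not the page's.

```python
"""Cross-user IAM credential changes from CloudTrail and Security Lake records.

Added example; not part of the LoFP page or of the Splunk searches it lists.
"""
import re
from typing import Optional

# Constructed sample records, not real log data.
SAMPLE_EVENTS = [
    # alice creates a key for bob from the CLI: cross-user, should be flagged
    {"eventName": "CreateAccessKey", "userAgent": "aws-cli/2.15.0", "errorCode": "success",
     "userIdentity": {"userName": "alice"}, "requestParameters": {"userName": "bob"}},
    # bob rotates his own key: same user, not flagged
    {"eventName": "CreateAccessKey", "userAgent": "aws-cli/2.15.0", "errorCode": "success",
     "userIdentity": {"userName": "bob"}, "requestParameters": {"userName": "bob"}},
    # alice resets carol's console password from the CLI: flagged
    {"eventName": "UpdateLoginProfile", "userAgent": "aws-cli/2.15.0", "errorCode": "success",
     "userIdentity": {"userName": "alice"}, "requestParameters": {"userName": "carol"}},
    # the same change made in the console: dropped by the userAgent filter
    {"eventName": "UpdateLoginProfile", "userAgent": "console.amazonaws.com", "errorCode": "success",
     "userIdentity": {"userName": "alice"}, "requestParameters": {"userName": "carol"}},
    # bob2 creates a key for bob: cross-user, but a regex match() treats it as self-service
    {"eventName": "CreateAccessKey", "userAgent": "aws-cli/2.15.0", "errorCode": "success",
     "userIdentity": {"userName": "bob2"}, "requestParameters": {"userName": "bob"}},
    # Security Lake (OCSF) record: the target user is only present under "unmapped"
    {"api": {"operation": "CreateAccessKey", "response": {"error": None}},
     "http_request": {"user_agent": "aws-cli/2.15.0"}, "identity": {"user": {"name": "alice"}},
     "unmapped": [{"key": "responseElements.accessKey.userName", "value": "dave"},
                  {"key": "responseElements.accessKey.status", "value": "Active"}]},
]

WATCHED_OPERATIONS = {"CreateAccessKey", "UpdateLoginProfile"}
CONSOLE_USER_AGENT = "console.amazonaws.com"


def flatten_unmapped(record: dict) -> dict:
    """Turn the OCSF 'unmapped' list of {key, value} pairs into a flat dict
    (what the ASL search's mvzip / mvexpand / rex / eval {key}=value chain does)."""
    return {kv["key"]: kv["value"] for kv in record.get("unmapped", [])}


def normalize(record: dict) -> Optional[dict]:
    """Reduce a CloudTrail or Security Lake record to the fields the rule needs."""
    if "eventName" in record:                               # CloudTrail layout
        return {"operation": record.get("eventName"),
                "actor": record.get("userIdentity", {}).get("userName"),
                "target": record.get("requestParameters", {}).get("userName"),
                "user_agent": record.get("userAgent", ""),
                "success": record.get("errorCode") == "success"}
    if "api" in record:                                     # OCSF / Security Lake layout
        extra = flatten_unmapped(record)
        return {"operation": record["api"].get("operation"),
                "actor": record.get("identity", {}).get("user", {}).get("name"),
                "target": extra.get("responseElements.accessKey.userName"),
                "user_agent": record.get("http_request", {}).get("user_agent", ""),
                # assumption: a null api.response.error means the call succeeded
                "success": record["api"].get("response", {}).get("error") is None}
    return None


def cross_user_credential_events(records, exact: bool = True):
    """Return (operation, actor, target) for successful, non-console calls in
    which the actor changed another user's credentials.

    exact=True compares user names literally. exact=False reproduces the SPL
    match(userIdentity.userName, requestParameters.userName) regex test, which
    treats 'bob2' acting on 'bob' as the same user and therefore misses it."""
    hits = []
    for record in records:
        n = normalize(record)
        if n is None or n["operation"] not in WATCHED_OPERATIONS:
            continue
        if not n["success"] or n["user_agent"] == CONSOLE_USER_AGENT:
            continue
        if not n["actor"] or not n["target"]:
            continue
        if exact:
            same_user = n["actor"] == n["target"]
        else:
            try:
                same_user = re.search(n["target"], n["actor"]) is not None
            except re.error:        # user names may contain regex metacharacters
                same_user = False
        if not same_user:
            hits.append((n["operation"], n["actor"], n["target"]))
    return hits


if __name__ == "__main__":
    for hit in cross_user_credential_events(SAMPLE_EVENTS):
        print("cross-user credential change:", hit)
```

Running the block with `exact=False` shows the bob2/bob record disappearing from the results; the SPL `match()` call is a regex test, so a target name that is a substring of the actor name is treated as self-service. An exact comparison is the safer default for this rule.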

Detect New Open S3 buckets

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket.

Detection logic

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl 
| rex field=_raw "(?<json_field>{.+})" 
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} 
| search grantees=* 
| mvexpand grantees 
| spath input=grantees output=uri path=Grantee.URI 
| spath input=grantees output=permission path=Permission 
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") 
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") 
| rename requestParameters.bucketName AS bucketName 
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_filter` 

Detect New Open S3 Buckets over AWS CLI

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the AWS CLI.

Detection logic

`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") 
| rename requestParameters.bucketName AS bucketName 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_over_aws_cli_filter` 
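The grant parsing behind the two open-bucket searches above, as an added example in Python; it is not code from the LoFP page or from the Splunk security content project. It handles both request shapes the searches look at: an `AccessControlPolicy` body with `Grant` entries (API and SDK callers) and the `x-amz-grant-*` request headers the AWS CLI sends. It also checks `x-amz-grant-read`, which the CLI search above lists only in its stats clause, not in its filter. Bucket names, ARNs, canonical IDs and user agents are constructed.

```python
"""Public-grant detection for S3 PutBucketAcl CloudTrail events.

Added example; not part of the LoFP page or of the Splunk searches it lists.
"""

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
RISKY_PERMISSIONS = {"READ", "READ_ACP", "WRITE", "WRITE_ACP", "FULL_CONTROL"}

# Request header -> ACL permission it grants (x-amz-grant-read included).
GRANT_HEADERS = {
    "x-amz-grant-read": "READ",
    "x-amz-grant-read-acp": "READ_ACP",
    "x-amz-grant-write": "WRITE",
    "x-amz-grant-write-acp": "WRITE_ACP",
    "x-amz-grant-full-control": "FULL_CONTROL",
}

OWNER = "0123abcd-constructed-canonical-id"   # constructed canonical user id

# Constructed sample events, not real CloudTrail data.
SAMPLE_EVENTS = [
    # SDK caller: body form, grants AllUsers READ next to the owner's FULL_CONTROL
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-user"},
     "requestParameters": {"bucketName": "example-public-assets",
                           "AccessControlPolicy": {"AccessControlList": {"Grant": [
                               {"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                                "Permission": "READ"},
                               {"Grantee": {"ID": OWNER}, "Permission": "FULL_CONTROL"}]}}}},
    # CLI caller: header form, AuthenticatedUsers gets FULL_CONTROL
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userAgent": "[aws-cli/2.15.0 Python/3.11.6 Linux/6.1.0 exe/x86_64]",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-user"},
     "requestParameters": {"bucketName": "example-shared-data",
                           "accessControlList": {"x-amz-grant-full-control":
                               'uri="http://acs.amazonaws.com/groups/global/AuthenticatedUsers"'}}},
    # private ACL change: a single canonical-user grant, serialized as an object
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-user"},
     "requestParameters": {"bucketName": "example-private",
                           "AccessControlPolicy": {"AccessControlList": {"Grant":
                               {"Grantee": {"ID": OWNER}, "Permission": "FULL_CONTROL"}}}}},
]


def grants_from_policy(request_params):
    """Yield (grantee_uri, permission) from an AccessControlPolicy body."""
    grants = (request_params.get("AccessControlPolicy", {})
              .get("AccessControlList", {}).get("Grant", []))
    if isinstance(grants, dict):          # one grant arrives as an object, not a list
        grants = [grants]
    for grant in grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri:
            yield uri, grant.get("Permission")


def grants_from_headers(request_params):
    """Yield (grantee_uri, permission) from x-amz-grant-* header values such as
    'id="...", uri="http://acs.amazonaws.com/groups/global/AllUsers"'."""
    headers = request_params.get("accessControlList", {})
    for header, permission in GRANT_HEADERS.items():
        for part in (headers.get(header) or "").split(","):
            part = part.strip()
            if part.startswith("uri="):
                yield part[len("uri="):].strip('"'), permission


def public_bucket_acl_changes(events):
    """Return one finding per (bucket, public grantee, permission) written."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") != "PutBucketAcl":
            continue
        rp = ev.get("requestParameters", {})
        grants = list(grants_from_policy(rp)) + list(grants_from_headers(rp))
        public = sorted({(uri.rsplit("/", 1)[-1], perm) for uri, perm in grants
                         if uri in PUBLIC_GRANTEES and perm in RISKY_PERMISSIONS})
        for grantee, perm in public:
            findings.append({"bucket": rp.get("bucketName"),
                             "user_arn": ev.get("userIdentity", {}).get("arn"),
                             "grantee": grantee, "permission": perm})
    return findings


if __name__ == "__main__":
    for f in public_bucket_acl_changes(SAMPLE_EVENTS):
        print(f"{f['bucket']}: {f['grantee']} granted {f['permission']} by {f['user_arn']}")
```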

ASL AWS Defense Evasion Delete Cloudtrail

Description

This analytic identifies AWS DeleteTrail events within CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteTrail 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`

AWS Defense Evasion Stop Logging Cloudtrail

Description

This analytic identifies StopLogging events in CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may easily stop logging.

Detection logic

`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `aws_defense_evasion_stop_logging_cloudtrail_filter`

AWS Defense Evasion Delete Cloudtrail

Description

This analytic identifies AWS DeleteTrail events within CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`

AWS Lambda UpdateFunctionCode

Description

This analytic is designed to detect IAM users attempting to update or modify AWS Lambda function code via the AWS CLI to gain persistence, further access into your AWS environment, and to facilitate planting backdoors. In this instance, an attacker may upload malicious code or a binary to a Lambda function, which will be executed automatically when the function is triggered.

Detection logic

`cloudtrail` eventSource=lambda.amazonaws.com eventName=UpdateFunctionCode*  errorCode = success  user_type=IAMUser 
| stats  count min(_time) as firstTime max(_time) as lastTime  values(requestParameters.functionName) as function_updated by src_ip user_arn user_agent user_type eventName aws_account_id 
|`aws_lambda_updatefunctioncode_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`
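An added example in Python of what the `stats` clauses in the StopLogging, DeleteTrail and DeleteLogGroup searches above compute; it is not code from the LoFP page or from the Splunk security content project. It applies the same filters (event name and source, non-console user agent, successful call) to constructed raw CloudTrail records and groups the survivors by actor, source address and event name, producing count, firstTime, lastTime and the set of trail or log group names touched. One caveat the example encodes: raw CloudTrail omits `errorCode` on success, while the searches rely on the Splunk add-on populating `errorCode=success`, so a rule ported to another pipeline has to treat the absent field as success. ARNs, addresses, times and resource names are constructed.

```python
"""Summarise CloudTrail logging-impairment events the way the stats clauses do.

Added example; not part of the LoFP page or of the Splunk searches it lists.
"""
from datetime import datetime, timezone

# eventName -> (expected eventSource, requestParameters field naming the resource)
IMPAIRMENT_EVENTS = {
    "StopLogging": ("cloudtrail.amazonaws.com", "name"),
    "DeleteTrail": ("cloudtrail.amazonaws.com", "name"),
    "DeleteLogGroup": ("logs.amazonaws.com", "logGroupName"),
}
CONSOLE_USER_AGENT = "console.amazonaws.com"

ACTOR = "arn:aws:iam::123456789012:user/mallory"   # constructed
ADMIN = "arn:aws:iam::123456789012:user/admin"     # constructed
CLI = "aws-cli/2.15.0"


def _event(name, source, time, arn, ip, ua, params, error=None):
    """Build a minimal constructed CloudTrail record (not real log data)."""
    ev = {"eventName": name, "eventSource": source, "eventTime": time,
          "userIdentity": {"arn": arn}, "sourceIPAddress": ip,
          "userAgent": ua, "requestParameters": params}
    if error:                       # raw CloudTrail only carries errorCode on failure
        ev["errorCode"] = error
    return ev


SAMPLE_EVENTS = [
    _event("StopLogging", "cloudtrail.amazonaws.com", "2024-05-01T10:00:00Z",
           ACTOR, "203.0.113.5", CLI, {"name": "org-trail"}),
    _event("DeleteTrail", "cloudtrail.amazonaws.com", "2024-05-01T10:02:00Z",
           ACTOR, "203.0.113.5", CLI, {"name": "org-trail"}),
    _event("DeleteTrail", "cloudtrail.amazonaws.com", "2024-05-01T10:03:00Z",
           ACTOR, "203.0.113.5", CLI, {"name": "mgmt-trail"}, error="AccessDenied"),
    _event("DeleteLogGroup", "logs.amazonaws.com", "2024-05-01T10:05:00Z",
           ACTOR, "203.0.113.5", CLI, {"logGroupName": "/aws/lambda/prod-api"}),
    _event("StopLogging", "cloudtrail.amazonaws.com", "2024-05-01T10:30:00Z",
           ACTOR, "203.0.113.5", CLI, {"name": "audit-trail"}),
    _event("DeleteLogGroup", "logs.amazonaws.com", "2024-05-01T11:00:00Z",
           ADMIN, "198.51.100.7", CONSOLE_USER_AGENT, {"logGroupName": "/aws/lambda/test"}),
]


def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impairment_summary(events):
    """Group matching events by (user_arn, src_ip, eventName) and return
    count / firstTime / lastTime / resources for each group."""
    groups = {}
    for ev in events:
        name = ev.get("eventName")
        if name not in IMPAIRMENT_EVENTS:
            continue
        source, resource_field = IMPAIRMENT_EVENTS[name]
        if ev.get("eventSource") != source:
            continue
        if ev.get("userAgent") == CONSOLE_USER_AGENT:      # userAgent != console filter
            continue
        if "errorCode" in ev:                              # failed call, not "success"
            continue
        key = (ev["userIdentity"]["arn"], ev["sourceIPAddress"], name)
        t = _parse_time(ev["eventTime"])
        g = groups.setdefault(key, {"count": 0, "firstTime": t, "lastTime": t, "resources": set()})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], t)
        g["lastTime"] = max(g["lastTime"], t)
        resource = ev.get("requestParameters", {}).get(resource_field)
        if resource:
            g["resources"].add(resource)
    return groups


if __name__ == "__main__":
    for (arn, ip, name), g in impairment_summary(SAMPLE_EVENTS).items():
        print(f"{name:15} {arn} from {ip}: {g['count']} call(s), "
              f"{g['firstTime']:%H:%M}-{g['lastTime']:%H:%M}, {sorted(g['resources'])}")
```

Grouping by event name, as the searches do, keeps StopLogging, DeleteTrail and DeleteLogGroup rows separate; for triage it is often more useful to look at the three groups for the same actor and address together, since the sample shows one identity working through trail and log group deletion within minutes.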

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`
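The wildcard-action check from the CreatePolicyVersion search above, as an added example in Python; it is not code from the LoFP page or from the Splunk security content project. It applies the search's own pattern, `^(\*|[\w-]+:\*)$`, to every Allow statement, and handles two shapes the SPL glosses over: `Action` given as a list rather than a string, and the policy document arriving as a JSON string inside `requestParameters.policyDocument`, which is how CloudTrail records it. Policy ARNs, the user ARN and the sample documents are constructed; the `setAsDefault` request parameter carried through to the finding is the API's own field and is worth checking during triage, since a version that is not the default does not take effect until it is made so.

```python
"""Flag CreatePolicyVersion events whose new policy document allows wildcard actions.

Added example; not part of the LoFP page or of the Splunk search it lists.
"""
import json
import re

WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")   # the search's own pattern


def wildcard_allow_statements(policy_document):
    """Return the Allow statements that grant '*' or 'service:*' actions.

    Accepts the document as a dict or as the JSON string CloudTrail stores."""
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    statements = policy_document.get("Statement", [])
    if isinstance(statements, dict):            # a lone statement may be an object
        statements = [statements]
    hits = []
    for statement in statements:
        if statement.get("Effect") != "Allow":
            continue
        actions = statement.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        wild = [a for a in actions if WILDCARD_ACTION.match(a)]
        if wild:
            hits.append({"actions": wild, "resource": statement.get("Resource")})
    return hits


def overly_permissive_policy_versions(events):
    """Return one finding per successful CreatePolicyVersion with wildcard Allow statements."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com" or ev.get("eventName") != "CreatePolicyVersion":
            continue
        if "errorCode" in ev:                   # raw CloudTrail sets errorCode only on failure
            continue
        rp = ev.get("requestParameters", {})
        hits = wildcard_allow_statements(rp.get("policyDocument") or "{}")
        if hits:
            findings.append({"policy_arn": rp.get("policyArn"),
                             "user_arn": ev.get("userIdentity", {}).get("arn"),
                             "set_as_default": rp.get("setAsDefault", False),
                             "statements": hits})
    return findings


def _event(policy_arn, document, set_default=True, error=None):
    """Build a constructed CreatePolicyVersion CloudTrail record (not real data)."""
    ev = {"eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
          "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-user"},
          "requestParameters": {"policyArn": policy_arn, "setAsDefault": set_default,
                                "policyDocument": json.dumps(document)}}
    if error:
        ev["errorCode"] = error
    return ev


SAMPLE_EVENTS = [
    # full wildcard next to a scoped statement: flagged on the first statement only
    _event("arn:aws:iam::123456789012:policy/app-role-policy", {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                      {"Effect": "Allow", "Action": ["s3:GetObject"],
                       "Resource": "arn:aws:s3:::example-bucket/*"}]}),
    # single statement object, Action as a list, service-wide wildcard for iam
    _event("arn:aws:iam::123456789012:policy/ops-policy", {
        "Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Action": ["ec2:Describe*", "iam:*"], "Resource": "*"}},
        set_default=False),
    # Deny-only guardrail: wildcard, but not an Allow, so not flagged
    _event("arn:aws:iam::123456789012:policy/guardrail", {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}),
    # same as the first document but the call failed: excluded
    _event("arn:aws:iam::123456789012:policy/app-role-policy", {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}, error="AccessDenied"),
]


if __name__ == "__main__":
    for f in overly_permissive_policy_versions(SAMPLE_EVENTS):
        print(f"{f['policy_arn']} (default={f['set_as_default']}): {f['statements']}")
```

The search's regex only matches a bare `*` or a whole-service wildcard such as `iam:*`; partial wildcards like `ec2:Describe*` and statements that name specific actions against `Resource: "*"` pass through, as the sample shows. Broadening the pattern is a tuning decision for the environment, not something the listed rule does.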

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a new version of an IAM policy whose document contains an Allow statement with a wildcard action: either * on its own or <service>:* such as iam:*, which is what the regex in the search matches (partial wildcards such as s3:Get* are not matched). A widely open IAM policy, especially one introduced through CreatePolicyVersion, grants extensive permissions across a broad range of resources. Such policies are risky because they provide more permissions than necessary, violating the principle of least privilege. When triaging a hit, also check requestParameters.setAsDefault: only the default policy version is enforced, so a permissive version that was not set as default does nothing until someone switches to it.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`
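
To show what the regex above accepts, and how the two shapes of Action (a string or a list) and of Statement (an object or a list) are handled, here is an added Python example; it is not code from the original page or from Splunk's security content, and the CloudTrail records in it are constructed. It also carries requestParameters.setAsDefault into the result and, as an extension of the rule, flags Allow statements that use NotAction, which grant everything except the listed actions and which the regex cannot see.

```python
"""Flag CreatePolicyVersion calls whose new policy document grants wildcard actions.

Added example; not code from the original page or from Splunk's security content.
The CloudTrail records are constructed samples.
"""
import json
import re
from typing import Any, Dict, List

# Same pattern as the SPL regex: "*" on its own, or "<service>:*" such as "iam:*".
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def _as_list(value: Any) -> List[Any]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def risky_allow_statements(policy_document: Any) -> List[Dict]:
    """Return the Allow statements with a wildcard Action, plus any Allow using NotAction.

    CloudTrail logs requestParameters.policyDocument as a JSON string (which is why the
    search parses it with spath); an already-parsed dict is accepted as well.  Action may
    be a string or a list, and Statement an object or a list."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    flagged = []
    for statement in _as_list(doc.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        if "NotAction" in statement:   # "everything except ..." is wider than any wildcard
            flagged.append(statement)
            continue
        if any(WILDCARD_ACTION.match(a) for a in _as_list(statement.get("Action"))):
            flagged.append(statement)
    return flagged


def detect_wildcard_policy_versions(events: List[Dict]) -> List[Dict]:
    """Mirror the search: successful iam CreatePolicyVersion calls with a risky Allow."""
    hits = []
    for e in events:
        if e.get("eventName") != "CreatePolicyVersion" or e.get("eventSource") != "iam.amazonaws.com":
            continue
        if e.get("errorCode"):              # CloudTrail omits errorCode on success
            continue
        params = e.get("requestParameters") or {}
        flagged = risky_allow_statements(params.get("policyDocument") or "{}")
        if flagged:
            hits.append({
                "user": e.get("userIdentity", {}).get("userName"),
                "policy_arn": params.get("policyArn"),
                # only the default version is enforced; a non-default version is dormant
                "set_as_default": bool(params.get("setAsDefault")),
                "policy_added": flagged,
            })
    return hits


def _event(user: str, document: Dict, set_default: bool = True, error: str = "") -> Dict:
    """Build a constructed CreatePolicyVersion record."""
    e = {
        "eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "userName": user},
        "requestParameters": {
            "policyArn": "arn:aws:iam::123456789012:policy/app-policy",
            "policyDocument": json.dumps(document),   # a string, as CloudTrail records it
            "setAsDefault": set_default,
        },
    }
    if error:
        e["errorCode"] = error
    return e


# Constructed sample records.
SAMPLE_EVENTS = [
    _event("dev-alice", {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "iam:*"], "Resource": "*"}]}),  # iam:* -> hit
    _event("dev-alice", {"Version": "2012-10-17", "Statement":
        {"Effect": "Allow", "Action": "*", "Resource": "*"}}, set_default=False),      # "*" -> hit, dormant
    _event("ci-deploy", {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app/*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"}]}),                         # wildcard only in Deny -> no hit
    _event("dev-alice", {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]}),                # NotAction -> hit (extension)
    _event("dev-alice", {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}, error="AccessDenied"), # denied -> no hit
]


if __name__ == "__main__":
    for hit in detect_wildcard_policy_versions(SAMPLE_EVENTS):
        print(hit["user"], hit["policy_arn"], "default" if hit["set_as_default"] else "not default")
```

The Deny statement with Action * is deliberately not reported: it narrows the policy rather than widening it, and the search's effect=Allow filter has the same effect.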

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While access keys are legitimately created by developers and administrators for API access, their creation can also indicate malicious activity: attackers who have gained unauthorized access to an AWS environment may create access keys to establish persistence or to exfiltrate data through the APIs. Because access keys authenticate to AWS services without any further interaction, they are particularly attractive to an actor trying to stay under the radar, so access key creation events deserve scrutiny, especially when they accompany unusual activity or come from users who do not normally perform them. This hunting query identifies a potentially compromised user creating an IAM access key for another user, who may have higher privileges, which can be a sign of privilege escalation. In the Security Lake (OCSF) data the target user name is carried in the unmapped{} key/value array rather than in a mapped field, so the search unpacks those pairs to recover responseElements.accessKey.userName and compares it with the caller's identity.user.name, keeping only mismatches. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile (console password) of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the original victim (user A). The self-service exclusion uses match(), a regular-expression test of the caller's name against the target's name, so when the target name is a substring of the caller's name (caller bob-admin, target bob) the event is treated as self-service and suppressed; an exact string comparison avoids that gap.

Detection logic

 `cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While access keys are legitimately created by developers and administrators for API access, their creation can also indicate malicious activity: attackers who have gained unauthorized access to an AWS environment may create access keys to establish persistence or to exfiltrate data through the APIs. Because access keys authenticate to AWS services without any further interaction, they are particularly attractive to an actor trying to stay under the radar, so access key creation events deserve scrutiny, especially when they accompany unusual activity or come from users who do not normally perform them. This hunting query identifies a potentially compromised user creating an IAM access key for another user, who may have higher privileges, which can be a sign of privilege escalation. The search excludes console activity and failed calls and drops events where the caller and the target user (requestParameters.userName) are the same; that comparison uses match(), a regular-expression test, so a target name that is a substring of the caller's name is treated as the caller's own key and suppressed, and an exact comparison is stricter. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`
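
The CreateAccessKey and UpdateLoginProfile searches above share one decision: is the target of the call (requestParameters.userName) a different user than the caller? The Python below, an added example that is not code from the original page or from Splunk's security content, applies that test over constructed CloudTrail records for both operations. It uses an exact string comparison rather than the rules' match() regular-expression test, treats a missing UserName parameter as a self-service call (IAM then acts on the caller's own user), and mirrors the rules' exclusion of console activity and failed calls. rule_style_is_self reproduces the match() behaviour so the difference is visible on the bob-admin / bob case.

```python
"""Detect IAM credential operations whose target is a different user than the caller.

Added example for the CreateAccessKey and UpdateLoginProfile searches; not code from
the original page or from Splunk's security content.  Records are constructed samples.
"""
import re
from typing import Dict, List, Optional

CROSS_USER_OPERATIONS = {"CreateAccessKey", "UpdateLoginProfile"}
CONSOLE_USER_AGENT = "console.amazonaws.com"   # both searches exclude this value


def is_cross_user(event: Dict) -> bool:
    """True when requestParameters.userName names someone other than the caller.
    Without a UserName parameter IAM acts on the caller's own user, so that is self."""
    caller = event.get("userIdentity", {}).get("userName")
    target = (event.get("requestParameters") or {}).get("userName")
    if target is None:
        return False
    return target != caller


def rule_style_is_self(caller: Optional[str], target: Optional[str]) -> bool:
    """Reproduce the SPL test match(userIdentity.userName, requestParameters.userName):
    the caller's name is searched using the target's name as a regular expression."""
    if caller is None or target is None:
        return False
    return re.search(target, caller) is not None


def detect_cross_user_credential_ops(events: List[Dict]) -> List[Dict]:
    """Successful, non-console CreateAccessKey/UpdateLoginProfile calls on another user."""
    hits = []
    for e in events:
        if e.get("eventName") not in CROSS_USER_OPERATIONS:
            continue
        if e.get("eventSource") != "iam.amazonaws.com":
            continue
        if e.get("errorCode") or e.get("userAgent") == CONSOLE_USER_AGENT:
            continue
        if is_cross_user(e):
            hits.append({
                "operation": e["eventName"],
                "caller": e["userIdentity"].get("userName"),
                "caller_arn": e["userIdentity"].get("arn"),
                "target": e["requestParameters"]["userName"],
                "src_ip": e.get("sourceIPAddress"),
                "user_agent": e.get("userAgent"),
            })
    return hits


def _event(op: str, caller: str, target: Optional[str] = None,
           agent: str = "aws-cli/2.15.0", error: str = "") -> Dict:
    """Build a constructed CloudTrail record; no target means no UserName parameter."""
    e = {
        "eventName": op, "eventSource": "iam.amazonaws.com", "userAgent": agent,
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": caller,
                         "arn": f"arn:aws:iam::123456789012:user/{caller}"},
        "requestParameters": None if target is None else {"userName": target},
    }
    if error:
        e["errorCode"] = error
    return e


# Constructed sample records.
SAMPLE_EVENTS = [
    _event("CreateAccessKey", "dev-alice", "admin-bob"),                        # hit
    _event("CreateAccessKey", "dev-alice"),                                     # own key: no hit
    _event("UpdateLoginProfile", "bob-admin", "bob"),                           # hit; match() would suppress it
    _event("UpdateLoginProfile", "dev-alice", "admin-bob", agent=CONSOLE_USER_AGENT),  # console: excluded
    _event("CreateAccessKey", "dev-alice", "admin-bob", error="AccessDenied"),  # denied: no hit
]


if __name__ == "__main__":
    for hit in detect_cross_user_credential_ops(SAMPLE_EVENTS):
        print(hit["operation"], hit["caller"], "->", hit["target"])
```

The third sample is the interesting one: bob-admin resetting bob's password is a cross-user change, but because "bob" as a regular expression matches inside "bob-admin", the rules' match() test would classify it as self-service and the event would never reach the stats output.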

Detect New Open S3 buckets

Description

This search looks for AWS CloudTrail PutBucketAcl events in which the submitted AccessControlPolicy grants READ, READ_ACP, WRITE, WRITE_ACP or FULL_CONTROL to one of the two predefined public groups, AllUsers (http://acs.amazonaws.com/groups/global/AllUsers) or AuthenticatedUsers (http://acs.amazonaws.com/groups/global/AuthenticatedUsers), which makes the bucket readable or writable by anyone on the internet or by any AWS account respectively. The search does not filter on errorCode, so on accounts where S3 Block Public Access rejects such ACLs the matching events carry an AccessDenied error rather than a successful change; both are worth seeing, since the attempt itself is suspicious.

Detection logic

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl 
| rex field=_raw "(?<json_field>{.+})" 
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} 
| search grantees=* 
| mvexpand grantees 
| spath input=grantees output=uri path=Grantee.URI 
| spath input=grantees output=permission path=Permission 
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") 
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") 
| rename requestParameters.bucketName AS bucketName 
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_filter` 

Detect New Open S3 Buckets over AWS CLI

Description

This search looks for AWS CloudTrail events where a user has made an S3 bucket public from the AWS CLI. A bucket ACL set with the CLI's --grant-read, --grant-read-acp, --grant-write, --grant-write-acp or --grant-full-control options is recorded by CloudTrail as requestParameters.accessControlList.x-amz-grant-* values (for example uri=http://acs.amazonaws.com/groups/global/AllUsers) rather than as an AccessControlPolicy document, so this search matches those header values against the AllUsers and AuthenticatedUsers groups instead of parsing a policy. Two points to keep in mind when tuning it: eventName=PutBucketAcl is OR-ed with the grant conditions rather than AND-ed, so every CLI-originated PutBucketAcl matches regardless of grantee, as does any other CLI S3 call that carries one of those public grant headers (CreateBucket accepts them too), and x-amz-grant-read is displayed in the stats output but not tested in the filter. A canned ACL (--acl public-read) is a third request form that neither of the open-bucket searches examines.

Detection logic

`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") 
| rename requestParameters.bucketName AS bucketName 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_over_aws_cli_filter` 
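
Both open-bucket searches above answer the same question in two different request shapes: does a PutBucketAcl grant READ, READ_ACP, WRITE, WRITE_ACP or FULL_CONTROL to AllUsers or AuthenticatedUsers? The Python below, an added example that is not code from the original page or from Splunk's security content, checks the AccessControlPolicy document and the x-amz-grant-* header form in one function over constructed CloudTrail records. Going beyond the two searches, it also handles canned ACLs (public-read, public-read-write, authenticated-read); the placement of that value under requestParameters.x-amz-acl is an assumption, not something the page states. Rejected calls (errorCode AccessDenied, as S3 Block Public Access produces) are reported with their error code rather than dropped.

```python
"""Find PutBucketAcl calls that grant a public group access, in three request shapes.

Added example; not code from the original page or from Splunk's security content.
Records are constructed samples.  The canned-ACL shape (requestParameters.x-amz-acl)
is an assumption about CloudTrail's field placement, not something the page states.
"""
from typing import Dict, List, Tuple

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}
RISKY_PERMISSIONS = {"READ", "READ_ACP", "WRITE", "WRITE_ACP", "FULL_CONTROL"}
HEADER_PERMISSIONS = {      # CLI --grant-* options become these x-amz-grant-* values
    "x-amz-grant-read": "READ", "x-amz-grant-read-acp": "READ_ACP",
    "x-amz-grant-write": "WRITE", "x-amz-grant-write-acp": "WRITE_ACP",
    "x-amz-grant-full-control": "FULL_CONTROL",
}
CANNED_PUBLIC = {           # canned ACLs (--acl ...) that expose a bucket
    "public-read": [("AllUsers", "READ")],
    "public-read-write": [("AllUsers", "READ"), ("AllUsers", "WRITE")],
    "authenticated-read": [("AuthenticatedUsers", "READ")],
}


def _as_list(value) -> list:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_grants(event: Dict) -> List[Tuple[str, str]]:
    """Return sorted (group, permission) pairs granting AllUsers or AuthenticatedUsers."""
    params = event.get("requestParameters") or {}
    found = set()
    # Shape 1: AccessControlPolicy document (console, SDKs, CLI --access-control-policy).
    acl = (params.get("AccessControlPolicy") or {}).get("AccessControlList") or {}
    for grant in _as_list(acl.get("Grant")):          # a single grant may be logged as an object
        uri = (grant.get("Grantee") or {}).get("URI")
        if uri in PUBLIC_GROUPS and grant.get("Permission") in RISKY_PERMISSIONS:
            found.add((PUBLIC_GROUPS[uri], grant["Permission"]))
    # Shape 2: header grants, e.g. "uri=http://acs.amazonaws.com/groups/global/AllUsers".
    headers = params.get("accessControlList") or {}
    for header, permission in HEADER_PERMISSIONS.items():
        for uri, group in PUBLIC_GROUPS.items():
            if uri in str(headers.get(header, "")):
                found.add((group, permission))
    # Shape 3 (assumed placement): canned ACL header, logged as a string or a list.
    for canned in _as_list(params.get("x-amz-acl")):
        found.update(CANNED_PUBLIC.get(canned, []))
    return sorted(found)


def detect_public_bucket_acls(events: List[Dict]) -> List[Dict]:
    """Report every PutBucketAcl with a public grant; rejected calls keep their errorCode
    (AccessDenied is what S3 Block Public Access returns) instead of being dropped."""
    hits = []
    for e in events:
        if e.get("eventSource") != "s3.amazonaws.com" or e.get("eventName") != "PutBucketAcl":
            continue
        grants = public_grants(e)
        if grants:
            hits.append({"bucket": (e.get("requestParameters") or {}).get("bucketName"),
                         "user_arn": e.get("userIdentity", {}).get("arn"),
                         "user_agent": e.get("userAgent"), "error_code": e.get("errorCode"),
                         "grants": grants})
    return hits


def _event(bucket: str, params: Dict, agent: str = "aws-cli/2.15.0", error: str = "") -> Dict:
    """Build a constructed PutBucketAcl record."""
    e = {"eventName": "PutBucketAcl", "eventSource": "s3.amazonaws.com", "userAgent": agent,
         "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
         "requestParameters": {"bucketName": bucket, **params}}
    if error:
        e["errorCode"] = error
    return e


def _policy(*grants: Dict) -> Dict:
    grant = list(grants) if len(grants) > 1 else grants[0]   # single grant logged as an object
    return {"AccessControlPolicy": {"AccessControlList": {"Grant": grant}}}


# Constructed sample records.
SAMPLE_EVENTS = [
    _event("reports", _policy({"Grantee": {"xsi:type": "CanonicalUser", "ID": "abc123"}, "Permission": "FULL_CONTROL"},
                              {"Grantee": {"xsi:type": "Group", "URI": ALL_USERS}, "Permission": "READ"}),
           agent="console.amazonaws.com"),                                              # hit
    _event("uploads", {"accessControlList": {"x-amz-grant-read-acp": f"uri={AUTH_USERS}"}}),  # hit
    _event("logs", _policy({"Grantee": {"xsi:type": "Group",
                                        "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
                            "Permission": "WRITE"})),                                   # not public
    _event("www", {"x-amz-acl": ["public-read"]}),                                      # hit (assumed shape)
    _event("locked", _policy({"Grantee": {"xsi:type": "Group", "URI": ALL_USERS}, "Permission": "READ"}),
           error="AccessDenied"),                                                       # rejected, still reported
]
```

The LogDelivery grant on the logs bucket is the usual false-positive shape for the first search's spath path: it is a Group grantee with a URI, but not one of the two public groups, so it is correctly left alone.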

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the original victim (user A).

Detection logic

`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`
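The core of the UpdateLoginProfile and CreateAccessKey searches above is the "caller acted on a different user" comparison plus the user-agent and errorCode filters. The following is an added example, not Splunk's code: it applies the same filters and aggregation to constructed CloudTrail records (Splunk-normalised errorCode="success"), and includes a flag that reproduces SPL match(), whose regex semantics can suppress an event when the target name occurs inside the actor name; the default is an exact comparison.

```python
"""Cross-user credential change check, modelled on the UpdateLoginProfile and
CreateAccessKey searches above. Added example, not Splunk's code; the events
below are constructed and use the Splunk-normalised errorCode="success"."""
import re
from datetime import datetime

WATCHED_EVENTS = {"CreateAccessKey", "UpdateLoginProfile"}
CONSOLE_UA = "console.amazonaws.com"

# Constructed sample CloudTrail records (not real data).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "CreateAccessKey",
     "errorCode": "success", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"userName": "alice"}, "requestParameters": {"userName": "alice"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "CreateAccessKey",
     "errorCode": "success", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"userName": "alice"}, "requestParameters": {"userName": "admin-bob"}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventName": "UpdateLoginProfile",
     "errorCode": "success", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"userName": "alice"}, "requestParameters": {"userName": "admin-bob"}},
    {"eventTime": "2024-05-01T10:09:00Z", "eventName": "UpdateLoginProfile",
     "errorCode": "success", "userAgent": CONSOLE_UA,  # console action, filtered out
     "userIdentity": {"userName": "helpdesk"}, "requestParameters": {"userName": "carol"}},
    {"eventTime": "2024-05-01T10:11:00Z", "eventName": "CreateAccessKey",
     "errorCode": "AccessDenied", "userAgent": "aws-cli/2.15.0",  # failed call, filtered out
     "userIdentity": {"userName": "mallory"}, "requestParameters": {"userName": "admin-bob"}},
    {"eventTime": "2024-05-01T10:13:00Z", "eventName": "CreateAccessKey",
     "errorCode": "success", "userAgent": "Boto3/1.34",
     "userIdentity": {"userName": "admin-bob"}, "requestParameters": {"userName": "bob"}},
    {"eventTime": "2024-05-01T10:20:00Z", "eventName": "CreateAccessKey",
     "errorCode": "success", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"userName": "alice"}, "requestParameters": {"userName": "admin-bob"}},
]


def acted_on_other_user(event, use_regex=False):
    """True when the caller changed credentials for a different IAM user.

    use_regex=True reproduces SPL match(userIdentity.userName,
    requestParameters.userName), where the target name is used as a regex
    against the actor name: actor "admin-bob" acting on "bob" is then treated
    as a self-service change and suppressed. The default is an exact compare."""
    actor = event.get("userIdentity", {}).get("userName", "")
    target = event.get("requestParameters", {}).get("userName", "")
    if not actor or not target:
        return False
    if use_regex:
        return re.search(target, actor) is None
    return actor != target


def find_cross_user_changes(events, use_regex=False):
    """Apply the search's filters and aggregate like its stats command:
    count, firstTime, lastTime keyed by (target user, event name, actor)."""
    summary = {}
    for ev in events:
        if ev.get("eventName") not in WATCHED_EVENTS:
            continue
        if ev.get("errorCode") != "success" or ev.get("userAgent") == CONSOLE_UA:
            continue
        if not acted_on_other_user(ev, use_regex):
            continue
        key = (ev["requestParameters"]["userName"], ev["eventName"],
               ev["userIdentity"]["userName"])
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        entry = summary.setdefault(key, {"count": 0, "firstTime": ts, "lastTime": ts})
        entry["count"] += 1
        entry["firstTime"] = min(entry["firstTime"], ts)
        entry["lastTime"] = max(entry["lastTime"], ts)
    return summary


if __name__ == "__main__":
    for key, value in find_cross_user_changes(SAMPLE_EVENTS).items():
        print(key, value)
```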

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A (victim A) creates a login profile for user B, followed by an AWS Console login event for user B from the same src_ip as the CreateLoginProfile call. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip.

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`
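The search above extracts the Statement array from the logged policy document and flags Allow statements whose Action is a bare "*" or "<service>:*". The following added example (not Splunk's code) implements that check over constructed CreatePolicyVersion records; it handles Statement and Action as either a single value or a list, evaluates per statement, and reads the policy document as the JSON string CloudTrail records.

```python
"""Wildcard-action check for CreatePolicyVersion events, modelled on the search
above. Added example, not Splunk's code; the events are constructed, not real
CloudTrail data, and use the Splunk-normalised errorCode="success"."""
import json
import re

# Same pattern the search applies: a bare "*" or "<service>:*" (so "s3:Get*" is
# deliberately not matched, as in the original rule).
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def _as_list(value):
    """IAM allows Statement and Action to be a single object/string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_allow_statements(policy_document):
    """Return the Allow statements whose Action contains a wildcard action.

    Evaluated per statement, so an Allow on a narrow action next to a Deny on
    "*" in the same document is not reported. policy_document may be the JSON
    string CloudTrail logs or an already-parsed dict."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    flagged = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if any(WILDCARD_ACTION.match(a) for a in _as_list(stmt.get("Action"))):
            flagged.append(stmt)
    return flagged


def find_overly_permissive_policy_versions(events):
    """Apply the search's event filters, then the per-statement check.
    Returns (actor arn, policyArn, flagged statements) for each hit."""
    hits = []
    for ev in events:
        if ev.get("eventName") != "CreatePolicyVersion":
            continue
        if ev.get("eventSource") != "iam.amazonaws.com" or ev.get("errorCode") != "success":
            continue
        params = ev.get("requestParameters", {})
        flagged = wildcard_allow_statements(params.get("policyDocument", "{}"))
        if flagged:
            hits.append((ev["userIdentity"]["arn"], params.get("policyArn"), flagged))
    return hits


def _event(user, policy, document, error="success"):
    """Build a constructed CreatePolicyVersion record; document is the policy dict."""
    return {"eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com",
            "errorCode": error,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
            "requestParameters": {"policyArn": f"arn:aws:iam::111122223333:policy/{policy}",
                                  # CloudTrail logs the document as a JSON string
                                  "policyDocument": json.dumps(document)}}


def _doc(statement):
    return {"Version": "2012-10-17", "Statement": statement}


# Constructed sample events (not real CloudTrail data).
SAMPLE_EVENTS = [
    _event("alice", "app-read", _doc([{"Effect": "Allow", "Action": "*", "Resource": "*"}])),
    _event("bob", "app-deploy", _doc([{"Effect": "Allow", "Action": ["s3:GetObject", "iam:*"],
                                       "Resource": "*"}])),
    _event("carol", "app-ro", _doc([{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},
                                    {"Effect": "Deny", "Action": "*", "Resource": "*"}])),
    # Statement given as a single object rather than a list
    _event("dave", "app-s3", _doc({"Effect": "Allow", "Action": "s3:*", "Resource": "*"})),
    # failed call, filtered out by errorCode
    _event("erin", "app-read", _doc([{"Effect": "Allow", "Action": "*", "Resource": "*"}]),
           error="AccessDenied"),
]


if __name__ == "__main__":
    for arn, policy_arn, statements in find_overly_permissive_policy_versions(SAMPLE_EVENTS):
        print(arn, policy_arn, statements)
```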

Detect New Open S3 buckets

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket.

Detection logic

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl 
| rex field=_raw "(?<json_field>{.+})" 
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} 
| search grantees=* 
| mvexpand grantees 
| spath input=grantees output=uri path=Grantee.URI 
| spath input=grantees output=permission path=Permission 
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") 
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") 
| rename requestParameters.bucketName AS bucketName 
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_filter` 

Detect New Open S3 Buckets over AWS CLI

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the AWS CLI.

Detection logic

`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") 
| rename requestParameters.bucketName AS bucketName 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_over_aws_cli_filter` 
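The two S3 searches above inspect PutBucketAcl events in their two logged shapes: the parsed AccessControlPolicy body with its Grant list, and the aws-cli form where grants arrive as x-amz-grant-* headers. The following added example (not Splunk's code) applies both checks, looking for the AllUsers and AuthenticatedUsers group URIs with a risky permission, over constructed CloudTrail records; the canonical user IDs are placeholders.

```python
"""Public S3 ACL grant check for PutBucketAcl events, modelled on the two
'Detect New Open S3 buckets' searches above. Added example, not Splunk's code;
the events are constructed (one with the parsed AccessControlPolicy body, one
with the aws-cli x-amz-grant-* header form), not real CloudTrail data."""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTH_USERS}
RISKY_PERMISSIONS = {"READ", "READ_ACP", "WRITE", "WRITE_ACP", "FULL_CONTROL"}
# aws-cli sends grants as request headers; CloudTrail records them under
# requestParameters.accessControlList with these keys.
HEADER_PERMISSIONS = {
    "x-amz-grant-read": "READ",
    "x-amz-grant-read-acp": "READ_ACP",
    "x-amz-grant-write": "WRITE",
    "x-amz-grant-write-acp": "WRITE_ACP",
    "x-amz-grant-full-control": "FULL_CONTROL",
}


def _as_list(value):
    """A single Grant is logged as an object, several as a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_grants(event):
    """Return (grantee URI, permission) pairs that open the bucket to a global group."""
    params = event.get("requestParameters", {})
    found = []
    # Form 1: XML body, parsed by CloudTrail into AccessControlPolicy.
    acl = params.get("AccessControlPolicy", {}).get("AccessControlList", {})
    for grant in _as_list(acl.get("Grant")):
        uri = grant.get("Grantee", {}).get("URI")
        perm = grant.get("Permission")
        if uri in PUBLIC_GRANTEES and perm in RISKY_PERMISSIONS:
            found.append((uri, perm))
    # Form 2: header grants such as "uri=http://.../AllUsers, id=<canonical id>".
    for header, perm in HEADER_PERMISSIONS.items():
        for grantee in params.get("accessControlList", {}).get(header, "").split(","):
            grantee = grantee.strip()
            if grantee.startswith("uri="):
                grantee = grantee[4:]
            if grantee in PUBLIC_GRANTEES:
                found.append((grantee, perm))
    return found


def find_public_bucket_acls(events):
    """Map bucketName -> public grants for PutBucketAcl calls that expose the bucket."""
    exposed = {}
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") != "PutBucketAcl":
            continue
        grants = public_grants(ev)
        if grants:
            exposed[ev["requestParameters"]["bucketName"]] = grants
    return exposed


# Constructed sample events (not real CloudTrail data; canonical IDs are placeholders).
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "team-data", "AccessControlPolicy": {
         "AccessControlList": {"Grant": [
             {"Grantee": {"URI": ALL_USERS}, "Permission": "READ"},
             {"Grantee": {"ID": "CANONICAL-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"}]}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"bucketName": "logs-archive", "accessControlList": {
         "x-amz-grant-read": "uri=" + AUTH_USERS,
         "x-amz-grant-full-control": "id=CANONICAL-ID-PLACEHOLDER"}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol"},
     "requestParameters": {"bucketName": "private-app", "AccessControlPolicy": {
         "AccessControlList": {"Grant": {"Grantee": {"ID": "CANONICAL-ID-PLACEHOLDER"},
                                         "Permission": "FULL_CONTROL"}}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetBucketAcl",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol"},
     "requestParameters": {"bucketName": "team-data"}},
]


if __name__ == "__main__":
    for bucket, grants in find_public_bucket_acls(SAMPLE_EVENTS).items():
        print(bucket, grants)
```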

ASL AWS Defense Evasion Delete Cloudtrail

Description

This analytic identifies AWS DeleteTrail events within CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteTrail 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`

AWS Defense Evasion Stop Logging Cloudtrail

Description

This analytic identifies StopLogging events in CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may easily stop logging.

Detection logic

`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `aws_defense_evasion_stop_logging_cloudtrail_filter`

AWS Defense Evasion Delete Cloudtrail

Description

This analytic identifies AWS DeleteTrail events within CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A wide-open AWS IAM policy, especially one introduced by creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`
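
The wildcard check from the rule above in Python, as an added example that is not part of the LoFP page or the Splunk rule: it applies the same event filters and the same regex to every Allow statement of the policy document, over constructed CreatePolicyVersion records. It generalises the SPL slightly by handling Statement and Action given as either a single value or a list; the record layout follows CloudTrail, where requestParameters.policyDocument is a JSON string.

```python
import json
import re

# Same pattern the SPL rule applies to each statement's Action: a bare "*" or "<service>:*".
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def wildcard_allow_statements(policy_document):
    """Return the Allow statements whose Action contains a wildcard.

    policy_document may be the JSON string CloudTrail stores in
    requestParameters.policyDocument, or an already parsed dict.
    Statement and Action may each be a single value or a list.
    """
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    hits = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue                      # a Deny on "*" restricts rather than grants
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(WILDCARD_ACTION.match(action) for action in actions):
            hits.append(stmt)
    return hits


def detect_wildcard_policy_versions(events):
    """Apply the rule's event filters to CloudTrail records and return one finding per event."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "CreatePolicyVersion" or ev.get("eventSource") != "iam.amazonaws.com":
            continue
        # Raw CloudTrail omits errorCode on success; the Splunk add-on normalises it to "success".
        if ev.get("errorCode", "success") != "success":
            continue
        params = ev.get("requestParameters") or {}
        hits = wildcard_allow_statements(params.get("policyDocument", "{}"))
        if hits:
            findings.append({
                "user_arn": (ev.get("userIdentity") or {}).get("arn"),
                "policyArn": params.get("policyArn"),
                "policy_added": hits,
            })
    return findings


def _event(policy_arn, statements, **extra):
    """Build a constructed CreatePolicyVersion record (sample data, not real)."""
    rec = {
        "eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {
            "policyArn": policy_arn, "setAsDefault": True,
            "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": statements}),
        },
    }
    rec.update(extra)
    return rec


SAMPLE_EVENTS = [
    _event("arn:aws:iam::123456789012:policy/app-admin",
           [{"Effect": "Allow", "Action": "*", "Resource": "*"}]),                        # fires
    _event("arn:aws:iam::123456789012:policy/iam-wide",
           [{"Effect": "Allow", "Action": ["iam:*", "s3:GetObject"], "Resource": "*"}]),  # fires
    _event("arn:aws:iam::123456789012:policy/scoped",
           [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::logs/*"}]),
    _event("arn:aws:iam::123456789012:policy/deny-all",
           [{"Effect": "Deny", "Action": "*", "Resource": "*"}]),                         # Deny: no finding
    _event("arn:aws:iam::123456789012:policy/failed",
           [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
           errorCode="AccessDenied"),                                                     # call failed
]


if __name__ == "__main__":
    for finding in detect_wildcard_policy_versions(SAMPLE_EVENTS):
        print(json.dumps(finding, indent=2))
```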

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the old victim (user A).

Detection logic

`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A who has already permission to update login profile, makes an API call to update login profile for another user B . Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B)

Detection logic

 `cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_createaccesskey_filter`
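The UpdateLoginProfile and CreateAccessKey searches above share one core test: the identity making the call is not the user named in the request. The following is an added example, not part of the Splunk content, that runs that test over constructed raw CloudTrail records; it assumes raw CloudTrail JSON, where a successful call simply has no errorCode (the searches' `errorCode = success` clause depends on that field being normalised at ingest), and it compares names exactly rather than with SPL match(), which would treat the target name as a regular expression.

```python
import json
from typing import Any, Dict, Iterable, List

# Constructed sample CloudTrail records (not real events); only the fields the
# two searches above consume are populated.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"eventName": "UpdateLoginProfile", "userAgent": "aws-cli/2.13.0",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"userName": "alice"},
     "requestParameters": {"userName": "alice"}},        # self-service: ignore
    {"eventName": "UpdateLoginProfile", "userAgent": "aws-cli/2.13.0",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"userName": "alice"},
     "requestParameters": {"userName": "bob-admin"}},    # cross-user: flag
    {"eventName": "CreateAccessKey", "userAgent": "console.amazonaws.com",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "carol"},
     "requestParameters": {"userName": "dave"}},         # console: excluded by the search
    {"eventName": "CreateAccessKey", "userAgent": "Boto3/1.28.0",
     "errorCode": "AccessDenied", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "carol"},
     "requestParameters": {"userName": "dave"}},         # failed call: ignore
    {"eventName": "CreateAccessKey", "userAgent": "Boto3/1.28.0",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "carol"},
     "requestParameters": {"userName": "dave"}},         # cross-user: flag
    {"eventName": "CreateAccessKey", "userAgent": "Boto3/1.28.0",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "carol"},
     "requestParameters": None},                         # no UserName: key for the caller
]

WATCHED_EVENTS = {"UpdateLoginProfile", "CreateAccessKey"}


def is_cross_user_credential_change(event: Dict[str, Any]) -> bool:
    """Mirror of the searches' filter: watched eventName, non-console userAgent,
    successful call, actor != target. Raw CloudTrail omits errorCode on success,
    which is what the Splunk-side `errorCode = success` clause represents."""
    if event.get("eventName") not in WATCHED_EVENTS:
        return False
    if event.get("userAgent") == "console.amazonaws.com":
        return False
    if event.get("errorCode"):
        return False
    actor = (event.get("userIdentity") or {}).get("userName")
    # UserName is optional on these IAM calls and defaults to the caller, so a
    # missing target is self-service rather than a cross-user change.
    target = (event.get("requestParameters") or {}).get("userName")
    if not actor or not target:
        return False
    # Exact comparison instead of SPL match(): match() treats the target name as
    # a regex, so actor "alice-admin" would "match" target "alice" and the event
    # would be dropped from the results.
    return actor != target


def find_cross_user_changes(events: Iterable[Dict[str, Any]]) -> List[Dict[str, str]]:
    """One summary row per flagged event, with the fields an analyst triages on."""
    rows = []
    for ev in events:
        if is_cross_user_credential_change(ev):
            rows.append({
                "eventName": ev["eventName"],
                "actor": ev["userIdentity"]["userName"],
                "target": ev["requestParameters"]["userName"],
                "src": ev.get("sourceIPAddress", ""),
                "userAgent": ev.get("userAgent", ""),
            })
    return rows


if __name__ == "__main__":
    for row in find_cross_user_changes(SAMPLE_EVENTS):
        print(json.dumps(row))
```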

Detect New Open S3 buckets

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket.

Detection logic

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl 
| rex field=_raw "(?<json_field>{.+})" 
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} 
| search grantees=* 
| mvexpand grantees 
| spath input=grantees output=uri path=Grantee.URI 
| spath input=grantees output=permission path=Permission 
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") 
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") 
| rename requestParameters.bucketName AS bucketName 
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_filter` 

Detect New Open S3 Buckets over AWS CLI

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the AWS CLI.

Detection logic

`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") 
| rename requestParameters.bucketName AS bucketName 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_over_aws_cli_filter` 
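The two open-bucket searches above handle the two shapes a PutBucketAcl request can take in CloudTrail: a full AccessControlPolicy body, and the x-amz-grant-* headers the AWS CLI writes for its --grant-* options. This added example (not part of the Splunk content) extracts public grants from constructed events of both shapes with one function; it goes slightly beyond the CLI search by also filtering on x-amz-grant-read, which that search reports but does not filter on, and the header value format it parses (`uri=...`, quotes optional, comma separated) is an assumption.

```python
from typing import Any, Dict, Iterable, List, Tuple

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
RISKY_PERMISSIONS = {"READ", "READ_ACP", "WRITE", "WRITE_ACP", "FULL_CONTROL"}

# Header written by the CLI's --grant-* options -> ACL permission it confers.
HEADER_PERMISSION = {
    "x-amz-grant-read": "READ",
    "x-amz-grant-read-acp": "READ_ACP",
    "x-amz-grant-write": "WRITE",
    "x-amz-grant-write-acp": "WRITE_ACP",
    "x-amz-grant-full-control": "FULL_CONTROL",
}

Grant = Tuple[str, str, str]  # (bucket, grantee URI, permission)

# Constructed sample events, not real CloudTrail records.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # ACL body with one private grant and one public READ grant
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "requestParameters": {
            "bucketName": "constructed-bucket-a",
            "AccessControlPolicy": {"AccessControlList": {"Grant": [
                {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
                 "Permission": "FULL_CONTROL"},
                {"Grantee": {"Type": "Group",
                             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                 "Permission": "READ"},
            ]}}}},
    {   # CLI --grant-* form, recorded as x-amz-grant-* headers
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "userAgent": "[aws-cli/2.13.0 Python/3.11.4]",
        "requestParameters": {
            "bucketName": "constructed-bucket-b",
            "accessControlList": {
                "x-amz-grant-read-acp": 'uri="http://acs.amazonaws.com/groups/global/AllUsers"',
                "x-amz-grant-write": "uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
            }}},
    {   # grant to one account only: nothing public
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "requestParameters": {
            "bucketName": "constructed-bucket-c",
            "accessControlList": {"x-amz-grant-read": "id=ACCOUNT-ID-PLACEHOLDER"}}},
]


def public_grants(event: Dict[str, Any]) -> List[Grant]:
    """Public grants in one PutBucketAcl event, in either request form."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") != "PutBucketAcl":
        return []
    params = event.get("requestParameters") or {}
    bucket = params.get("bucketName", "")
    found: List[Grant] = []

    # Form 1: AccessControlPolicy body. A single grant may be a dict, not a list.
    acl = (params.get("AccessControlPolicy") or {}).get("AccessControlList") or {}
    grants = acl.get("Grant") or []
    if isinstance(grants, dict):
        grants = [grants]
    for grant in grants:
        uri = (grant.get("Grantee") or {}).get("URI")
        perm = grant.get("Permission")
        if uri in PUBLIC_GRANTEES and perm in RISKY_PERMISSIONS:
            found.append((bucket, uri, perm))

    # Form 2: x-amz-grant-* headers; value like 'uri="http://acs.amazonaws.com/groups/global/AllUsers"',
    # possibly several grantees comma separated, quotes optional (assumed format).
    headers = params.get("accessControlList") or {}
    for header, perm in HEADER_PERMISSION.items():
        for grantee in (headers.get(header) or "").split(","):
            grantee = grantee.strip()
            if grantee.startswith("uri="):
                grantee = grantee[len("uri="):].strip('"')
            if grantee in PUBLIC_GRANTEES:
                found.append((bucket, grantee, perm))
    return found


def scan_events(events: Iterable[Dict[str, Any]]) -> List[Grant]:
    """All public grants across a batch of events, in event order."""
    return [g for ev in events for g in public_grants(ev)]


if __name__ == "__main__":
    for bucket, uri, perm in scan_events(SAMPLE_EVENTS):
        print(f"{bucket}: {perm} granted to {uri}")
```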

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `aws_create_policy_version_to_allow_all_resources_filter`
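The search above pulls the policy document out of the CreatePolicyVersion request, keeps Allow statements, and matches their Action against the pattern `^(\*|[\w-]+:\*)$`. This added example (not part of the Splunk content) applies the same pattern to constructed events, handling the cases the JSON shape allows: Statement and Action as a single value or a list, a Deny statement that must not be flagged, and a failed call that is ignored; as with the search, partial wildcards such as ec2:Describe* are not matched. The policy ARN and account id are constructed placeholders.

```python
import json
import re
from typing import Any, Dict, Iterable, List

# Same pattern as the search: a bare "*" or a whole-service wildcard such as
# "iam:*". Partial wildcards like "ec2:Describe*" are deliberately not matched.
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")

# Constructed sample events, not real CloudTrail records.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # new version grants iam:* next to a narrowly scoped action
        "eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
        "userIdentity": {"userName": "alice"},
        "requestParameters": {
            "policyArn": "arn:aws:iam::123456789012:policy/constructed-policy",
            "setAsDefault": True,
            "policyDocument": json.dumps({
                "Version": "2012-10-17",
                "Statement": [
                    {"Effect": "Allow", "Action": "s3:GetObject",
                     "Resource": "arn:aws:s3:::constructed-bucket/*"},
                    {"Effect": "Allow", "Action": ["iam:*", "ec2:Describe*"],
                     "Resource": "*"},
                ]})}},
    {   # single Deny statement with "*": not an Allow, so not flagged
        "eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
        "userIdentity": {"userName": "alice"},
        "requestParameters": {
            "policyArn": "arn:aws:iam::123456789012:policy/constructed-deny",
            "policyDocument": json.dumps({
                "Version": "2012-10-17",
                "Statement": {"Effect": "Deny", "Action": "*", "Resource": "*"}})}},
    {   # wide-open document, but the call failed: ignored like the search does
        "eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
        "errorCode": "AccessDenied",
        "userIdentity": {"userName": "bob"},
        "requestParameters": {
            "policyArn": "arn:aws:iam::123456789012:policy/constructed-open",
            "policyDocument": json.dumps({
                "Version": "2012-10-17",
                "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}})}},
]


def _as_list(value: Any) -> List[Any]:
    """IAM accepts Statement and Action as either a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_actions(event: Dict[str, Any]) -> List[str]:
    """Wildcard actions granted by Allow statements of one successful
    CreatePolicyVersion event. CloudTrail stores policyDocument as a JSON
    string, so it is parsed here before the statements are walked."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return []
    if event.get("eventName") != "CreatePolicyVersion" or event.get("errorCode"):
        return []
    doc = (event.get("requestParameters") or {}).get("policyDocument")
    if isinstance(doc, str):
        try:
            doc = json.loads(doc)
        except json.JSONDecodeError:
            return []
    hits: List[str] = []
    for stmt in _as_list((doc or {}).get("Statement")):
        if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
            continue
        hits.extend(a for a in _as_list(stmt.get("Action"))
                    if isinstance(a, str) and WILDCARD_ACTION.match(a))
    return hits


def scan_events(events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One row per event that introduced at least one wildcard Allow action."""
    rows = []
    for ev in events:
        actions = wildcard_actions(ev)
        if actions:
            rows.append({"policyArn": (ev.get("requestParameters") or {}).get("policyArn"),
                         "user": (ev.get("userIdentity") or {}).get("userName"),
                         "wildcard_actions": actions})
    return rows


if __name__ == "__main__":
    for row in scan_events(SAMPLE_EVENTS):
        print(json.dumps(row))
```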

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `asl_aws_createaccesskey_filter`
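Most of the Security Lake search above is plumbing: the CloudTrail fields OCSF does not map (here responseElements.accessKey.userName) arrive as an `unmapped` list of key/value pairs, and the rename/mvzip/mvexpand/rex/eval chain promotes them to ordinary fields before the actor-versus-owner comparison. This added example (not part of the Splunk content) does that flattening on a constructed record and then applies the same exact-match comparison; the record layout, with `unmapped` as a list of `{key, value}` objects and the identity fields under `identity.user`, follows the field names the search uses and is an assumption.

```python
from typing import Any, Dict

# Constructed OCSF-style record, not a real Security Lake row.
SAMPLE_RECORD: Dict[str, Any] = {
    "api": {"operation": "CreateAccessKey",
            "service": {"name": "iam.amazonaws.com"},
            "response": {"error": None}},
    "http_request": {"user_agent": "aws-cli/2.13.0"},
    "identity": {"user": {"name": "alice", "type": "IAMUser",
                          "uid": "arn:aws:iam::123456789012:user/alice"}},
    "src_endpoint": {"ip": "203.0.113.10"},
    "cloud": {"region": "us-east-1"},
    "unmapped": [
        {"key": "requestParameters.userName", "value": "bob-admin"},
        {"key": "responseElements.accessKey.userName", "value": "bob-admin"},
        {"key": "responseElements.accessKey.status", "value": "Active"},
    ],
}

# Same caller creating a key for themselves: the owner field equals the actor.
SELF_SERVICE_RECORD: Dict[str, Any] = {
    **SAMPLE_RECORD,
    "unmapped": [{"key": "responseElements.accessKey.userName", "value": "alice"}],
}


def flatten_unmapped(record: Dict[str, Any]) -> Dict[str, Any]:
    """Promote OCSF `unmapped` key/value pairs to top-level fields, which is what
    the search's rename/mvzip/mvexpand/rex/eval chain does in SPL. The keys keep
    their dotted CloudTrail names, e.g. "responseElements.accessKey.userName"."""
    flat = dict(record)
    for pair in record.get("unmapped") or []:
        key = pair.get("key")
        if key:
            flat[key] = pair.get("value")
    return flat


def is_cross_user_access_key(record: Dict[str, Any]) -> bool:
    """CreateAccessKey outside the console, no API error, and the new key's owner
    (from the unmapped responseElements) differs from the calling identity."""
    flat = flatten_unmapped(record)
    api = flat.get("api") or {}
    if api.get("operation") != "CreateAccessKey":
        return False
    if (flat.get("http_request") or {}).get("user_agent") == "console.amazonaws.com":
        return False
    if (api.get("response") or {}).get("error"):
        return False
    actor = ((flat.get("identity") or {}).get("user") or {}).get("name")
    owner = flat.get("responseElements.accessKey.userName")
    # Exact comparison, as the ASL search does with `=`; a missing owner field
    # means the record carried no response element to compare against.
    return bool(actor and owner and actor != owner)


if __name__ == "__main__":
    flat = flatten_unmapped(SAMPLE_RECORD)
    print("key owner:", flat.get("responseElements.accessKey.userName"))
    print("cross-user:", is_cross_user_access_key(SAMPLE_RECORD))
```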

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A who has already permission to update login profile, makes an API call to update login profile for another user B . Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B)

Detection logic

 `cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`
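The join above, replayed in Python over constructed CloudTrail-style records as an added example (not part of the original rule set): a CreateLoginProfile for user B followed by a ConsoleLogin as user B from the same source IP. The 24-hour window is an added assumption; the SPL join has no time bound.

```python
from datetime import datetime, timedelta

# Constructed sample events in CloudTrail's field layout (not real data).
SAMPLE_EVENTS = [
    {"eventName": "CreateLoginProfile", "eventTime": "2024-01-01T10:00:00Z",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "victim-a"},
     "requestParameters": {"userName": "user-b"}},
    {"eventName": "ConsoleLogin", "eventTime": "2024-01-01T10:03:00Z",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "user-b"}},
    # Same creation pattern, but user-d logs in from a different IP: no hit.
    {"eventName": "CreateLoginProfile", "eventTime": "2024-01-01T11:00:00Z",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"userName": "admin-c"},
     "requestParameters": {"userName": "user-d"}},
    {"eventName": "ConsoleLogin", "eventTime": "2024-01-01T11:30:00Z",
     "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"userName": "user-d"}},
]


def _event_time(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def correlate_login_profile(events, window=timedelta(hours=24)):
    """Return one tuple (creator, new_profile_user, src_ip, login_time) per hit.

    A hit is a CreateLoginProfile for user B followed, within `window`, by a
    ConsoleLogin as user B from the same source IP; (new_login_profile, src_ip)
    is the join key the SPL uses. The time window is an added assumption.
    """
    creations = [e for e in events if e.get("eventName") == "CreateLoginProfile"]
    logins = [e for e in events if e.get("eventName") == "ConsoleLogin"]
    hits = []
    for created in creations:
        new_user = created["requestParameters"]["userName"]
        for login in logins:
            if login["userIdentity"].get("userName") != new_user:
                continue
            if login["sourceIPAddress"] != created["sourceIPAddress"]:
                continue
            # Only a login that follows the profile creation counts.
            delta = _event_time(login) - _event_time(created)
            if timedelta(0) <= delta <= window:
                hits.append((created["userIdentity"]["userName"], new_user,
                             created["sourceIPAddress"], login["eventTime"]))
    return hits


if __name__ == "__main__":
    for hit in correlate_login_profile(SAMPLE_EVENTS):
        print("possible privilege escalation:", hit)
```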

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A wide-open AWS IAM policy, especially one introduced as a new policy version through the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`
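The statement check above in Python, as an added example rather than the project's own code: it applies the rule's event filters and the same Action regex to the policyDocument carried in the CreatePolicyVersion request. It goes slightly beyond the SPL by handling Statement and Action given as either a single value or a list; treating a missing errorCode as success is an assumption about how CloudTrail records successful calls.

```python
import json
import re

# Same pattern the SPL applies to the statement's Action: a bare "*" or a
# service-wide wildcard such as "iam:*" or "s3:*".
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def wildcard_allow_statements(policy_document):
    """Return the Allow statements whose Action contains a wildcard.

    `policy_document` is the requestParameters.policyDocument value, which
    CloudTrail records as a JSON string. IAM policy JSON allows Statement and
    Action to be a single value or a list, so both shapes are handled.
    """
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    flagged = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(WILDCARD_ACTION.match(a) for a in actions):
            flagged.append(stmt)
    return flagged


def risky_policy_versions(events):
    """Apply the rule's event filters, then the statement check, to CloudTrail records.

    Assumption: a successful CloudTrail record carries no errorCode field, so a
    missing errorCode is treated like the SPL's normalized errorCode=success.
    """
    hits = []
    for event in events:
        if event.get("eventName") != "CreatePolicyVersion":
            continue
        if event.get("eventSource") != "iam.amazonaws.com":
            continue
        if event.get("errorCode", "success") != "success":
            continue
        params = event.get("requestParameters", {})
        flagged = wildcard_allow_statements(params.get("policyDocument", "{}"))
        if flagged:
            hits.append({"user_arn": event.get("userIdentity", {}).get("arn"),
                         "policy_arn": params.get("policyArn"),
                         "policy_added": flagged})
    return hits


# Constructed sample events (not real CloudTrail data).
SAMPLE_EVENTS = [
    {"eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev-user"},
     "requestParameters": {
         "policyArn": "arn:aws:iam::111111111111:policy/app-policy",
         "setAsDefault": True,
         "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
             {"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
    {"eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops-user"},
     "requestParameters": {
         "policyArn": "arn:aws:iam::111111111111:policy/ops-policy",
         "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
             {"Effect": "Allow", "Action": ["s3:GetObject", "iam:*"], "Resource": "*"},
             {"Effect": "Deny", "Action": "*", "Resource": "*"}]})}},
    {"eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/reader"},
     "requestParameters": {
         "policyArn": "arn:aws:iam::111111111111:policy/read-only",
         "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": {
             "Effect": "Allow", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::example-bucket/*"}})}},
]

if __name__ == "__main__":
    for hit in risky_policy_versions(SAMPLE_EVENTS):
        print(hit["user_arn"], "added wildcard Allow to", hit["policy_arn"])
```

Like the SPL, this checks only Action; an Allow statement written with NotAction can be just as broad and is not caught here.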

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the old victim (user A).

Detection logic

`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`

Detect New Open S3 buckets

Description

This search looks for AWS CloudTrail events where a user has made an S3 bucket open/public by putting a bucket ACL that grants access to the AllUsers or AuthenticatedUsers group.

Detection logic

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl 
| rex field=_raw "(?<json_field>{.+})" 
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} 
| search grantees=* 
| mvexpand grantees 
| spath input=grantees output=uri path=Grantee.URI 
| spath input=grantees output=permission path=Permission 
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") 
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") 
| rename requestParameters.bucketName AS bucketName 
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_filter` 

Detect New Open S3 Buckets over AWS CLI

Description

This search looks for AWS CloudTrail events where a user has made an S3 bucket open/public over the AWS CLI, using the x-amz-grant-* ACL headers to grant access to the AllUsers or AuthenticatedUsers group.

Detection logic

`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") 
| rename requestParameters.bucketName AS bucketName 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_over_aws_cli_filter` 
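One Python check serving both S3 rules above (the ACL-body form and the AWS CLI header form), as an added example and not the project's own code: it flags PutBucketAcl events that grant a risky permission to AllUsers or AuthenticatedUsers. The 'uri=...' value format of the x-amz-grant-* headers and the shape of the sample events are assumptions.

```python
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
RISKY_PERMISSIONS = {"READ", "READ_ACP", "WRITE", "WRITE_ACP", "FULL_CONTROL"}

# Header-style grants used by CLI/SDK requests, mapped to the ACL permission each confers.
GRANT_HEADERS = {
    "x-amz-grant-read": "READ",
    "x-amz-grant-read-acp": "READ_ACP",
    "x-amz-grant-write": "WRITE",
    "x-amz-grant-write-acp": "WRITE_ACP",
    "x-amz-grant-full-control": "FULL_CONTROL",
}


def public_acl_grants(event):
    """Return (bucket, grantee_uri, permission) for each public grant in a PutBucketAcl event.

    Covers both shapes the two rules look at: the ACL document in the request
    body (requestParameters.AccessControlPolicy.AccessControlList.Grant) and
    the x-amz-grant-* request headers (requestParameters.accessControlList).
    """
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") != "PutBucketAcl":
        return []
    params = event.get("requestParameters", {})
    bucket = params.get("bucketName")
    hits = []

    # Shape 1: full ACL document in the request body.
    grants = (params.get("AccessControlPolicy", {})
              .get("AccessControlList", {})
              .get("Grant", []))
    if isinstance(grants, dict):  # a single grant may be logged as an object, not a list
        grants = [grants]
    for grant in grants:
        uri = grant.get("Grantee", {}).get("URI")
        permission = grant.get("Permission")
        if uri in PUBLIC_GRANTEE_URIS and permission in RISKY_PERMISSIONS:
            hits.append((bucket, uri, permission))

    # Shape 2: grant headers. Each value is assumed to be a comma-separated
    # list of grantee specs such as 'uri=http://acs.amazonaws.com/groups/global/AllUsers',
    # which is what the SPL's "*AllUsers" / "*AuthenticatedUsers" wildcards match.
    for header, permission in GRANT_HEADERS.items():
        value = params.get("accessControlList", {}).get(header, "")
        for spec in value.split(","):
            spec = spec.strip()
            if spec.startswith("uri=") and spec[4:] in PUBLIC_GRANTEE_URIS:
                hits.append((bucket, spec[4:], permission))
    return hits


def is_aws_cli(event):
    """The CLI rule's user-agent test: userAgent begins with 'aws-cli' or '[aws-cli'."""
    agent = event.get("userAgent", "")
    return agent.startswith("aws-cli") or agent.startswith("[aws-cli")


# Constructed sample events (not real CloudTrail data).
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userAgent": "[S3Console/0.4]",
     "requestParameters": {"bucketName": "example-public",
         "AccessControlPolicy": {"AccessControlList": {"Grant": [
             {"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
              "Permission": "READ"},
             {"Grantee": {"ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}]}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6",
     "requestParameters": {"bucketName": "example-cli",
         "accessControlList": {
             "x-amz-grant-write": "uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6",
     "requestParameters": {"bucketName": "example-private",
         "accessControlList": {"x-amz-grant-read": "id=owner-canonical-id"}}},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        for bucket, uri, permission in public_acl_grants(event):
            print(f"{bucket}: {permission} granted to {uri} (cli={is_aws_cli(event)})")
```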

ASL AWS Defense Evasion Delete Cloudtrail

Description

This analytic identifies AWS DeleteTrail events within CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has sufficient permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteTrail 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`

AWS Defense Evasion Stop Logging Cloudtrail

Description

This analytic identifies StopLogging events in CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has sufficient permissions in the compromised AWS environment, they may easily stop logging.

Detection logic

`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `aws_defense_evasion_stop_logging_cloudtrail_filter`

AWS Defense Evasion Delete Cloudtrail

Description

This analytic identifies AWS DeleteTrail events within CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has sufficient permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`

AWS Lambda UpdateFunctionCode

Description

This analytic is designed to detect IAM users attempting to update/modify AWS Lambda function code via the AWS CLI to gain persistence, further access into your AWS environment, and to facilitate planting backdoors. In this instance, an attacker may upload malicious code or a binary to a Lambda function, which will be executed automatically whenever the function is triggered.

Detection logic

`cloudtrail` eventSource=lambda.amazonaws.com eventName=UpdateFunctionCode*  errorCode = success  user_type=IAMUser 
| stats  count min(_time) as firstTime max(_time) as lastTime  values(requestParameters.functionName) as function_updated by src_ip user_arn user_agent user_type eventName aws_account_id 
|`aws_lambda_updatefunctioncode_filter`

AWS Defense Evasion Update Cloudtrail

Description

This analytic identifies UpdateTrail events in CloudTrail logs. Attackers may evade logging by updating a trail's settings with parameters that impair it. For example, attackers may change a multi-region trail into a single-region trail, which stops logging for the other regions. When the adversary has sufficient permissions in the compromised AWS environment, they may update the settings of the CloudTrail trail that is logging activities in your environment.

Detection logic

`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the old victim (user A).

Detection logic

`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate to AWS services without any further interaction, they are particularly appealing to bad actors looking to operate under the radar. Consequently, it is important to monitor and scrutinize access key creation events, especially when they are associated with unusual activity or are created by users who do not typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_createaccesskey_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A (victim A) creates a login profile for user B, followed by an AWS Console login event by user B from the same src_ip as the CreateLoginProfile call. This correlated event can be indicative of privilege escalation, since both events happened from the same src_ip.

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`
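The UpdateLoginProfile and CreateAccessKey rules above share one idea (the caller acts on a different IAM user than itself), and the CreateLoginProfile rule adds a second (the targeted user then logs in to the console from the IP that issued the call). The block below is an added example, not code from the LoFP page or from the Splunk rules it quotes, that re-implements both checks in Python over a small set of constructed CloudTrail records so the filters can be read without Splunk. Function names (`cross_user_iam_changes`, `login_profile_then_console_login`) and every record in `EVENTS` are my own; the correlation function adds a time order and window that the Splunk join does not enforce.

```python
"""Added example (not the LoFP page's or Splunk's code): re-implements, over a
small constructed set of CloudTrail records, the two IAM privilege-escalation
checks quoted above: (1) CreateAccessKey / UpdateLoginProfile where the caller
and the target user differ, and (2) CreateLoginProfile for user B followed by a
ConsoleLogin by B from the same source IP."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed CloudTrail records (trimmed to the fields the checks use); not real data.
# CloudTrail omits errorCode on success, which the Splunk rules see as errorCode=success.
EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "CreateAccessKey",
     "userAgent": "aws-cli/2.15.0", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"userName": "dev-alice"},
     "requestParameters": {"userName": "admin-bob"}},            # cross-user: flagged
    {"eventTime": "2024-05-01T10:01:00Z", "eventName": "CreateAccessKey",
     "userAgent": "aws-cli/2.15.0", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"userName": "dev-alice"},
     "requestParameters": {"userName": "dev-alice"}},            # self-service: not flagged
    {"eventTime": "2024-05-01T10:02:00Z", "eventName": "UpdateLoginProfile",
     "userAgent": "console.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "helpdesk-carol"},
     "requestParameters": {"userName": "admin-bob"}},            # console: excluded by the rules
    {"eventTime": "2024-05-01T10:03:00Z", "eventName": "UpdateLoginProfile",
     "userAgent": "aws-cli/2.15.0", "errorCode": "AccessDenied",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"userName": "dev-alice"},
     "requestParameters": {"userName": "admin-bob"}},            # failed call: not flagged
    {"eventTime": "2024-05-01T10:04:00Z", "eventName": "CreateLoginProfile",
     "userAgent": "aws-cli/2.15.0", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"userName": "dev-alice"},
     "requestParameters": {"userName": "admin-bob"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventName": "ConsoleLogin",
     "userAgent": "Mozilla/5.0", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"userName": "admin-bob"}},                 # same IP as the create: correlated
    {"eventTime": "2024-05-01T11:30:00Z", "eventName": "ConsoleLogin",
     "userAgent": "Mozilla/5.0", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "admin-bob"}},                 # different IP: not correlated
]

CROSS_USER_EVENTS = {"CreateAccessKey", "UpdateLoginProfile"}


def _succeeded(ev):
    return ev.get("errorCode", "success") == "success"


def _event_time(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def cross_user_iam_changes(events):
    """Mirror the match=0 filter: successful, non-console CreateAccessKey or
    UpdateLoginProfile calls where the caller acts on a different IAM user.
    Returns (caller, target, eventName, sourceIPAddress) tuples."""
    hits = []
    for ev in events:
        if ev.get("eventName") not in CROSS_USER_EVENTS or not _succeeded(ev):
            continue
        if ev.get("userAgent") == "console.amazonaws.com":
            continue
        caller = ev.get("userIdentity", {}).get("userName")
        target = ev.get("requestParameters", {}).get("userName")
        # Exact comparison. The Splunk rules use match(), a regex test, so a caller
        # named "bob" acting on "bob-admin" would count as a self-change there.
        if caller and target and caller != target:
            hits.append((caller, target, ev["eventName"], ev.get("sourceIPAddress")))
    return hits


def login_profile_then_console_login(events, window_seconds=3600):
    """Mirror the join on new_login_profile and src_ip: a ConsoleLogin by user B from
    the same source IP as a successful CreateLoginProfile that targeted B. The time
    order and window are added here; the Splunk join does not enforce them."""
    created = defaultdict(list)  # (target user, src ip) -> [(time, caller)]
    for ev in events:
        if ev.get("eventName") == "CreateLoginProfile" and _succeeded(ev):
            key = (ev.get("requestParameters", {}).get("userName"), ev.get("sourceIPAddress"))
            created[key].append((_event_time(ev), ev.get("userIdentity", {}).get("userName")))
    hits = []
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        key = (ev.get("userIdentity", {}).get("userName"), ev.get("sourceIPAddress"))
        login_time = _event_time(ev)
        for created_time, caller in created.get(key, []):
            if 0 <= (login_time - created_time).total_seconds() <= window_seconds:
                hits.append({"caller": caller, "target": key[0], "src_ip": key[1],
                             "created_at": created_time.isoformat(),
                             "login_at": login_time.isoformat()})
    return hits


if __name__ == "__main__":
    for hit in cross_user_iam_changes(EVENTS):
        print("cross-user IAM change:", hit)
    for hit in login_profile_then_console_login(EVENTS):
        print("login profile then console login:", hit)
```

Two points the rewrite makes visible: the Splunk rules compare caller and target with `match()`, which is a regex test rather than an equality test, so a target name that contains the caller's name is silently treated as a self-change; and the CreateLoginProfile join keys only on user name and source IP, so a console login from the same NAT address a day later would still correlate, which is why the example bounds the window.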

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade logging by deleting the log group in CloudWatch, which stops logs and metrics from being sent to CloudWatch. When the adversary has the right permissions within the compromised AWS environment, they may delete the CloudWatch log group that records activity in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade logging by deleting the log group in CloudWatch, which stops logs and metrics from being sent to CloudWatch. When the adversary has the right permissions within the compromised AWS environment, they may delete the CloudWatch log group that records activity in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A wide-open AWS IAM policy, especially one introduced by creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `aws_create_policy_version_to_allow_all_resources_filter`
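The rule above has to unpack `requestParameters.policyDocument`, which CloudTrail records as a JSON string, pull each statement out of `Statement{}`, and test the `Action` values against `^(\*|[\w-]+:\*)$`. The block below is an added example, not code from the LoFP page or from Splunk, that applies the same pattern to constructed CreatePolicyVersion records in Python and normalises the two shapes IAM accepts (a single statement or action as a bare value, or a list). Function names (`wildcard_allow_statements`, `check_create_policy_version`) and all sample policies and ARNs are my own.

```python
"""Added example (not the LoFP page's or Splunk's code): flags Allow statements in a
CreatePolicyVersion policy document whose Action is "*" or "service:*", the same
regex the Splunk rule applies. Policy documents and the event are constructed."""
import json
import re

# Same pattern as the Splunk rule: a bare "*" or a service-wide wildcard such as "iam:*".
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def _as_list(value):
    # IAM accepts Statement and Action as a single value or as a list; treat both alike.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_allow_statements(policy_document):
    """Return the Allow statements containing at least one wildcard Action.
    policy_document may be the JSON string CloudTrail logs or an already-parsed dict."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    flagged = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a for a in _as_list(stmt.get("Action")) if WILDCARD_ACTION.match(a)]
        if actions:
            flagged.append({"actions": actions, "resource": stmt.get("Resource")})
    return flagged


def check_create_policy_version(event):
    """Apply the rule's gating to one CloudTrail record: CreatePolicyVersion from
    iam.amazonaws.com that succeeded (CloudTrail omits errorCode on success),
    then inspect its policy document."""
    if event.get("eventName") != "CreatePolicyVersion":
        return []
    if event.get("eventSource") != "iam.amazonaws.com":
        return []
    if event.get("errorCode", "success") != "success":
        return []
    return wildcard_allow_statements(event["requestParameters"]["policyDocument"])


# Constructed policy documents, stored as JSON strings the way CloudTrail logs them.
BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]})
SERVICE_WILDCARD = json.dumps({"Version": "2012-10-17", "Statement":
    {"Effect": "Allow", "Action": ["s3:GetObject", "iam:*"], "Resource": "*"}})
NARROW_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*"}]})   # Deny with "*" is not flagged

# Constructed CloudTrail record (trimmed to the fields the check uses); not real data.
SAMPLE_EVENT = {
    "eventName": "CreatePolicyVersion",
    "eventSource": "iam.amazonaws.com",
    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
    "requestParameters": {
        "policyArn": "arn:aws:iam::123456789012:policy/app-policy",
        "policyDocument": BROAD_POLICY,
        "setAsDefault": True,
    },
}

if __name__ == "__main__":
    for name, doc in [("broad", BROAD_POLICY), ("service", SERVICE_WILDCARD), ("narrow", NARROW_POLICY)]:
        print(name, wildcard_allow_statements(doc))
    print("event:", check_create_policy_version(SAMPLE_EVENT))
```

As in the Splunk rule, only `Action` is inspected: a statement that allows `iam:*` on a single policy ARN is flagged just like one on `Resource: "*"`, so a reviewer still has to read the `resource` field of each hit before treating it as an "all resources" grant.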

Detect New Open S3 buckets

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket.

Detection logic

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl 
| rex field=_raw "(?<json_field>{.+})" 
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} 
| search grantees=* 
| mvexpand grantees 
| spath input=grantees output=uri path=Grantee.URI 
| spath input=grantees output=permission path=Permission 
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") 
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") 
| rename requestParameters.bucketName AS bucketName 
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_filter` 

Detect New Open S3 Buckets over AWS CLI

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket using the AWS CLI.

Detection logic

`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") 
| rename requestParameters.bucketName AS bucketName 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_over_aws_cli_filter` 
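The two S3 rules above look at the same API call (PutBucketAcl) in two request shapes: the full `AccessControlPolicy` body with its `Grant{}` list, and the `x-amz-grant-*` parameters the AWS CLI's `--grant-*` options produce. The block below is an added example, not code from the LoFP page or from Splunk, that evaluates both shapes in Python against constructed CloudTrail records and reports grants to the AllUsers and AuthenticatedUsers groups. The function name `public_grants`, the bucket names and the canonical-user ID are my own.

```python
"""Added example (not the LoFP page's or Splunk's code): finds public grants in a
PutBucketAcl CloudTrail record, covering both the AccessControlPolicy body the
first rule parses and the aws-cli x-amz-grant-* parameters the second rule
matches. All records below are constructed."""

# Group URIs the first rule searches for, keyed by the short name used in reports.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
PUBLIC_GROUP_NAMES = ("AllUsers", "AuthenticatedUsers")   # suffixes the CLI rule matches
RISKY_PERMISSIONS = {"READ", "READ_ACP", "WRITE", "WRITE_ACP", "FULL_CONTROL"}
# CLI grant parameters, mapped to the permission each one confers.
GRANT_PARAMS = {
    "x-amz-grant-read": "READ",
    "x-amz-grant-read-acp": "READ_ACP",
    "x-amz-grant-write": "WRITE",
    "x-amz-grant-write-acp": "WRITE_ACP",
    "x-amz-grant-full-control": "FULL_CONTROL",
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_grants(event):
    """Return (bucket, group, permission) tuples for grants to a public group in one
    PutBucketAcl record; an empty list for other events or private ACLs."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") != "PutBucketAcl":
        return []
    params = event.get("requestParameters", {})
    bucket = params.get("bucketName")
    found = []
    # Shape 1: AccessControlPolicy body (console, SDKs, `aws s3api put-bucket-acl --access-control-policy`).
    acl = params.get("AccessControlPolicy", {}).get("AccessControlList", {})
    for grant in _as_list(acl.get("Grant")):
        uri = grant.get("Grantee", {}).get("URI")
        permission = grant.get("Permission")
        if uri in PUBLIC_GROUPS and permission in RISKY_PERMISSIONS:
            found.append((bucket, PUBLIC_GROUPS[uri], permission))
    # Shape 2: x-amz-grant-* parameters, whose value names the grantee, e.g.
    # 'uri=http://acs.amazonaws.com/groups/global/AllUsers' (value form is constructed here).
    grants = params.get("accessControlList", {})
    for param, permission in GRANT_PARAMS.items():
        value = grants.get(param, "")
        for group in PUBLIC_GROUP_NAMES:
            if value.endswith(group):    # same suffix match as the rule's "*AllUsers" terms
                found.append((bucket, group, permission))
    return found


# Constructed CloudTrail records (trimmed to the fields the check uses); not real data.
OWNER_ID = "0000000000000000000000000000000000000000000000000000000000000000"  # placeholder
CONSOLE_EVENT = {
    "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
    "userAgent": "console.amazonaws.com",
    "requestParameters": {"bucketName": "example-data-bucket", "AccessControlPolicy": {
        "AccessControlList": {"Grant": [
            {"Grantee": {"type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"},
            {"Grantee": {"type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
             "Permission": "WRITE"},    # service group, not public
        ]}}},
}
CLI_EVENT = {
    "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
    "userAgent": "aws-cli/2.15.0 Python/3.11.6",
    "requestParameters": {"bucketName": "example-upload-bucket", "accessControlList": {
        "x-amz-grant-read": "id=" + OWNER_ID,
        "x-amz-grant-write": "uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
    }},
}
PRIVATE_EVENT = {
    "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
    "userAgent": "aws-sdk-go/1.44.0",
    "requestParameters": {"bucketName": "example-private-bucket", "AccessControlPolicy": {
        "AccessControlList": {"Grant":
            {"Grantee": {"type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"}}}},
}

if __name__ == "__main__":
    for ev in (CONSOLE_EVENT, CLI_EVENT, PRIVATE_EVENT):
        print(ev["requestParameters"]["bucketName"], public_grants(ev))
```

Note that the example treats `x-amz-grant-read` as a public-read grant on the same footing as the other four parameters; the page's CLI search lists that field only in its `stats` clause, not among its search terms.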

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`
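The correlation above, written out in Python over constructed CloudTrail records as an added example (not code from the page or from Splunk's security content). It joins on the profile's user name and sourceIPAddress (Splunk's src_ip) like the SPL, and adds two checks the join does not enforce: the login must come after the profile was created, and within a configurable window. The user names, addresses and timestamps are constructed for the example.

```python
"""Correlate CreateLoginProfile with a later ConsoleLogin by the new profile's user
from the same source IP, over constructed CloudTrail records.

Added example; not code from the page or from Splunk's security content.
"""
from datetime import datetime
from typing import Any, Dict, Iterable, List


def _when(ev: Dict[str, Any]) -> datetime:
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))


def correlate(events: Iterable[Dict[str, Any]], window_seconds: int = 24 * 3600) -> List[Dict[str, Any]]:
    """Return one finding per (CreateLoginProfile, ConsoleLogin) pair where the login is
    by the user who received the profile, from the same sourceIPAddress, and happens
    between 0 and window_seconds after the profile was created."""
    events = list(events)
    # Only successful profile creations; CloudTrail omits errorCode on success and the
    # Splunk add-on normalizes that to the literal "success".
    profiles = [e for e in events
                if e.get("eventName") == "CreateLoginProfile" and e.get("errorCode") in (None, "success")]
    logins = [e for e in events if e.get("eventName") == "ConsoleLogin"]
    findings = []
    for profile in profiles:
        target = (profile.get("requestParameters") or {}).get("userName")
        src_ip = profile.get("sourceIPAddress")
        for login in logins:
            if (login.get("userIdentity") or {}).get("userName") != target:
                continue
            if login.get("sourceIPAddress") != src_ip:
                continue
            delay = (_when(login) - _when(profile)).total_seconds()
            if not 0 <= delay <= window_seconds:
                continue  # login before the profile existed, or too long after it
            findings.append({
                "creator": (profile.get("userIdentity") or {}).get("userName"),
                "new_login_profile": target,
                "src_ip": src_ip,
                "login_result": (login.get("responseElements") or {}).get("ConsoleLogin"),
                "seconds_after_create": int(delay),
            })
    return findings


def _ev(name: str, user: str, ip: str, when: str, **extra: Any) -> Dict[str, Any]:
    """Build a minimal constructed CloudTrail record (not a real log line)."""
    ev = {"eventName": name, "eventTime": when, "sourceIPAddress": ip,
          "userIdentity": {"type": "IAMUser", "userName": user}}
    ev.update(extra)
    return ev


SAMPLE_EVENTS = [
    # dev-alice (compromised) gives admin-bob a console password ...
    _ev("CreateLoginProfile", "dev-alice", "198.51.100.7", "2024-05-01T10:00:00Z",
        requestParameters={"userName": "admin-bob", "passwordResetRequired": False}),
    # ... and five minutes later logs in as admin-bob from the same address
    _ev("ConsoleLogin", "admin-bob", "198.51.100.7", "2024-05-01T10:05:00Z",
        responseElements={"ConsoleLogin": "Success"}),
    # a failed attempt from the same address before the profile existed: ordering drops it
    _ev("ConsoleLogin", "admin-bob", "198.51.100.7", "2024-05-01T09:00:00Z",
        responseElements={"ConsoleLogin": "Failure"}),
    # a later login from a different address: not correlated
    _ev("ConsoleLogin", "admin-bob", "203.0.113.9", "2024-05-01T11:00:00Z",
        responseElements={"ConsoleLogin": "Success"}),
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Only the 10:05 login is reported. The SPL join would also pair the 09:00 failure with the profile creation, since it compares nothing but user name and address; the ordering check is what turns "same user, same IP" into "profile created, then used".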

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail records delivered through Amazon Security Lake (hence the OCSF field names such as api.operation and identity.user.name). Attackers may evade logging by deleting a CloudWatch Logs log group: its log streams and metric filters are discarded with it, and nothing written to that group afterwards is retained. When the adversary has sufficient permissions in the compromised AWS environment, they may delete the log group that is recording activity in the environment. The search does not filter on api.response.error, so denied attempts surface as well; a failed DeleteLogGroup is itself a useful signal.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade logging by deleting a CloudWatch Logs log group: its log streams and metric filters are discarded with it, and nothing written to that group afterwards is retained. When the adversary has sufficient permissions in the compromised AWS environment, they may delete the log group that is recording activity in the environment. This variant keeps only successful, non-console calls (errorCode = success, userAgent not console.amazonaws.com) and reports the deleted group names.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it is important to monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting. This variant reads CloudTrail records delivered through Amazon Security Lake; the unmapped{} handling below lifts responseElements.accessKey.userName out of the OCSF unmapped key/value list so the caller (identity.user.name) and the key's owner can be compared.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile (console password) of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the old victim (user A). The comparison uses match(), a regular-expression test of requestParameters.userName against userIdentity.userName, so a target name that is a substring of the caller's name is treated as the same user; an exact string comparison avoids that gap.

Detection logic

`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it is important to monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`
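The caller-versus-target check that the UpdateLoginProfile and CreateAccessKey rules above share (and that the ASL CreateAccessKey variant performs on OCSF fields), written out in Python over constructed CloudTrail records. This is an added example, not code from the page or from Splunk's security content. It differs from the SPL in two ways a practitioner would want: names are compared exactly rather than with the regex-based match(), and the caller is resolved for AssumedRole sessions, where CloudTrail leaves userIdentity.userName unset and names the role under sessionContext.sessionIssuer. It also handles CreateAccessKey calls that omit UserName, which AWS applies to the caller. The user and role names, addresses and user agents are constructed for the example.

```python
"""Caller-versus-target check behind the UpdateLoginProfile and CreateAccessKey rules,
run over constructed CloudTrail records.

Added example; not code from the page or from Splunk's security content.
"""
from typing import Any, Dict, Iterable, List, Optional

CROSS_USER_EVENTS = {"CreateAccessKey", "UpdateLoginProfile"}


def caller_name(ev: Dict[str, Any]) -> Optional[str]:
    """Name of the calling principal. For IAM users it is userIdentity.userName; for
    AssumedRole sessions CloudTrail records the role name under
    userIdentity.sessionContext.sessionIssuer.userName instead."""
    ident = ev.get("userIdentity") or {}
    if ident.get("type") == "AssumedRole":
        return ((ident.get("sessionContext") or {}).get("sessionIssuer") or {}).get("userName")
    return ident.get("userName")


def target_name(ev: Dict[str, Any]) -> Optional[str]:
    """User the call acts on. CreateAccessKey may omit UserName, in which case the key is
    created for the caller and responseElements.accessKey.userName names them."""
    params = ev.get("requestParameters") or {}
    if params.get("userName"):
        return params["userName"]
    if ev.get("eventName") == "CreateAccessKey":
        return ((ev.get("responseElements") or {}).get("accessKey") or {}).get("userName")
    return None


def detect(events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one finding per successful, non-console CreateAccessKey or UpdateLoginProfile
    call whose target is a different user than the caller."""
    findings = []
    for ev in events:
        if ev.get("eventName") not in CROSS_USER_EVENTS:
            continue
        if ev.get("userAgent") == "console.amazonaws.com":
            continue
        # CloudTrail omits errorCode on success; the Splunk add-on maps that to "success".
        if ev.get("errorCode") not in (None, "success"):
            continue
        caller, target = caller_name(ev), target_name(ev)
        # Exact comparison: with regex match(), target "bob" is "found" inside caller "bobby".
        if target is None or caller == target:
            continue
        findings.append({"eventName": ev["eventName"], "caller": caller, "target": target,
                         "caller_type": (ev.get("userIdentity") or {}).get("type"),
                         "src": ev.get("sourceIPAddress"), "userAgent": ev.get("userAgent")})
    return findings


def _ev(name: str, identity: Dict[str, Any], ua: str = "aws-cli/2.15.0", **extra: Any) -> Dict[str, Any]:
    """Constructed CloudTrail record (not a real log line)."""
    ev = {"eventName": name, "eventSource": "iam.amazonaws.com", "userAgent": ua,
          "sourceIPAddress": "198.51.100.7", "userIdentity": identity}
    ev.update(extra)
    return ev


def _user(name: str) -> Dict[str, Any]:
    return {"type": "IAMUser", "userName": name}


def _role(name: str) -> Dict[str, Any]:
    return {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"type": "Role", "userName": name}}}


SAMPLE_EVENTS = [
    # compromised dev-alice mints a key for admin-bob: flagged
    _ev("CreateAccessKey", _user("dev-alice"), requestParameters={"userName": "admin-bob"},
        responseElements={"accessKey": {"userName": "admin-bob", "status": "Active"}}),
    # bobby acts on bob: flagged here, but match("bobby", "bob") is true so the SPL skips it
    _ev("CreateAccessKey", _user("bobby"), requestParameters={"userName": "bob"},
        responseElements={"accessKey": {"userName": "bob", "status": "Active"}}),
    # carol rotates her own key without naming a user: caller == target, not flagged
    _ev("CreateAccessKey", _user("carol"), requestParameters=None,
        responseElements={"accessKey": {"userName": "carol", "status": "Active"}}),
    # console password reset by a help-desk admin: excluded by the user-agent filter
    _ev("UpdateLoginProfile", _user("helpdesk-dave"), ua="console.amazonaws.com",
        requestParameters={"userName": "erin"}),
    # a CI role resets a user's password over the API: flagged, with the role as caller
    _ev("UpdateLoginProfile", _role("DeployRole"), requestParameters={"userName": "erin"}),
    # denied attempt: excluded by the errorCode filter
    _ev("UpdateLoginProfile", _user("dev-alice"), errorCode="AccessDenied",
        requestParameters={"userName": "admin-bob"}),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Three findings come out: dev-alice acting on admin-bob, bobby acting on bob (which the SPL's match() would discard), and DeployRole acting on erin. Whether a role resetting passwords is expected depends on the environment; that is exactly the kind of case the page's filter macros exist to suppress.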

Detect New Open S3 buckets

Description

This search looks for AWS CloudTrail events where a user has made an S3 bucket open/public by calling PutBucketAcl with a grant to the AllUsers or AuthenticatedUsers group for any ACL permission (READ, READ_ACP, WRITE, WRITE_ACP or FULL_CONTROL). Note that AuthenticatedUsers means any AWS account holder anywhere, not just principals in your own account, so such a grant is effectively public.

Detection logic

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl 
| rex field=_raw "(?<json_field>{.+})" 
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} 
| search grantees=* 
| mvexpand grantees 
| spath input=grantees output=uri path=Grantee.URI 
| spath input=grantees output=permission path=Permission 
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") 
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") 
| rename requestParameters.bucketName AS bucketName 
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_filter` 

Detect New Open S3 Buckets over AWS CLI

Description

This search looks for AWS CloudTrail events where a user has made an S3 bucket open/public over the AWS CLI, which sends the grants as x-amz-grant-* request headers (recorded under requestParameters.accessControlList) rather than in an AccessControlPolicy body. Because eventName=PutBucketAcl is joined to the grant clauses with OR, every PutBucketAcl issued over the CLI is returned whether or not it grants public access; the x-amz-grant-* columns in the output show which ones actually did.

Detection logic

`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") 
| rename requestParameters.bucketName AS bucketName 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_over_aws_cli_filter` 
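The two S3 rules above match the same condition in two request shapes: a full AccessControlPolicy body (console and SDK callers) and the x-amz-grant-* parameters the CLI sends. The following Python is an added example, not code from this page or from Splunk security_content: it runs that public-grant check over a few constructed PutBucketAcl records and aggregates per bucket the way the `stats ... by bucketName` step does. The `uri=<group>` format of the x-amz-grant-* values and the record layout are assumptions about CloudTrail's shape, trimmed to the fields the logic reads.

```python
"""Added example (not from this page or Splunk security_content): flag S3
PutBucketAcl records that grant a public group access, covering both the
AccessControlPolicy body and the x-amz-grant-* CLI parameters. Sample
records at the bottom are constructed and trimmed to the fields read."""

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
RISKY_PERMISSIONS = {"READ", "READ_ACP", "WRITE", "WRITE_ACP", "FULL_CONTROL"}
# CLI grant parameter -> the S3 permission it confers
GRANT_PARAMS = {
    "x-amz-grant-read": "READ",
    "x-amz-grant-read-acp": "READ_ACP",
    "x-amz-grant-write": "WRITE",
    "x-amz-grant-write-acp": "WRITE_ACP",
    "x-amz-grant-full-control": "FULL_CONTROL",
}


def public_grants(event):
    """Return [(bucket, grantee_uri, permission), ...] for every grant in a
    PutBucketAcl record that hands a public group a risky permission."""
    if (event.get("eventSource") != "s3.amazonaws.com"
            or event.get("eventName") != "PutBucketAcl"):
        return []
    params = event.get("requestParameters") or {}
    bucket = params.get("bucketName")
    hits = []

    # Shape 1: AccessControlPolicy body. A single Grant may be logged as a
    # bare object rather than a one-element list, so normalise first.
    acl_doc = params.get("AccessControlPolicy") or {}
    grants = (acl_doc.get("AccessControlList") or {}).get("Grant") or []
    if isinstance(grants, dict):
        grants = [grants]
    for grant in grants:
        uri = (grant.get("Grantee") or {}).get("URI")
        permission = grant.get("Permission")
        if uri in PUBLIC_GROUPS and permission in RISKY_PERMISSIONS:
            hits.append((bucket, uri, permission))

    # Shape 2: x-amz-grant-* parameters from the CLI (assumed value format):
    #   "x-amz-grant-read": "uri=http://acs.amazonaws.com/groups/global/AllUsers"
    header_grants = params.get("accessControlList") or {}
    for param, permission in GRANT_PARAMS.items():
        value = header_grants.get(param) or ""
        for uri in PUBLIC_GROUPS:
            if uri in value:
                hits.append((bucket, uri, permission))
    return hits


def open_buckets(events):
    """Aggregate like `stats ... by bucketName`: bucket -> set of public
    permissions granted across all matching records."""
    summary = {}
    for event in events:
        for bucket, _uri, permission in public_grants(event):
            summary.setdefault(bucket, set()).add(permission)
    return summary


# Constructed sample records
SAMPLE_EVENTS = [
    {   # console: AllUsers READ -> public bucket
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "userAgent": "console.amazonaws.com",
        "requestParameters": {
            "bucketName": "example-data-bucket",
            "AccessControlPolicy": {"AccessControlList": {"Grant": [
                {"Grantee": {"type": "CanonicalUser", "ID": "0123abcd"},
                 "Permission": "FULL_CONTROL"},
                {"Grantee": {"type": "Group",
                             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                 "Permission": "READ"},
            ]}}}},
    {   # aws cli: --grant-full-control uri=...AllUsers -> public bucket
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.1.0 exe/x86_64",
        "requestParameters": {
            "bucketName": "cli-bucket",
            "accessControlList": {
                "x-amz-grant-full-control":
                    "uri=http://acs.amazonaws.com/groups/global/AllUsers"}}},
    {   # owner-only ACL -> not public
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "userAgent": "console.amazonaws.com",
        "requestParameters": {
            "bucketName": "private-bucket",
            "AccessControlPolicy": {"AccessControlList": {"Grant":
                {"Grantee": {"type": "CanonicalUser", "ID": "0123abcd"},
                 "Permission": "FULL_CONTROL"}}}}},
    {   # unrelated S3 call
        "eventSource": "s3.amazonaws.com", "eventName": "GetBucketAcl",
        "requestParameters": {"bucketName": "private-bucket"}},
]

if __name__ == "__main__":
    for bucket, perms in open_buckets(SAMPLE_EVENTS).items():
        print(f"{bucket}: public {sorted(perms)}")
```

Both shapes feed one result, so a bucket opened from the console and later re-opened from the CLI shows up as a single row with the union of permissions; the CLI rule above would otherwise only see the second event.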

ASL AWS Defense Evasion Delete Cloudtrail

Description

This analytic identifies AWS DeleteTrail events in CloudTrail records delivered through Amazon Security Lake. Adversaries often try to impair their target's defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right permissions in the compromised AWS environment, they may delete the entire trail that is logging activity in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteTrail 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`

AWS Defense Evasion Stop Logging Cloudtrail

Description

This analytic identifies StopLogging events in CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right permissions in the compromised AWS environment, they can stop logging with a single API call.

Detection logic

`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `aws_defense_evasion_stop_logging_cloudtrail_filter`

AWS Defense Evasion Delete Cloudtrail

Description

This analytic identifies AWS DeleteTrail events within CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right permissions in the compromised AWS environment, they may delete the entire trail that is logging activity in the environment.

Detection logic

`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where user A (the compromised account) creates a login profile for user B, followed by an AWS console login event for user B from the same src_ip that user A used. The correlated pair can indicate privilege escalation, since both events came from the same src_ip.

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`
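The join above pairs a CreateLoginProfile event with a ConsoleLogin event on username and src_ip alone; it does not require the login to come after the profile creation, nor that the login succeeded. The following Python is an added example, not code from this page or from Splunk security_content: it performs the same correlation over constructed CloudTrail records with those two checks added (ordering within a window, and responseElements.ConsoleLogin equal to "Success"). Field names follow raw CloudTrail; the sample events are constructed.

```python
"""Added example (not from this page or Splunk security_content): correlate
CreateLoginProfile with a later, successful console login by the user the
profile was created for, from the same source IP. Events are constructed."""
from datetime import datetime, timedelta


def _when(event):
    """CloudTrail eventTime is ISO-8601 UTC, e.g. 2024-05-01T10:00:00Z."""
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def correlate_login_profiles(events, window=timedelta(hours=24)):
    """One dict per (CreateLoginProfile, ConsoleLogin) pair in which someone
    other than the target created the profile and the target then logged in
    from the IP the creation came from, within `window`."""
    created = []
    for event in events:
        # raw CloudTrail carries errorCode only for failed calls
        if event.get("eventName") == "CreateLoginProfile" and "errorCode" not in event:
            created.append({
                "time": _when(event),
                "creator": (event.get("userIdentity") or {}).get("userName"),
                "target": event["requestParameters"]["userName"],
                "src_ip": event.get("sourceIPAddress"),
            })

    hits = []
    for event in events:
        if event.get("eventName") != "ConsoleLogin":
            continue
        if (event.get("responseElements") or {}).get("ConsoleLogin") != "Success":
            continue
        who = (event.get("userIdentity") or {}).get("userName")
        src_ip = event.get("sourceIPAddress")
        login_time = _when(event)
        for c in created:
            if (c["target"] == who and c["creator"] != who and c["src_ip"] == src_ip
                    and c["time"] <= login_time <= c["time"] + window):
                hits.append({
                    "creator": c["creator"],
                    "new_login_profile": who,
                    "src_ip": src_ip,
                    "profile_created": c["time"].isoformat(),
                    "login": login_time.isoformat(),
                    "userAgent": event.get("userAgent"),
                })
    return hits


def _login(user, ip, when, outcome="Success"):
    """Constructed ConsoleLogin record."""
    return {"eventTime": when, "eventName": "ConsoleLogin",
            "eventSource": "signin.amazonaws.com", "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": user},
            "responseElements": {"ConsoleLogin": outcome},
            "userAgent": "Mozilla/5.0"}


SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "CreateLoginProfile",
     "eventSource": "iam.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "bob", "passwordResetRequired": False}},
    _login("bob", "203.0.113.10", "2024-05-01T10:02:00Z", outcome="Failure"),  # wrong password first
    _login("bob", "203.0.113.10", "2024-05-01T10:04:00Z"),                     # the hit
    _login("bob", "198.51.100.7", "2024-05-01T11:00:00Z"),                     # other IP: no hit
    _login("alice", "203.0.113.10", "2024-05-01T10:30:00Z"),                   # the creator herself: no hit
]

if __name__ == "__main__":
    for hit in correlate_login_profiles(SAMPLE_EVENTS):
        print(hit)
```

The window is the knob to tune against the false positive noted for this rule: an administrator who creates a profile for a colleague and hands over the password will rarely see that colleague sign in from the administrator's own IP within minutes, whereas an attacker holding both credentials will.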

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`
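The CloudTrail DeleteTrail, StopLogging and DeleteLogGroup rules above share one filter: a successful call, not from the console, against a logging resource. The following Python is an added example, not code from this page or from Splunk security_content: it applies that filter to constructed records and reproduces the `stats ... by src user_arn` summary. Two details matter when porting the SPL and are handled here. Raw CloudTrail carries errorCode only when a call failed, so the `errorCode = success` clause relies on the Splunk add-on filling in that value; the example treats an absent errorCode as success. The console exclusion is kept switchable, because a stolen console session can tear logging down just as well as a CLI.

```python
"""Added example (not from this page or Splunk security_content): the filter
shared by the DeleteTrail / StopLogging / DeleteLogGroup rules, with the
stats-style roll-up, over constructed CloudTrail records."""

# (eventSource, eventName) -> requestParameters field naming what was removed
LOGGING_TEARDOWN = {
    ("cloudtrail.amazonaws.com", "DeleteTrail"): "name",
    ("cloudtrail.amazonaws.com", "StopLogging"): "name",
    ("logs.amazonaws.com", "DeleteLogGroup"): "logGroupName",
}
CONSOLE_UA = "console.amazonaws.com"


def succeeded(event):
    """True unless CloudTrail recorded a failure for the call (raw CloudTrail
    omits errorCode on success; the add-on normalises it to 'success')."""
    return event.get("errorCode") in (None, "success")


def logging_teardown_events(events, exclude_console=True):
    """One dict per successful DeleteTrail / StopLogging / DeleteLogGroup."""
    hits = []
    for event in events:
        key = (event.get("eventSource"), event.get("eventName"))
        if key not in LOGGING_TEARDOWN or not succeeded(event):
            continue
        if exclude_console and event.get("userAgent") == CONSOLE_UA:
            continue
        hits.append({
            "time": event["eventTime"],
            "eventName": event["eventName"],
            "target": (event.get("requestParameters") or {}).get(LOGGING_TEARDOWN[key]),
            "src": event.get("sourceIPAddress"),
            "region": event.get("awsRegion"),
            "user_arn": (event.get("userIdentity") or {}).get("arn"),
            "userAgent": event.get("userAgent"),
        })
    return hits


def summarize(hits):
    """The `stats count min(_time) max(_time) values(...) by src user_arn`
    step: one row per (src, user_arn). ISO-8601 UTC timestamps sort as text."""
    rows = {}
    for hit in hits:
        row = rows.setdefault((hit["src"], hit["user_arn"]), {
            "count": 0, "firstTime": hit["time"], "lastTime": hit["time"], "targets": set()})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], hit["time"])
        row["lastTime"] = max(row["lastTime"], hit["time"])
        row["targets"].add(f'{hit["eventName"]}:{hit["target"]}')
    return rows


ALICE = "arn:aws:iam::123456789012:user/alice"
# Constructed records, trimmed to the fields the filter reads
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T12:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0", "userIdentity": {"arn": ALICE},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-05-01T12:01:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0", "userIdentity": {"arn": ALICE},
     "requestParameters": {"name": "org-trail"}},
    {   # from the console: dropped by default, as in the SPL
        "eventTime": "2024-05-01T12:02:00Z", "eventSource": "logs.amazonaws.com",
        "eventName": "DeleteLogGroup", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "userAgent": "console.amazonaws.com", "userIdentity": {"arn": ALICE},
        "requestParameters": {"logGroupName": "/aws/cloudtrail/org"}},
    {   # denied: CloudTrail records errorCode, so this is not a hit
        "eventTime": "2024-05-01T12:03:00Z", "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "DeleteTrail", "errorCode": "AccessDenied", "sourceIPAddress": "198.51.100.7",
        "userAgent": "aws-cli/2.15.0", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/carol"},
        "requestParameters": {"name": "org-trail"}},
    {   # benign cleanup by a deployment role: a candidate for the filter macro
        "eventTime": "2024-05-01T12:04:00Z", "eventSource": "logs.amazonaws.com",
        "eventName": "DeleteLogGroup", "awsRegion": "eu-west-1", "sourceIPAddress": "192.0.2.5",
        "userAgent": "aws-sdk-go/1.44.0",
        "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci"},
        "requestParameters": {"logGroupName": "/aws/lambda/old-function"}},
]

if __name__ == "__main__":
    for key, row in summarize(logging_teardown_events(SAMPLE_EVENTS)).items():
        print(key, row)
```

The summary row for alice shows why the roll-up matters: StopLogging followed a minute later by DeleteTrail on the same trail from the same source is a much stronger signal than either event alone, and the denied attempt from carol is a separate lead worth its own hunt.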

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`
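The search above unpacks the new policy document, keeps Allow statements, and tests each Action against `^(\*|[\w-]+:\*)$`, which matches a bare `*` or a service-wide wildcard such as `ec2:*`. The following Python is an added example, not code from this page or from Splunk security_content: it performs the same check over constructed CreatePolicyVersion records. Two things the SPL leaves implicit are handled explicitly: CloudTrail logs IAM policy documents as a URL-encoded string, so the document is unquoted before JSON parsing, and Action may be a single string or a list. The SPL does not examine Resource; the example reports it next to the matched actions so an analyst sees whether the wildcard is scoped.

```python
"""Added example (not from this page or Splunk security_content): find Allow
statements with wildcard actions in CreatePolicyVersion records. The records
are constructed, with the policy URL-encoded as CloudTrail logs it."""
import json
import re
from urllib.parse import quote, unquote

WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def policy_document(event):
    """Decode requestParameters.policyDocument (URL-encoded JSON string)."""
    doc = event["requestParameters"]["policyDocument"]
    return json.loads(unquote(doc)) if isinstance(doc, str) else doc


def wildcard_allow_statements(event):
    """Return a dict per Allow statement containing a wildcard action."""
    if (event.get("eventSource") != "iam.amazonaws.com"
            or event.get("eventName") != "CreatePolicyVersion"
            or event.get("errorCode") not in (None, "success")):
        return []
    statements = policy_document(event).get("Statement") or []
    if isinstance(statements, dict):      # a lone statement need not be a list
        statements = [statements]
    params = event["requestParameters"]
    hits = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action") or []
        if isinstance(actions, str):
            actions = [actions]
        matched = [a for a in actions if WILDCARD_ACTION.match(a)]
        if matched:
            hits.append({
                "policy_arn": params.get("policyArn"),
                "set_as_default": params.get("setAsDefault"),
                "wildcard_actions": matched,
                "resource": stmt.get("Resource"),
                "user_arn": (event.get("userIdentity") or {}).get("arn"),
            })
    return hits


def _record(policy, **overrides):
    """Constructed CreatePolicyVersion record in CloudTrail's shape: the
    document is URL-encoded inside requestParameters."""
    event = {
        "eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {
            "policyArn": "arn:aws:iam::123456789012:policy/app-policy",
            "setAsDefault": True,
            "policyDocument": quote(json.dumps(policy)),
        },
    }
    event.update(overrides)
    return event


SAMPLE_EVENTS = [
    _record({"Version": "2012-10-17", "Statement": [       # bare * : hit
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-data/*"}]}),
    _record({"Version": "2012-10-17", "Statement": {       # single statement, list Action: hit on ec2:*
        "Effect": "Allow", "Action": ["ec2:*", "s3:ListBucket"], "Resource": "*"}}),
    _record({"Version": "2012-10-17", "Statement": [       # Deny wildcard and scoped Allow: no hit
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::app-data/*"}]}),
    _record({"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
            errorCode="LimitExceeded"),                     # failed call: ignored
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        for hit in wildcard_allow_statements(event):
            print(hit)
```

setAsDefault is worth surfacing: a wildcard version that is not made the default grants nothing until someone calls SetDefaultPolicyVersion, which is a separate event to pair this one with.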

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the original victim (user A).

Detection logic

 `cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`
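The three rules above (ASL AWS CreateAccessKey, AWS UpdateLoginProfile, AWS CreateAccessKey) reduce to one test: the caller acted on an IAM user other than itself. The following Python is an added example, not code from this page or from Splunk security_content: it normalises raw CloudTrail records and Amazon Security Lake (OCSF) records into that comparison. In the OCSF form the CloudTrail-specific fields sit in the `unmapped` key/value list, which the ASL search flattens with mvzip, mvexpand and rex; the dotted key names used below are an assumption about that list. Two caveats from the SPL are also shown. `match()` is a regular-expression test, so an actor named "bobby" acting on "bob" compares as self-service and is missed; the example compares exact strings and includes a helper that reproduces the regex behaviour. For CreateAccessKey the target is read from responseElements.accessKey.userName, which is populated even when the caller omits --user-name, whereas requestParameters is null in that case. All records are constructed.

```python
"""Added example (not from this page or Splunk security_content): flag
CreateAccessKey / UpdateLoginProfile calls where the actor is not the target
user, over raw CloudTrail and Security Lake (OCSF) records. Records are
constructed; the OCSF unmapped key names are assumed."""
import re

CREDENTIAL_OPS = {"CreateAccessKey", "UpdateLoginProfile"}
CONSOLE_UA = "console.amazonaws.com"


def spl_regex_match_misses(actor, target):
    """Reproduce match(userIdentity.userName, requestParameters.userName):
    True means the SPL treats the call as self-service and suppresses it."""
    return re.search(target, actor) is not None


def unmapped_fields(record):
    """Flatten OCSF unmapped [{key, value}, ...] into a dict."""
    return {kv["key"]: kv["value"] for kv in record.get("unmapped") or []}


def from_cloudtrail(event):
    op = event.get("eventName")
    if op not in CREDENTIAL_OPS:
        return None
    if op == "CreateAccessKey":   # present even when --user-name was omitted
        target = ((event.get("responseElements") or {}).get("accessKey") or {}).get("userName")
    else:
        target = (event.get("requestParameters") or {}).get("userName")
    return {"source": "cloudtrail", "operation": op,
            "actor": (event.get("userIdentity") or {}).get("userName"), "target": target,
            "user_agent": event.get("userAgent"), "failed": "errorCode" in event}


def from_security_lake(record):
    api = record.get("api") or {}
    op = api.get("operation")
    if op not in CREDENTIAL_OPS:
        return None
    extra = unmapped_fields(record)   # assumed keys: dotted CloudTrail field names
    if op == "CreateAccessKey":
        target = extra.get("responseElements.accessKey.userName")
    else:
        target = extra.get("requestParameters.userName")
    return {"source": "security_lake", "operation": op,
            "actor": ((record.get("identity") or {}).get("user") or {}).get("name"),
            "target": target,
            "user_agent": (record.get("http_request") or {}).get("user_agent"),
            "failed": (api.get("response") or {}).get("error") is not None}


def cross_user_credential_ops(records):
    """Successful, non-console CreateAccessKey / UpdateLoginProfile calls
    where the caller acted on a different IAM user than itself."""
    hits = []
    for rec in records:
        norm = from_security_lake(rec) if "api" in rec else from_cloudtrail(rec)
        if norm is None or norm["failed"] or norm["user_agent"] == CONSOLE_UA:
            continue
        if norm["target"] and norm["actor"] != norm["target"]:
            hits.append(norm)
    return hits


SAMPLE_RECORDS = [
    {   # alice mints a key for bob from the CLI: hit
        "eventName": "CreateAccessKey", "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {"userName": "bob"},
        "responseElements": {"accessKey": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                                           "userName": "bob", "status": "Active"}}},
    {   # bob rotates his own key without --user-name: not a hit
        "eventName": "CreateAccessKey", "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "requestParameters": None,
        "responseElements": {"accessKey": {"userName": "bob", "status": "Active"}}},
    {   # bobby resets bob's password: hit here, missed by the SPL regex match
        "eventName": "UpdateLoginProfile", "userAgent": "Boto3/1.34.0",
        "userIdentity": {"type": "IAMUser", "userName": "bobby"},
        "requestParameters": {"userName": "bob", "passwordResetRequired": False}},
    {   # Security Lake: alice creates a key for carol: hit
        "api": {"operation": "CreateAccessKey", "service": {"name": "iam.amazonaws.com"},
                "response": {}},
        "identity": {"user": {"name": "alice", "type": "IAMUser"}},
        "http_request": {"user_agent": "aws-cli/2.15.0"},
        "unmapped": [{"key": "responseElements.accessKey.userName", "value": "carol"},
                     {"key": "responseElements.accessKey.status", "value": "Active"}]},
    {   # Security Lake: denied attempt: not a hit
        "api": {"operation": "CreateAccessKey", "response": {"error": "AccessDenied"}},
        "identity": {"user": {"name": "mallory"}},
        "http_request": {"user_agent": "aws-cli/2.15.0"}, "unmapped": []},
]

if __name__ == "__main__":
    for hit in cross_user_credential_ops(SAMPLE_RECORDS):
        print(f'{hit["source"]}: {hit["actor"]} -> {hit["operation"]} on {hit["target"]}')
```

The denied Security Lake record is dropped here to mirror `api.response.error=null`, but a failed attempt to mint a key for another user is itself a useful hunting lead; keep the AccessDenied events in a separate query rather than discarding them.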

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`
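To show what the rule's `regex` step actually matches, here is an added Python example (not part of the rule set or the Splunk content) that applies the same base filters and action pattern to constructed CloudTrail CreatePolicyVersion records. The user names, account id and policy ARN are constructed placeholders, and treating an absent errorCode as a successful call is an assumption about how the add-on normalises that field.

```python
import json
import re
from typing import Optional

# Same pattern the rule's `regex` step applies to the Action field: either a bare "*"
# or a service-wide wildcard such as "iam:*" or "s3:*". A partial wildcard like
# "s3:Get*" does not match.
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def wildcard_allow_statements(policy_document: str) -> list:
    """Return the Allow statements of an IAM policy document whose Action is a bare
    or service-wide wildcard (the rule's spath + search effect=Allow + regex steps)."""
    statements = json.loads(policy_document).get("Statement", [])
    if isinstance(statements, dict):          # IAM also accepts a single statement object
        statements = [statements]
    hits = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):          # "Action": "*"  vs  "Action": ["a", "b"]
            actions = [actions]
        if any(WILDCARD_ACTION.match(a) for a in actions):
            hits.append(stmt)
    return hits


def evaluate_event(event: dict) -> Optional[dict]:
    """Apply the rule's base filters to one raw CloudTrail record and return a
    finding (user, policyArn, offending statements) or None."""
    if event.get("eventName") != "CreatePolicyVersion":
        return None
    if event.get("eventSource") != "iam.amazonaws.com":
        return None
    # Raw CloudTrail records omit errorCode on success; the SPL errorCode=success
    # filter is assumed here to correspond to that absence.
    if event.get("errorCode"):
        return None
    params = event.get("requestParameters") or {}
    hits = wildcard_allow_statements(params.get("policyDocument", "{}"))
    if not hits:
        return None
    return {
        "user": event.get("userIdentity", {}).get("userName"),
        "policyArn": params.get("policyArn"),
        "policy_added": hits,
    }


def evaluate_events(events: list) -> list:
    """Run the check over a batch of records and keep only the findings."""
    return [f for f in (evaluate_event(e) for e in events) if f]


def _event(user, actions, effect="Allow", error=None):
    """Build a constructed CloudTrail CreatePolicyVersion record (sample data, not real logs)."""
    rec = {
        "eventName": "CreatePolicyVersion",
        "eventSource": "iam.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "userName": user},
        "requestParameters": {
            "policyArn": "arn:aws:iam::123456789012:policy/constructed-example",
            "setAsDefault": True,
            "policyDocument": json.dumps({
                "Version": "2012-10-17",
                "Statement": [{"Effect": effect, "Action": actions, "Resource": "*"}],
            }),
        },
    }
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample records covering the cases the regex distinguishes.
SAMPLE_EVENTS = [
    _event("alice", "*"),                          # bare wildcard: finding
    _event("bob", ["s3:GetObject", "iam:*"]),      # service-wide wildcard: finding
    _event("carol", "*", effect="Deny"),           # Deny statement: ignored
    _event("dave", "s3:Get*"),                     # partial wildcard: no match
    _event("erin", "*", error="AccessDenied"),     # failed call: ignored
]

if __name__ == "__main__":
    for finding in evaluate_events(SAMPLE_EVENTS):
        print(finding["user"], finding["policyArn"],
              [s["Action"] for s in finding["policy_added"]])
```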

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the old victim (user A).

Detection logic

`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`

Detect New Open S3 buckets

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket.

Detection logic

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl 
| rex field=_raw "(?<json_field>{.+})" 
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} 
| search grantees=* 
| mvexpand grantees 
| spath input=grantees output=uri path=Grantee.URI 
| spath input=grantees output=permission path=Permission 
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") 
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") 
| rename requestParameters.bucketName AS bucketName 
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_filter` 

Detect New Open S3 Buckets over AWS CLI

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the AWS CLI.

Detection logic

`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") 
| rename requestParameters.bucketName AS bucketName 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_over_aws_cli_filter` 

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A who has already permission to update login profile, makes an API call to update login profile for another user B . Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B)

Detection logic

 `cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`
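
The same check applied to the policy document itself, as an added example that is not part of the LoFP page or the Splunk rule: every Allow statement whose Action is "*" or "service:*" (the rule's own regex) is reported. Like the rule, it inspects Action only; NotAction-based statements are outside its scope. The CreatePolicyVersion records and the policy text are constructed, and the handling of requestParameters.policyDocument as either plain or percent-encoded JSON is an assumption about how CloudTrail records the parameter.

```python
"""Flag IAM policy versions whose Allow statements grant wildcard actions.

Added example; not part of the LoFP page or the Splunk rule above.
Sample events are constructed. Assumption: CloudTrail carries
requestParameters.policyDocument as a JSON string, sometimes percent-encoded.
"""
import json
import re
from typing import Any, Dict, List
from urllib.parse import unquote

# Same pattern the rule applies: a bare "*" or "<service>:*".
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a scalar or an array for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _load_policy_document(raw: Any) -> Dict[str, Any]:
    """Decode a policy document given as a dict, a JSON string, or percent-encoded JSON."""
    if isinstance(raw, dict):
        return raw
    text = str(raw)
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return json.loads(unquote(text))


def wildcard_allow_statements(policy_document: Any) -> List[Dict[str, Any]]:
    """Return every Allow statement that lists at least one wildcard action."""
    doc = _load_policy_document(policy_document)
    flagged = []
    for stmt in _as_list(doc.get("Statement")):
        if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
            continue
        wild = [a for a in _as_list(stmt.get("Action"))
                if isinstance(a, str) and WILDCARD_ACTION.match(a)]
        if wild:
            flagged.append({"actions": wild,
                            "resources": _as_list(stmt.get("Resource")),
                            "statement": stmt})
    return flagged


def review_create_policy_version(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Apply the check to successful CreatePolicyVersion CloudTrail records."""
    findings = []
    for e in events:
        if e.get("eventName") != "CreatePolicyVersion":
            continue
        # A raw CloudTrail record carries no errorCode when the call succeeded.
        if e.get("eventSource") != "iam.amazonaws.com" or "errorCode" in e:
            continue
        params = e.get("requestParameters", {})
        for hit in wildcard_allow_statements(params.get("policyDocument", "{}")):
            findings.append({"policy_arn": params.get("policyArn"),
                             "actor": e.get("userIdentity", {}).get("arn"),
                             **hit})
    return findings


# Constructed policy: one scoped statement, one wildcard Allow, one wildcard Deny.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": ["iam:*", "s3:ListBucket"], "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}

# Constructed CloudTrail records; account id and ARNs are placeholders.
SAMPLE_EVENTS = [
    {"eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"},
     "requestParameters": {
         "policyArn": "arn:aws:iam::123456789012:policy/example-policy",
         "policyDocument": json.dumps(SAMPLE_POLICY),
         "setAsDefault": True}},
    # Percent-encoded document with only a scoped action: not flagged.
    {"eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/other-user"},
     "requestParameters": {
         "policyArn": "arn:aws:iam::123456789012:policy/narrow-policy",
         "policyDocument": "%7B%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C"
                           "%22Action%22%3A%22ec2%3ADescribeInstances%22%2C"
                           "%22Resource%22%3A%22%2A%22%7D%5D%7D"}},
]

if __name__ == "__main__":
    for finding in review_create_policy_version(SAMPLE_EVENTS):
        print(finding["policy_arn"], finding["actions"], finding["resources"])
```

The Deny statement is deliberately ignored, as in the rule: a wildcard under Deny narrows access rather than widening it. The resources of a flagged statement are carried along so an analyst can see at once whether the wildcard action is paired with a wildcard resource.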

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it is important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who do not typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the old victim (user A).

Detection logic

`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`
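
The "caller differs from target" test shared by the CreateAccessKey, ASL CreateAccessKey and UpdateLoginProfile rules, as an added example that is not part of the LoFP page or the Splunk rules. The CloudTrail records are constructed in raw JSON layout. One caveat the example makes visible: the rules compare the two names with SPL match(), which treats requestParameters.userName as an unanchored regex searched within userIdentity.userName, so a caller named "alice-admin" changing the credentials of "alice" counts as a self-change and is dropped. Exact comparison is the default below; the regex-style comparison is included only to show where the two disagree.

```python
"""Flag successful, non-console CreateAccessKey / UpdateLoginProfile calls whose
target user is not the caller.

Added example; not part of the LoFP page or the Splunk rules it illustrates.
Sample records are constructed; user names, addresses and agents are made up.
"""
import re
from typing import Callable, Dict, List

CREDENTIAL_EVENTS = {"CreateAccessKey", "UpdateLoginProfile"}
CONSOLE_USER_AGENT = "console.amazonaws.com"


def exact_match(actor: str, target: str) -> bool:
    """True when the caller is changing their own credentials."""
    return actor == target


def splunk_style_match(actor: str, target: str) -> bool:
    """Mirror of match(userIdentity.userName, requestParameters.userName):
    the target name is used as a regex and searched within the actor name."""
    try:
        return re.search(target, actor) is not None
    except re.error:
        return False


def cross_user_credential_events(events: List[Dict],
                                 compare: Callable[[str, str], bool] = exact_match) -> List[Dict]:
    """Return one finding per qualifying event whose target differs from the caller."""
    findings = []
    for e in events:
        if e.get("eventName") not in CREDENTIAL_EVENTS:
            continue
        # Console activity is excluded as in the rules; a raw CloudTrail record
        # without errorCode is a successful call.
        if e.get("userAgent") == CONSOLE_USER_AGENT or "errorCode" in e:
            continue
        actor = e.get("userIdentity", {}).get("userName")
        target = e.get("requestParameters", {}).get("userName")
        if target is None:
            continue  # CreateAccessKey without userName acts on the caller itself
        # Design choice: a caller without userName (for example an assumed role)
        # can never equal the target, so such calls are always reported.
        if actor is not None and compare(actor, target):
            continue
        findings.append({
            "event": e["eventName"],
            "actor": actor,
            "actor_type": e.get("userIdentity", {}).get("type"),
            "target": target,
            "src_ip": e.get("sourceIPAddress"),
            "user_agent": e.get("userAgent"),
        })
    return findings


SAMPLE_EVENTS: List[Dict] = [
    # Self-service key rotation: no finding.
    {"eventName": "CreateAccessKey", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "alice"}, "sourceIPAddress": "203.0.113.10"},
    # alice creates a key for bob: finding.
    {"eventName": "CreateAccessKey", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "bob"}, "sourceIPAddress": "203.0.113.10"},
    # alice-admin resets alice's password: exact comparison reports it, the
    # regex-style comparison does not, because "alice" occurs inside "alice-admin".
    {"eventName": "UpdateLoginProfile", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "userName": "alice-admin"},
     "requestParameters": {"userName": "alice"}, "sourceIPAddress": "203.0.113.10"},
    # Same action from the console: excluded by the user-agent filter.
    {"eventName": "CreateAccessKey", "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "bob"}, "sourceIPAddress": "203.0.113.10"},
    # Denied attempt: excluded because the call did not succeed.
    {"eventName": "CreateAccessKey", "userAgent": "aws-cli/2.15.0", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "bob"}, "sourceIPAddress": "203.0.113.10"},
]

if __name__ == "__main__":
    for finding in cross_user_credential_events(SAMPLE_EVENTS):
        print(finding)
```

Running the same events through the regex-style comparison drops the alice-admin case, which is exactly the class of event (an elevated account touching a lower one, or the reverse) these rules exist to surface. Anchoring the comparison, or comparing principal IDs instead of names, avoids that gap.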

Detect New Open S3 buckets

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket.

Detection logic

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl 
| rex field=_raw "(?<json_field>{.+})" 
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} 
| search grantees=* 
| mvexpand grantees 
| spath input=grantees output=uri path=Grantee.URI 
| spath input=grantees output=permission path=Permission 
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") 
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") 
| rename requestParameters.bucketName AS bucketName 
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_filter` 

Detect New Open S3 Buckets over AWS CLI

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the AWS CLI.

Detection logic

`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") 
| rename requestParameters.bucketName AS bucketName 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_over_aws_cli_filter` 
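
The grant inspection behind both S3 rules, as an added example that is not part of the LoFP page or the Splunk rules: it handles the AccessControlPolicy body that PutBucketAcl records under requestParameters (the first rule's spath walk) and the x-amz-grant-* header parameters the AWS CLI variant matches. Sample records are constructed; the header-name-to-permission mapping is stated here as an assumption about the S3 API rather than taken from the page.

```python
"""Detect S3 bucket ACL grants to the AllUsers / AuthenticatedUsers groups.

Added example; not part of the LoFP page or the two Splunk rules it illustrates.
Sample CloudTrail records are constructed.
"""
from typing import Any, Dict, List, Optional

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

# Assumption: each x-amz-grant-* request header maps to this ACL permission.
GRANT_HEADERS = {
    "x-amz-grant-read": "READ",
    "x-amz-grant-read-acp": "READ_ACP",
    "x-amz-grant-write": "WRITE",
    "x-amz-grant-write-acp": "WRITE_ACP",
    "x-amz-grant-full-control": "FULL_CONTROL",
}


def _as_list(value: Any) -> List[Any]:
    """CloudTrail renders a single XML Grant as a dict, several as a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _public_group(value: str) -> Optional[str]:
    """Return the public group name if value is, or contains, one of the group
    URIs. Header values look like 'uri=http://acs.amazonaws.com/groups/global/AllUsers'."""
    for uri, name in PUBLIC_GROUPS.items():
        if uri in value:
            return name
    return None


def public_acl_grants(event: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Findings for one PutBucketAcl record, in body form and/or header form."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") != "PutBucketAcl":
        return []
    params = event.get("requestParameters", {})
    actor = event.get("userIdentity", {}).get("arn")
    bucket = params.get("bucketName")
    findings = []

    # Body form: requestParameters.AccessControlPolicy.AccessControlList.Grant
    grants = (params.get("AccessControlPolicy", {})
                    .get("AccessControlList", {})
                    .get("Grant"))
    for grant in _as_list(grants):
        group = _public_group(str(grant.get("Grantee", {}).get("URI", "")))
        if group:
            findings.append({"bucket": bucket, "actor": actor, "grantee": group,
                             "permission": grant.get("Permission"), "form": "body"})

    # Header form: requestParameters.accessControlList.x-amz-grant-*
    headers = params.get("accessControlList", {})
    for header, permission in GRANT_HEADERS.items():
        value = headers.get(header)
        group = _public_group(str(value)) if value else None
        if group:
            findings.append({"bucket": bucket, "actor": actor, "grantee": group,
                             "permission": permission, "form": "header"})
    return findings


def scan_public_acls(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    findings = []
    for e in events:
        findings.extend(public_acl_grants(e))
    return findings


ACTOR = "arn:aws:iam::123456789012:user/example-user"  # constructed placeholder
SAMPLE_EVENTS = [
    # Console-style body with one owner grant and one public READ grant.
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userAgent": "[S3Console/0.4]", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"bucketName": "example-bucket",
        "AccessControlPolicy": {"AccessControlList": {"Grant": [
            {"Grantee": {"xsi:type": "CanonicalUser", "ID": "0123abcd"}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"xsi:type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]}}}},
    # CLI-style header granting WRITE_ACP to every authenticated AWS account.
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userAgent": "aws-cli/2.15.0", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"bucketName": "cli-bucket",
        "accessControlList": {
            "x-amz-grant-write-acp": "uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}}},
    # Single grant to the S3 log-delivery group: not a public group, no finding.
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userIdentity": {"arn": ACTOR},
     "requestParameters": {"bucketName": "log-bucket",
        "AccessControlPolicy": {"AccessControlList": {"Grant":
            {"Grantee": {"xsi:type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
             "Permission": "WRITE"}}}}},
]

if __name__ == "__main__":
    for finding in scan_public_acls(SAMPLE_EVENTS):
        print(finding)
```

Keeping the grantee group and the permission separate in each finding lets triage distinguish a public READ_ACP (leaks the ACL only) from a public WRITE or FULL_CONTROL, which the rules report identically.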

ASL AWS Defense Evasion Delete Cloudtrail

Description

This analytic identifies AWS DeleteTrail events within CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteTrail 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`

AWS Defense Evasion Stop Logging Cloudtrail

Description

This analytic identifies StopLogging events in CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may easily stop logging.

Detection logic

`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `aws_defense_evasion_stop_logging_cloudtrail_filter`

AWS Defense Evasion Delete Cloudtrail

Description

This analytic identifies AWS DeleteTrail events within CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`

AWS Lambda UpdateFunctionCode

Description

This analytic is designed to detect IAM users attempting to update or modify AWS Lambda function code via the AWS CLI to gain persistence, further access into your AWS environment, and to facilitate planting backdoors. In this instance, an attacker may upload malicious code or a binary to a Lambda function, which will be executed automatically when the function is triggered.

Detection logic

`cloudtrail` eventSource=lambda.amazonaws.com eventName=UpdateFunctionCode*  errorCode = success  user_type=IAMUser 
| stats  count min(_time) as firstTime max(_time) as lastTime  values(requestParameters.functionName) as function_updated by src_ip user_arn user_agent user_type eventName aws_account_id 
|`aws_lambda_updatefunctioncode_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `aws_create_policy_version_to_allow_all_resources_filter`
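The wildcard-action check from the rule above, reimplemented in Python over a constructed CreatePolicyVersion record, as an added example (not the page's or Splunk's own code). It applies the same regular expression as the SPL to every Action of every Allow statement, and handles the string-or-list forms IAM permits for Statement and Action. The policy ARN and document are constructed; the URL-decoding step is a precaution for deployments whose CloudTrail records carry the document percent-encoded, and is a no-op on plain JSON.

```python
"""Flag CreatePolicyVersion events whose new document contains an Allow
statement with a wildcard action ('*' or 'service:*'), mirroring the SPL
regex above (added example, not the page's own code)."""
import json
import re
from urllib.parse import unquote

# Same pattern the SPL rule applies to each statement's Action value.
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def _as_list(value):
    """IAM allows Statement and Action to be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_allow_statements(event):
    """Return the Allow statements of a successful CreatePolicyVersion event
    whose Action is '*' or 'service:*'; [] for any other event.
    CloudTrail omits errorCode on success, so its presence means failure."""
    if event.get("eventName") != "CreatePolicyVersion" or event.get("errorCode"):
        return []
    raw = event.get("requestParameters", {}).get("policyDocument", "")
    # The document is stored as a JSON string; decode it before parsing.
    doc = json.loads(unquote(raw)) if isinstance(raw, str) else raw
    flagged = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if any(WILDCARD_ACTION.match(a) for a in _as_list(stmt.get("Action"))):
            flagged.append(stmt)
    return flagged


# Constructed sample event (not real log data).
SAMPLE_EVENT = {
    "eventName": "CreatePolicyVersion",
    "eventSource": "iam.amazonaws.com",
    "requestParameters": {
        "policyArn": "arn:aws:iam::123456789012:policy/example-policy",
        "setAsDefault": True,
        "policyDocument": json.dumps({
            "Version": "2012-10-17",
            "Statement": [
                {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
                {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"},
                # A Deny with '*' is not over-permissive and is not flagged.
                {"Effect": "Deny", "Action": "*", "Resource": "*"},
            ],
        }),
    },
}


if __name__ == "__main__":
    for stmt in wildcard_allow_statements(SAMPLE_EVENT):
        print("wildcard Allow:", json.dumps(stmt))
```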

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the original victim (user A).

Detection logic

 `cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_createaccesskey_filter`

Detect New Open S3 buckets

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket.

Detection logic

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl 
| rex field=_raw "(?<json_field>{.+})" 
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} 
| search grantees=* 
| mvexpand grantees 
| spath input=grantees output=uri path=Grantee.URI 
| spath input=grantees output=permission path=Permission 
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") 
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") 
| rename requestParameters.bucketName AS bucketName 
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_filter` 

Detect New Open S3 Buckets over AWS CLI

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the AWS CLI.

Detection logic

`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") 
| rename requestParameters.bucketName AS bucketName 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_over_aws_cli_filter` 
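The two S3 rules above inspect the same PutBucketAcl call in the two shapes CloudTrail records it: a full AccessControlPolicy body (first rule) or the x-amz-grant-* header values the AWS CLI sends (second rule). This added Python example (not the page's or Splunk's own code) handles both shapes in one function over constructed events; bucket names, canonical IDs and header values are constructed. It goes slightly beyond the CLI rule by also treating x-amz-grant-read as a public grant, which that rule lists only among its output fields.

```python
"""Find PutBucketAcl calls that grant the AllUsers or AuthenticatedUsers
groups access, in both request shapes CloudTrail records (added example,
not the page's own code)."""

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
RISKY_PERMISSIONS = {"READ", "READ_ACP", "WRITE", "WRITE_ACP", "FULL_CONTROL"}
# CLI header name -> ACL permission it grants.
GRANT_HEADERS = {
    "x-amz-grant-read": "READ",
    "x-amz-grant-read-acp": "READ_ACP",
    "x-amz-grant-write": "WRITE",
    "x-amz-grant-write-acp": "WRITE_ACP",
    "x-amz-grant-full-control": "FULL_CONTROL",
}


def _as_list(value):
    """A single Grant is logged as an object, several as a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_acl_grants(event):
    """Return (bucket, group, permission) for every public grant in a
    PutBucketAcl event; [] for other events or private ACLs."""
    if (event.get("eventSource") != "s3.amazonaws.com"
            or event.get("eventName") != "PutBucketAcl"):
        return []
    params = event.get("requestParameters", {})
    bucket = params.get("bucketName")
    found = []
    # Shape 1: AccessControlPolicy body, as in the first rule's spath calls.
    acl = params.get("AccessControlPolicy", {}).get("AccessControlList", {})
    for grant in _as_list(acl.get("Grant")):
        uri = grant.get("Grantee", {}).get("URI")
        perm = grant.get("Permission")
        if uri in PUBLIC_GROUPS and perm in RISKY_PERMISSIONS:
            found.append((bucket, uri.rsplit("/", 1)[-1], perm))
    # Shape 2: x-amz-grant-* headers with values like uri="http://.../AllUsers".
    headers = params.get("accessControlList", {})
    for header, perm in GRANT_HEADERS.items():
        value = headers.get(header, "")
        for group in PUBLIC_GROUPS:
            if group in value:
                found.append((bucket, group.rsplit("/", 1)[-1], perm))
    return found


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # Console/SDK style: full ACL body, one public READ grant.
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "requestParameters": {"bucketName": "example-bucket-a",
        "AccessControlPolicy": {"AccessControlList": {"Grant": [
            {"Grantee": {"xsi:type": "Group",
                         "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"},
            {"Grantee": {"xsi:type": "CanonicalUser", "ID": "0" * 64},
             "Permission": "FULL_CONTROL"}]}}}},
    # AWS CLI style: grant passed as a header.
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userAgent": "[aws-cli/2.15.0 ...]",
     "requestParameters": {"bucketName": "example-bucket-b",
        "accessControlList": {"x-amz-grant-write":
            'uri="http://acs.amazonaws.com/groups/global/AuthenticatedUsers"'}}},
    # Private ACL with a single Grant object: nothing to report.
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "requestParameters": {"bucketName": "example-bucket-c",
        "AccessControlPolicy": {"AccessControlList": {"Grant":
            {"Grantee": {"xsi:type": "CanonicalUser", "ID": "0" * 64},
             "Permission": "FULL_CONTROL"}}}}},
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        for bucket, group, perm in public_acl_grants(event):
            print(f"{bucket}: {group} granted {perm}")
```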

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile
| rename requestParameters.userName as new_login_profile
| table src_ip eventName new_login_profile userIdentity.userName
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin
| rename userIdentity.userName as new_login_profile
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`]
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade logging by deleting a log group in CloudWatch, which stops the delivery of logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade logging by deleting a log group in CloudWatch, which stops the delivery of logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion eventSource = iam.amazonaws.com errorCode = success
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{}
| spath input=key_policy_statements output=key_policy_action_1 path=Action
| spath input=key_policy_statements output=effect path=Effect
| search effect=Allow
| regex key_policy_action_1="^(\*|[\w-]+:\*)$"
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_create_policy_version_to_allow_all_resources_filter`
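The statement-level check this rule performs, re-implemented in Python as an added example (not code from the LoFP page or from the Splunk rule) so it can be exercised offline. It applies the rule's regex to every `Allow` statement's `Action`, and goes slightly beyond the SPL by normalising `Statement` and `Action` whether they arrive as a string, a list, or a single object. It assumes raw CloudTrail field names and that a missing `errorCode` means success (the rule's `errorCode = success` relies on the Splunk add-on's normalisation); the sample events are constructed.

```python
"""Flag CreatePolicyVersion events whose new policy allows a global or service-wide wildcard.

Added example, not the LoFP page's or the Splunk rule's own code. Assumes raw
CloudTrail field names; sample events below are constructed.
"""
import json
import re

# Same pattern the Splunk rule applies to key_policy_action_1:
# a bare "*" or "<service>:*" such as "iam:*" or "s3:*".
ALL_RESOURCES_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def _as_list(value):
    """Statement and Action may be a string, a list, or an object; treat all as a list."""
    if value is None:
        return []
    if isinstance(value, list):
        return value
    return [value]


def wildcard_allow_statements(policy_document):
    """Return the Allow statements whose Action contains a wildcard action.

    policy_document is the JSON text stored in requestParameters.policyDocument."""
    doc = json.loads(policy_document)
    hits = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if any(ALL_RESOURCES_ACTION.match(a) for a in actions if isinstance(a, str)):
            hits.append(stmt)
    return hits


def flag_create_policy_version_events(events):
    """Apply the rule's event filter and return (caller ARN, offending statements) per match."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "CreatePolicyVersion":
            continue
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        # Assumption: CloudTrail omits errorCode on success, so absence counts as success.
        if ev.get("errorCode", "success") != "success":
            continue
        stmts = wildcard_allow_statements(ev["requestParameters"]["policyDocument"])
        if stmts:
            findings.append((ev["userIdentity"]["arn"], stmts))
    return findings


def _event(user, policy_name, statements):
    """Build a constructed CreatePolicyVersion record (not real CloudTrail data)."""
    return {
        "eventName": "CreatePolicyVersion",
        "eventSource": "iam.amazonaws.com",
        "userIdentity": {"arn": f"arn:aws:iam::123456789012:user/{user}"},
        "requestParameters": {
            "policyArn": f"arn:aws:iam::123456789012:policy/{policy_name}",
            "setAsDefault": True,
            "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": statements}),
        },
    }


SAMPLE_EVENTS = [
    # Global wildcard: flagged.
    _event("example-dev", "ExamplePolicy",
           [{"Effect": "Allow", "Action": "*", "Resource": "*"}]),
    # Specific actions plus a Deny wildcard: not flagged (Deny is not a grant).
    _event("example-ops", "ReadOnlyLogs",
           [{"Effect": "Allow", "Action": ["logs:GetLogEvents", "logs:DescribeLogGroups"], "Resource": "*"},
            {"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]),
    # Service-wide wildcard buried in an action list: flagged.
    _event("example-ci", "Deployer",
           [{"Effect": "Allow", "Action": ["s3:GetObject", "iam:*"], "Resource": "*"}]),
]

if __name__ == "__main__":
    for arn, stmts in flag_create_policy_version_events(SAMPLE_EVENTS):
        print(arn, [s["Action"] for s in stmts])
```

Two of the three constructed events are reported. Note that the rule, and this re-implementation, look only at `Action`; a statement such as `Action: "s3:GetObject", Resource: "*"` is not a wildcard action and passes, even though it is broad on the resource side.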

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the old victim (user A).

Detection logic

`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_createaccesskey_filter`
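The "AWS CreateAccessKey" and "AWS UpdateLoginProfile" rules share one idea (the caller acts on a different IAM user than itself), and the "AWS CreateLoginProfile" rule above adds a second step (a later ConsoleLogin by the newly profiled user from the same source IP). Both checks re-implemented in Python as an added example, not code from the LoFP page or from the Splunk rules. It assumes raw CloudTrail field names (`userIdentity.userName`, `requestParameters.userName`, `sourceIPAddress`, `eventTime`) where the Splunk rules use the add-on's `src`/`src_ip`, and that a missing `errorCode` means success; the sample records are constructed.

```python
"""Cross-user credential changes and CreateLoginProfile -> ConsoleLogin correlation.

Added example, not the LoFP page's or the Splunk rules' own code. Assumes raw
CloudTrail field names; sample records below are constructed.
"""
from collections import defaultdict

CONSOLE_AGENT = "console.amazonaws.com"


def cross_user_credential_events(events, actions=("CreateAccessKey", "UpdateLoginProfile")):
    """Return (actor, target, eventName) where the caller changed another user's credentials.

    Mirrors `eval match=if(match(userIdentity.userName, requestParameters.userName),1,0)
    | search match=0` plus the non-console and success filters. Splunk's match() is a
    regex test; plain equality is used here because that is the intended comparison."""
    hits = []
    for ev in events:
        if ev.get("eventName") not in actions:
            continue
        if ev.get("userAgent") == CONSOLE_AGENT:
            continue
        # Assumption: CloudTrail omits errorCode on success, so absence counts as success.
        if ev.get("errorCode", "success") != "success":
            continue
        actor = ev.get("userIdentity", {}).get("userName")
        target = ev.get("requestParameters", {}).get("userName")
        if actor and target and actor != target:
            hits.append((actor, target, ev["eventName"]))
    return hits


def login_profile_then_console_login(events):
    """Pair each CreateLoginProfile with a later ConsoleLogin by the profiled user from the same IP.

    Returns (creator, target, source IP, first matching login time)."""
    logins = defaultdict(list)  # (userName, sourceIPAddress) -> [eventTime, ...]
    for ev in events:
        if ev.get("eventName") == "ConsoleLogin":
            key = (ev.get("userIdentity", {}).get("userName"), ev.get("sourceIPAddress"))
            logins[key].append(ev["eventTime"])
    findings = []
    for ev in events:
        if ev.get("eventName") != "CreateLoginProfile":
            continue
        creator = ev.get("userIdentity", {}).get("userName")
        target = ev.get("requestParameters", {}).get("userName")
        src = ev.get("sourceIPAddress")
        # eventTime is ISO-8601 UTC, so string comparison orders correctly.
        later = [t for t in logins.get((target, src), []) if t > ev["eventTime"]]
        if later:
            findings.append((creator, target, src, min(later)))
    return findings


def _rec(time, name, source, agent, actor, target, ip):
    """Build a constructed CloudTrail-style record (not real data)."""
    return {"eventTime": time, "eventName": name, "eventSource": source, "userAgent": agent,
            "userIdentity": {"userName": actor}, "requestParameters": {"userName": target} if target else {},
            "sourceIPAddress": ip}


SAMPLE_EVENTS = [
    # dev creates a key for admin from the CLI: cross-user, reported.
    _rec("2024-05-01T09:00:00Z", "CreateAccessKey", "iam.amazonaws.com", "aws-cli/2.15.0",
         "example-dev", "example-admin", "198.51.100.7"),
    # ops rotates its own key: same user, not reported.
    _rec("2024-05-01T09:01:00Z", "CreateAccessKey", "iam.amazonaws.com", "aws-cli/2.15.0",
         "example-ops", "example-ops", "198.51.100.8"),
    # helpdesk resets a password in the console: excluded by the user-agent filter.
    _rec("2024-05-01T09:02:00Z", "UpdateLoginProfile", "iam.amazonaws.com", CONSOLE_AGENT,
         "example-helpdesk", "example-user", "198.51.100.9"),
    # dev gives admin a console password, then "admin" logs in from the same IP.
    _rec("2024-05-01T09:10:00Z", "CreateLoginProfile", "iam.amazonaws.com", "aws-cli/2.15.0",
         "example-dev", "example-admin", "198.51.100.7"),
    _rec("2024-05-01T09:12:00Z", "ConsoleLogin", "signin.amazonaws.com", "Mozilla/5.0",
         "example-admin", None, "198.51.100.7"),
]

if __name__ == "__main__":
    print(cross_user_credential_events(SAMPLE_EVENTS))
    print(login_profile_then_console_login(SAMPLE_EVENTS))
```

Passing `actions=("CreateAccessKey", "UpdateLoginProfile", "CreateLoginProfile")` widens the first check to the profile-creation call as well; the correlation function is what turns that single event into the two-step pattern the CreateLoginProfile rule describes, and it is the same source IP on both steps that separates an admin provisioning a colleague from a compromised identity using the new password itself.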

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`
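The search above extracts each statement of the submitted policy document, keeps the `Allow` statements, and flags an `Action` that is a bare `*` or `<service>:*` (note that the regex inspects `Action`, not `Resource`). The following Python example is added here to show the same check applied to a raw CloudTrail record; it is not part of the page or of the Splunk content it catalogues. It handles the two shapes IAM permits for `Statement` and `Action` (a single object or string versus a list), and it treats a present `errorCode` as failure because raw CloudTrail omits that field on success, where the Splunk add-on fills in `success`. The sample records are constructed.

```python
import json
import re

# Same pattern the rule applies with its `regex` command: a bare "*" or "<service>:*".
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def wildcard_allow_actions(policy_document):
    """Return the Allow actions in an IAM policy document that match the
    rule's wildcard pattern. Accepts the JSON string CloudTrail records in
    requestParameters.policyDocument or an already-decoded dict."""
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    statements = policy_document.get("Statement", [])
    if isinstance(statements, dict):      # IAM allows a single statement object
        statements = [statements]
    hits = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):      # Action may be a string or a list
            actions = [actions]
        hits.extend(a for a in actions if WILDCARD_ACTION.match(a))
    return hits


def flag_create_policy_version(event):
    """Apply the rule's event filters to one raw CloudTrail record and return
    the offending actions; an empty list means the record does not match."""
    if event.get("eventName") != "CreatePolicyVersion":
        return []
    if event.get("eventSource") != "iam.amazonaws.com":
        return []
    # Raw CloudTrail omits errorCode on success (the Splunk add-on fills in
    # "success"), so any errorCode here means the call failed.
    if "errorCode" in event:
        return []
    doc = event.get("requestParameters", {}).get("policyDocument")
    return wildcard_allow_actions(doc) if doc is not None else []


# Constructed sample records (not real CloudTrail data).
SAMPLE_EVENTS = [
    {
        "eventName": "CreatePolicyVersion",
        "eventSource": "iam.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "userName": "dev-user"},
        "requestParameters": {
            "policyArn": "arn:aws:iam::123456789012:policy/example-policy",
            "setAsDefault": True,
            "policyDocument": json.dumps({
                "Version": "2012-10-17",
                "Statement": [
                    {"Effect": "Allow", "Action": "*", "Resource": "*"},
                    {"Effect": "Allow", "Action": ["s3:GetObject", "iam:*"], "Resource": "*"},
                    {"Effect": "Deny", "Action": "*", "Resource": "*"},
                ],
            }),
        },
    },
    {   # Same document, but the call was denied: must not be flagged.
        "eventName": "CreatePolicyVersion",
        "eventSource": "iam.amazonaws.com",
        "errorCode": "AccessDenied",
        "requestParameters": {
            "policyDocument": json.dumps(
                {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
            ),
        },
    },
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.get("errorCode", "success"), flag_create_policy_version(ev))
```

The first sample yields `["*", "iam:*"]`: the `Deny` statement is skipped and `s3:GetObject` does not match the pattern. A `Resource: "*"` paired with a narrow action list is not flagged by this logic, which is worth knowing when tuning the rule.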

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the old victim (user A).

Detection logic

`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`
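The UpdateLoginProfile and CreateAccessKey searches above share one idea: a successful, non-console call in which `requestParameters.userName` is not the calling `userIdentity.userName`. Both express it as `match(userIdentity.userName, requestParameters.userName)`, an unanchored regex search of the target name inside the actor's name, so a target whose name is contained in the actor's name (`alice` inside `alice-admin`) is treated as self-service and suppressed, and regex metacharacters in the target name change what is matched; the ASL variant uses `=` and does not have this property. The Python example below is added here (not part of the page or the Splunk content it catalogues) to apply the same logic with an exact comparison to raw CloudTrail records and to show the substring case side by side. It treats a present `errorCode` as failure, since raw CloudTrail omits that field on success, and a missing target as a call on the caller itself, which is how CreateAccessKey behaves when `UserName` is omitted. The sample records are constructed.

```python
import re

CONSOLE_USER_AGENT = "console.amazonaws.com"
CROSS_USER_EVENTS = {"CreateAccessKey", "UpdateLoginProfile"}


def regex_match_suppresses(actor, target):
    """Mirror of the rules' match(userIdentity.userName, requestParameters.userName):
    an unanchored regex search of the target name inside the actor name. A target
    whose name is contained in the actor's name is treated as a self-service call,
    and regex metacharacters in the target name change what is matched."""
    return re.search(target, actor) is not None


def is_cross_user_credential_change(event):
    """Exact-comparison version of the two rules applied to one raw CloudTrail
    record: flag a successful, non-console CreateAccessKey or UpdateLoginProfile
    whose target user is not the calling user."""
    if event.get("eventName") not in CROSS_USER_EVENTS:
        return False
    if event.get("userAgent") == CONSOLE_USER_AGENT:
        return False
    if "errorCode" in event:          # raw CloudTrail omits errorCode on success
        return False
    target = event.get("requestParameters", {}).get("userName")
    if target is None:                # CreateAccessKey acts on the caller when UserName is omitted
        return False
    actor = event.get("userIdentity", {}).get("userName")
    if actor is None:                 # e.g. an assumed role: never the same IAM user as the target
        return True
    return actor != target


def _event(name, actor, target, user_agent="aws-cli/2.15.0 Python/3.11.6", error_code=None):
    """Build a constructed CloudTrail-shaped record (not real data)."""
    ev = {
        "eventName": name,
        "eventSource": "iam.amazonaws.com",
        "userAgent": user_agent,
        "userIdentity": {"type": "IAMUser", "userName": actor},
        "requestParameters": {"userName": target},
    }
    if error_code:
        ev["errorCode"] = error_code
    return ev


# Constructed samples covering the cases the rules' filters distinguish.
SAMPLE_EVENTS = {
    "cross_user": _event("CreateAccessKey", "helpdesk", "admin-user"),
    "substring": _event("CreateAccessKey", "alice-admin", "alice"),
    "self_service": _event("UpdateLoginProfile", "bob", "bob"),
    "console": _event("UpdateLoginProfile", "helpdesk", "admin-user", user_agent=CONSOLE_USER_AGENT),
    "denied": _event("CreateAccessKey", "helpdesk", "admin-user", error_code="AccessDenied"),
}

if __name__ == "__main__":
    for label, ev in SAMPLE_EVENTS.items():
        print(f"{label:13s} exact={is_cross_user_credential_change(ev)}")
    print("regex match suppresses alice-admin -> alice:", regex_match_suppresses("alice-admin", "alice"))
```

The `substring` sample is the one to watch: the exact comparison flags it, while the regex-style match returns true and would suppress it. Anchoring the pattern or using `=` in the search closes that gap.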

Detect New Open S3 buckets

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket.

Detection logic

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl 
| rex field=_raw "(?<json_field>{.+})" 
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} 
| search grantees=* 
| mvexpand grantees 
| spath input=grantees output=uri path=Grantee.URI 
| spath input=grantees output=permission path=Permission 
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") 
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") 
| rename requestParameters.bucketName AS bucketName 
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_filter` 

Detect New Open S3 Buckets over AWS CLI

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the AWS CLI.

Detection logic

`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") 
| rename requestParameters.bucketName AS bucketName 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_over_aws_cli_filter` 
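The two bucket-ACL searches above read the same misconfiguration from two request shapes: a full `AccessControlPolicy` in the request body, whose `Grant` list the first search walks with `spath` and `mvexpand`, and the `x-amz-grant-*` headers the AWS CLI sends, which the second search tests directly. The Python example below is added here (not part of the page or the Splunk content it catalogues) to apply both checks to raw CloudTrail records in one place. It also tests `x-amz-grant-read`, which the CLI search carries in its `stats` clause but not among its search terms, and it handles a single `Grant` serialised as an object rather than a list. The sample records are constructed.

```python
PUBLIC_GRANTEE_URIS = (
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
)
RISKY_PERMISSIONS = {"READ", "READ_ACP", "WRITE", "WRITE_ACP", "FULL_CONTROL"}

# Header form sent by `aws s3api put-bucket-acl --grant-*`: header name -> ACL permission.
GRANT_HEADERS = {
    "x-amz-grant-read": "READ",
    "x-amz-grant-read-acp": "READ_ACP",
    "x-amz-grant-write": "WRITE",
    "x-amz-grant-write-acp": "WRITE_ACP",
    "x-amz-grant-full-control": "FULL_CONTROL",
}


def public_grants(event):
    """Return (bucket, grantee_uri, permission) for every grant to AllUsers or
    AuthenticatedUsers in a PutBucketAcl record, whether the ACL arrived as an
    AccessControlPolicy body or as x-amz-grant-* headers."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") != "PutBucketAcl":
        return []
    params = event.get("requestParameters", {})
    bucket = params.get("bucketName")
    found = []

    # Form 1: ACL in the request body (the path the first search reads with spath).
    grants = params.get("AccessControlPolicy", {}).get("AccessControlList", {}).get("Grant", [])
    if isinstance(grants, dict):      # a single Grant is serialised as an object, not a list
        grants = [grants]
    for grant in grants:
        uri = grant.get("Grantee", {}).get("URI")
        permission = grant.get("Permission")
        if uri in PUBLIC_GRANTEE_URIS and permission in RISKY_PERMISSIONS:
            found.append((bucket, uri, permission))

    # Form 2: ACL in x-amz-grant-* headers; values look like "uri=http://acs.amazonaws.com/...".
    headers = params.get("accessControlList", {})
    for header, permission in GRANT_HEADERS.items():
        value = headers.get(header, "")
        for uri in PUBLIC_GRANTEE_URIS:
            if uri in value:
                found.append((bucket, uri, permission))
    return found


# Constructed sample records (not real CloudTrail data).
SAMPLE_EVENTS = [
    {   # Body form: owner keeps FULL_CONTROL, public READ added.
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "userAgent": "[S3Console/0.4]",
        "requestParameters": {
            "bucketName": "example-bucket",
            "AccessControlPolicy": {"AccessControlList": {"Grant": [
                {"Grantee": {"type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
                 "Permission": "FULL_CONTROL"},
                {"Grantee": {"type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                 "Permission": "READ"},
            ]}},
        },
    },
    {   # Header form, as the AWS CLI sends it.
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "userAgent": "[aws-cli/2.15.0 Python/3.11.6]",
        "requestParameters": {
            "bucketName": "example-bucket-2",
            "accessControlList": {
                "x-amz-grant-read": "uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
        },
    },
    {   # Benign: a single grant to the S3 log-delivery group.
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "requestParameters": {
            "bucketName": "example-logs",
            "AccessControlPolicy": {"AccessControlList": {"Grant":
                {"Grantee": {"type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
                 "Permission": "WRITE"}}},
        },
    },
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["requestParameters"]["bucketName"], public_grants(ev))
```

Both public-group URIs are matched by substring in the header form because CloudTrail records the header value as `uri=<URI>`, which is what the CLI search's `*AllUsers` / `*AuthenticatedUsers` wildcards rely on as well.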

ASL AWS Defense Evasion Delete Cloudtrail

Description

This analytic identifies AWS DeleteTrail events within CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteTrail 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`

AWS Defense Evasion Stop Logging Cloudtrail

Description

This analytic identifies StopLogging events in CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may easily stop logging.

Detection logic

`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `aws_defense_evasion_stop_logging_cloudtrail_filter`

AWS Defense Evasion Delete Cloudtrail

Description

This analytic identifies AWS DeleteTrail events within CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A who has already permission to update login profile, makes an API call to update login profile for another user B . Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B)

Detection logic

 `cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A wide-open AWS IAM policy, especially one introduced as a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are risky because they can grant more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `aws_create_policy_version_to_allow_all_resources_filter`
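The statement check the search performs, as an added Python example (not the project's own code) that applies the same regular expression to each Allow statement of a constructed CreatePolicyVersion event. It goes slightly beyond the search in accepting Action as a string or a list and Statement as a single object or a list; the policy ARN and account id are placeholders.

```python
import json
import re

# Same pattern the SPL `regex` command applies to each statement's Action:
# a bare "*" or a service-wide wildcard such as "iam:*".
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def wildcard_allow_actions(policy_document):
    """Return the Action values of Allow statements that grant a full or
    service-wide wildcard.  Takes the policyDocument as a JSON string (as
    CloudTrail records it under requestParameters) or an already-parsed
    dict; Statement may be an object or a list, Action a string or a list."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    hits = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        hits.extend(action for action in actions if WILDCARD_ACTION.match(action))
    return hits


def detect_policy_version_allow_all(event):
    """Apply the search's event filters, then inspect the policy document.
    An absent errorCode is treated as success because CloudTrail omits the
    field on successful calls."""
    if event.get("eventName") != "CreatePolicyVersion":
        return []
    if event.get("eventSource") != "iam.amazonaws.com":
        return []
    if event.get("errorCode", "success") != "success":
        return []
    return wildcard_allow_actions(event["requestParameters"]["policyDocument"])


# Constructed sample event; the account id, policy ARN and user are placeholders.
SAMPLE_EVENT = {
    "eventName": "CreatePolicyVersion",
    "eventSource": "iam.amazonaws.com",
    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
    "requestParameters": {
        "policyArn": "arn:aws:iam::123456789012:policy/app-policy",
        "setAsDefault": True,
        "policyDocument": json.dumps({
            "Version": "2012-10-17",
            "Statement": [
                # scoped action: not reported
                {"Effect": "Allow", "Action": ["s3:GetObject"],
                 "Resource": "arn:aws:s3:::app-bucket/*"},
                # full wildcard: reported
                {"Effect": "Allow", "Action": "*", "Resource": "*"},
                # service wildcard, but a Deny: not reported
                {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
                # list with one service wildcard: only lambda:* is reported
                {"Effect": "Allow", "Action": ["ec2:Describe*", "lambda:*"],
                 "Resource": "*"},
            ],
        }),
    },
}


if __name__ == "__main__":
    print(detect_policy_version_allow_all(SAMPLE_EVENT))
```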

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without further interaction, they can be particularly appealing to bad actors looking to operate under the radar. Consequently, it is important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who do not typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the old victim (user A).

Detection logic

`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without further interaction, they can be particularly appealing to bad actors looking to operate under the radar. Consequently, it is important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who do not typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_createaccesskey_filter`
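The self-versus-other check shared by the UpdateLoginProfile and CreateAccessKey searches above, as an added Python example run over constructed CloudTrail-style events (example code, not the project's own). It compares user names exactly rather than with the SPL match() regex, so a caller whose name merely contains the target's name is still reported; the account id, user names and addresses are placeholders.

```python
MONITORED_EVENTS = {"CreateAccessKey", "UpdateLoginProfile"}


def other_user_credential_change(event):
    """Return a finding when the caller changes credentials of a different
    IAM user, applying the same filters as the two searches: non-console
    userAgent, successful call, requestParameters.userName different from
    userIdentity.userName.  The comparison is exact, unlike the SPL
    match() regex, so 'alice-admin' acting on 'alice' is still reported.
    An absent errorCode is treated as success because CloudTrail omits the
    field on successful calls."""
    if event.get("eventName") not in MONITORED_EVENTS:
        return None
    if event.get("userAgent") == "console.amazonaws.com":
        return None
    if event.get("errorCode", "success") != "success":
        return None
    identity = event.get("userIdentity", {})
    actor = identity.get("userName")
    target = event.get("requestParameters", {}).get("userName")
    # CreateAccessKey without a userName parameter acts on the caller's own user.
    if target is None or actor == target:
        return None
    return {
        "eventName": event["eventName"],
        # Role sessions carry no userName; fall back to the session ARN.
        "actor": actor or identity.get("arn"),
        "target_user": target,
        "src": event.get("sourceIPAddress"),
    }


def scan(events):
    """Run the check over a list of events and keep the findings."""
    return [f for f in (other_user_credential_change(e) for e in events) if f]


CLI_AGENT = "aws-cli/2.15.0 Python/3.11.6"

# Constructed sample events written for this example, not real records.
EVENTS = [
    # reported: alice creates a key for bob from the CLI
    {"eventName": "CreateAccessKey", "userAgent": CLI_AGENT,
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "bob"}},
    # not reported: bob creates his own key
    {"eventName": "CreateAccessKey", "userAgent": CLI_AGENT,
     "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"userName": "bob"}},
    # not reported: console activity is outside the searches' scope
    {"eventName": "UpdateLoginProfile", "userAgent": "console.amazonaws.com",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "bob"}},
    # not reported: the call failed
    {"eventName": "CreateAccessKey", "userAgent": CLI_AGENT,
     "sourceIPAddress": "203.0.113.10", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "dave"}},
    # reported: exact comparison catches the prefix case SPL match() would suppress
    {"eventName": "UpdateLoginProfile", "userAgent": "Boto3/1.34.0",
     "sourceIPAddress": "203.0.113.12",
     "userIdentity": {"type": "IAMUser", "userName": "alice-admin"},
     "requestParameters": {"userName": "alice"}},
    # reported: an assumed role (no userName) creates a key for carol
    {"eventName": "CreateAccessKey", "userAgent": CLI_AGENT,
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/deploy/session"},
     "requestParameters": {"userName": "carol"}},
]


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```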

Detect New Open S3 buckets

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket.

Detection logic

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl 
| rex field=_raw "(?<json_field>{.+})" 
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} 
| search grantees=* 
| mvexpand grantees 
| spath input=grantees output=uri path=Grantee.URI 
| spath input=grantees output=permission path=Permission 
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") 
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") 
| rename requestParameters.bucketName AS bucketName 
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_filter` 

Detect New Open S3 Buckets over AWS CLI

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the AWS CLI.

Detection logic

`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") 
| rename requestParameters.bucketName AS bucketName 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_over_aws_cli_filter` 
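The public-grantee check behind this search and the preceding Detect New Open S3 buckets search, as an added Python example (not the project's own code) that handles both shapes CloudTrail records for PutBucketAcl: an AccessControlPolicy body and the x-amz-grant-* headers the CLI sends. It goes a little beyond the CLI search by also treating x-amz-grant-read as a public grant; the bucket names and user agent strings are constructed.

```python
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
RISKY_PERMISSIONS = {"READ", "READ_ACP", "WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Header-style grants (recorded under requestParameters.accessControlList).
GRANT_HEADERS = {
    "x-amz-grant-read": "READ",
    "x-amz-grant-read-acp": "READ_ACP",
    "x-amz-grant-write": "WRITE",
    "x-amz-grant-write-acp": "WRITE_ACP",
    "x-amz-grant-full-control": "FULL_CONTROL",
}


def public_bucket_grants(event):
    """Return the grants in a PutBucketAcl event that give AllUsers or
    AuthenticatedUsers any risky permission, from either request shape."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return []
    if event.get("eventName") != "PutBucketAcl":
        return []
    params = event.get("requestParameters", {})
    bucket = params.get("bucketName")
    found = []

    # Shape 1: XML body, recorded as AccessControlPolicy -> AccessControlList -> Grant.
    grants = params.get("AccessControlPolicy", {}).get("AccessControlList", {}).get("Grant", [])
    if isinstance(grants, dict):  # a single grant is recorded as an object, not a list
        grants = [grants]
    for grant in grants:
        uri = grant.get("Grantee", {}).get("URI")
        permission = grant.get("Permission")
        if uri in PUBLIC_GRANTEES and permission in RISKY_PERMISSIONS:
            found.append({"bucket": bucket, "grantee": uri, "permission": permission})

    # Shape 2: header grants such as "uri=http://acs.amazonaws.com/groups/global/AllUsers",
    # possibly several grantees separated by commas.
    headers = params.get("accessControlList", {})
    for header, permission in GRANT_HEADERS.items():
        for part in headers.get(header, "").split(","):
            key, _, uri = part.strip().partition("=")
            if key == "uri" and uri in PUBLIC_GRANTEES:
                found.append({"bucket": bucket, "grantee": uri, "permission": permission})
    return found


# Constructed sample events written for this example, not real records.
EVENTS = [
    # console/SDK body: owner keeps FULL_CONTROL (fine), AllUsers gets READ (reported)
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userAgent": "[S3Console/0.4]",
     "requestParameters": {"bucketName": "public-data", "AccessControlPolicy": {
         "AccessControlList": {"Grant": [
             {"Grantee": {"type": "CanonicalUser", "ID": "owner-id-placeholder"},
              "Permission": "FULL_CONTROL"},
             {"Grantee": {"type": "Group",
                          "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
              "Permission": "READ"},
         ]}}}},
    # CLI header grant: AuthenticatedUsers may rewrite the ACL (reported)
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userAgent": "[aws-cli/2.15.0 Python/3.11.6]",
     "requestParameters": {"bucketName": "cli-bucket", "accessControlList": {
         "x-amz-grant-write-acp":
             "uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}}},
    # single-grant body for a specific canonical user: nothing public
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userAgent": "[S3Console/0.4]",
     "requestParameters": {"bucketName": "private-bucket", "AccessControlPolicy": {
         "AccessControlList": {"Grant": {
             "Grantee": {"type": "CanonicalUser", "ID": "owner-id-placeholder"},
             "Permission": "FULL_CONTROL"}}}}},
]


if __name__ == "__main__":
    for event in EVENTS:
        for grant in public_bucket_grants(event):
            print(grant)
```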

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`
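The regex in the rule above catches only a bare "*" or a service-wide "service:*" action, only in Allow statements, and it has to look inside requestParameters.policyDocument, which CloudTrail stores as a JSON string. The Python below is an added example (not part of this page or of the Splunk content it catalogues) that re-implements the rule over constructed CloudTrail events, including the cases the rule deliberately skips (Deny statements, failed calls) and the setAsDefault flag that makes the new version take effect immediately. The account ID, user and policy names are made up.

```python
import json
import re

# Same pattern as the rule's regex: a bare "*" or a service-wide "<service>:*".
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def _as_list(value):
    """IAM allows Statement/Action to be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_allow_statements(policy_document):
    """Return the Allow statements of an IAM policy that grant a wildcard action."""
    if isinstance(policy_document, str):
        # CloudTrail serialises requestParameters.policyDocument as a JSON string.
        policy_document = json.loads(policy_document)
    hits = []
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if any(WILDCARD_ACTION.match(a) for a in _as_list(stmt.get("Action"))):
            hits.append(stmt)
    return hits


def detect_create_policy_version(events):
    """Successful CreatePolicyVersion calls whose new version has an Allow
    statement with a wildcard action. Returns one finding per event."""
    findings = []
    for ev in events:
        if (ev.get("eventName"), ev.get("eventSource")) != ("CreatePolicyVersion", "iam.amazonaws.com"):
            continue
        # Raw CloudTrail omits errorCode on success; Splunk's add-on fills in "success".
        if ev.get("errorCode") not in (None, "success"):
            continue
        params = ev.get("requestParameters") or {}
        stmts = wildcard_allow_statements(params.get("policyDocument") or "{}")
        if not stmts:
            continue
        findings.append({
            "policyArn": params.get("policyArn"),
            "setAsDefault": bool(params.get("setAsDefault")),
            "user_arn": (ev.get("userIdentity") or {}).get("arn"),
            "wildcard_actions": sorted(
                a for s in stmts for a in _as_list(s.get("Action"))
                if WILDCARD_ACTION.match(a)),
        })
    return findings


def _event(statements, set_default=True, error=None):
    """Build a constructed CloudTrail event for the samples below (not real data)."""
    ev = {
        "eventName": "CreatePolicyVersion",
        "eventSource": "iam.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-alice"},
        "requestParameters": {
            "policyArn": "arn:aws:iam::111122223333:policy/app-policy",
            "setAsDefault": set_default,
            "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": statements}),
        },
    }
    if error:
        ev["errorCode"] = error
    return ev


SAMPLE_EVENTS = [
    # new default version granting every action on every resource
    _event([{"Effect": "Allow", "Action": "*", "Resource": "*"}]),
    # service-wide wildcard buried in a list of otherwise narrow actions
    _event([{"Effect": "Allow", "Action": ["s3:GetObject", "iam:*"], "Resource": "*"}]),
    # narrow grant: not flagged
    _event([{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-data/*"}]),
    # wildcard in a Deny statement: not flagged
    _event([{"Effect": "Deny", "Action": "*", "Resource": "*"}]),
    # the call failed, so no version was created: not flagged
    _event([{"Effect": "Allow", "Action": "*", "Resource": "*"}], error="AccessDenied"),
]

if __name__ == "__main__":
    for finding in detect_create_policy_version(SAMPLE_EVENTS):
        print(finding)
```

Partial wildcards such as iam:Create* or an Allow written with NotAction pass this check unnoticed, exactly as they pass the rule's regex; if that matters in your environment, widen WILDCARD_ACTION or evaluate the new version with the IAM policy simulator before deciding.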

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys are legitimately used by developers and administrators for API access, their creation can also indicate malicious activity: attackers who have gained unauthorized access to an AWS environment might create access keys to establish persistence or to exfiltrate data through the APIs. Because access keys authenticate to AWS services without any further interaction, they are particularly appealing to bad actors looking to operate under the radar, so access key creation events should be scrutinized, especially when they are associated with unusual activity or are created by users who do not typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile (console password) of another user B. Attackers are known to use this technique for privilege escalation when the new victim (user B) has more permissions than the already-compromised user A.

Detection logic

`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys are legitimately used by developers and administrators for API access, their creation can also indicate malicious activity: attackers who have gained unauthorized access to an AWS environment might create access keys to establish persistence or to exfiltrate data through the APIs. Because access keys authenticate to AWS services without any further interaction, they are particularly appealing to bad actors looking to operate under the radar, so access key creation events should be scrutinized, especially when they are associated with unusual activity or are created by users who do not typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`
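The ASL AWS CreateAccessKey, AWS UpdateLoginProfile and AWS CreateAccessKey rules above share one idea: flag the call when the caller (userIdentity.userName in CloudTrail, identity.user.name in the OCSF records Security Lake produces) is not the user whose credential is being changed. The example below is added here and is not the Splunk content's own code. It normalises both record shapes, rebuilding the OCSF unmapped key/value list the way the ASL rule's rename/mvzip/mvexpand/rex chain does, and then compares the two names exactly. The SPL rules use match(), whose second argument is treated as a regular expression, so an actor whose name contains the target's name is silently suppressed; the exact comparison avoids that. All records are constructed, and the OCSF unmapped key follows the field name the ASL rule searches on.

```python
# IAM calls whose target user is carried in the request/response, not in the caller identity.
CREDENTIAL_OPS = {"CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile"}
CONSOLE_UA = "console.amazonaws.com"


def flatten_unmapped(record):
    """Turn an OCSF `unmapped` list of {key, value} pairs into a dict. This mirrors
    the rename/mvzip/mvexpand/rex/eval {key}=value steps of the ASL rule."""
    return {item["key"]: item["value"] for item in record.get("unmapped", [])}


def _cloudtrail_actor_target(ev):
    ident = ev.get("userIdentity") or {}
    # Role sessions carry no userName; fall back to the ARN so they are not
    # silently dropped (a role changing a user's credential is still cross-user).
    actor = ident.get("userName") or ident.get("arn")
    target = (ev.get("requestParameters") or {}).get("userName")
    return actor, target


def _asl_actor_target(rec):
    actor = ((rec.get("identity") or {}).get("user") or {}).get("name")
    extra = flatten_unmapped(rec)
    target = extra.get("responseElements.accessKey.userName") or extra.get("requestParameters.userName")
    return actor, target


def cross_user_credential_events(records):
    """Return (operation, actor, target, source) for successful, non-console
    credential changes where the caller is not the affected user."""
    findings = []
    for rec in records:
        if "eventName" in rec:                               # CloudTrail shape
            op, ua = rec.get("eventName"), rec.get("userAgent", "")
            ok = rec.get("errorCode") in (None, "success")   # absent on success in raw logs
            actor, target = _cloudtrail_actor_target(rec)
            source = "cloudtrail"
        else:                                                # ASL / OCSF shape
            api = rec.get("api") or {}
            op = api.get("operation")
            ua = (rec.get("http_request") or {}).get("user_agent", "")
            ok = (api.get("response") or {}).get("error") is None
            actor, target = _asl_actor_target(rec)
            source = "asl"
        if op not in CREDENTIAL_OPS or not ok or ua == CONSOLE_UA:
            continue
        if actor is None or target is None:
            continue
        # Exact comparison on purpose: SPL match(actor, target) treats the target
        # name as a regex, so actor "bob-admin" vs target "bob" counts as a match
        # and the event is wrongly suppressed.
        if actor != target:
            findings.append((op, actor, target, source))
    return findings


def _ct(op, actor, target, ua="aws-cli/2.15.0 Python/3.11.6", error=None):
    """Constructed CloudTrail event (not real data)."""
    ev = {"eventName": op, "eventSource": "iam.amazonaws.com", "userAgent": ua,
          "userIdentity": {"type": "IAMUser", "userName": actor,
                           "arn": f"arn:aws:iam::111122223333:user/{actor}"},
          "requestParameters": {"userName": target}}
    if error:
        ev["errorCode"] = error
    return ev


SAMPLE_RECORDS = [
    _ct("CreateAccessKey", "dev-alice", "admin-bob"),                    # flagged
    _ct("CreateAccessKey", "dev-alice", "dev-alice"),                    # self key rotation
    _ct("UpdateLoginProfile", "bob-admin", "bob"),                       # flagged; SPL match() misses it
    _ct("CreateLoginProfile", "dev-alice", "admin-bob", ua=CONSOLE_UA),  # console: excluded by the rules
    _ct("CreateAccessKey", "dev-alice", "admin-bob", error="AccessDenied"),
    {   # constructed ASL/OCSF record; the target name only survives in `unmapped`
        "api": {"operation": "CreateAccessKey", "service": {"name": "iam.amazonaws.com"}, "response": {}},
        "http_request": {"user_agent": "Boto3/1.34.0"},
        "identity": {"user": {"name": "deploy-svc", "type": "IAMUser"}},
        "unmapped": [{"key": "responseElements.accessKey.userName", "value": "admin-bob"}],
    },
]

if __name__ == "__main__":
    for hit in cross_user_credential_events(SAMPLE_RECORDS):
        print(hit)
```

The console exclusion is inherited from the rules and is a conscious trade-off: it keeps administrators who reset passwords from the IAM console out of the results, but it also means an attacker who has obtained console access and creates keys there goes unreported, so review the console path separately if that is a realistic scenario for you.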

Detect New Open S3 buckets

Description

This search looks for AWS CloudTrail PutBucketAcl events where a user granted READ, READ_ACP, WRITE, WRITE_ACP or FULL_CONTROL on a bucket to the AllUsers or AuthenticatedUsers predefined group, that is, made the bucket open/public.

Detection logic

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl 
| rex field=_raw "(?<json_field>{.+})" 
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} 
| search grantees=* 
| mvexpand grantees 
| spath input=grantees output=uri path=Grantee.URI 
| spath input=grantees output=permission path=Permission 
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") 
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") 
| rename requestParameters.bucketName AS bucketName 
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_filter` 

Detect New Open S3 Buckets over AWS CLI

Description

This search looks for AWS CloudTrail PutBucketAcl events where a user made a bucket open/public over the AWS CLI. With the CLI's --grant-* flags the grants arrive as x-amz-grant-* headers under requestParameters.accessControlList rather than as an AccessControlPolicy body, so they are matched directly on the header values.

Detection logic

`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl (requestParameters.accessControlList.x-amz-grant-read IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")) 
| rename requestParameters.bucketName AS bucketName 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_over_aws_cli_filter` 
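The two S3 rules above look for the same thing in two different CloudTrail shapes: the XML body of a PutBucketAcl call, which CloudTrail parses into requestParameters.AccessControlPolicy.AccessControlList.Grant, and the x-amz-grant-* headers that the CLI's --grant-* flags produce. The example below is added here and is not part of the page or of the Splunk content; it handles both shapes in one pass and, going beyond the two rules, also decodes canned ACLs (--acl public-read and friends), which neither rule sees. The requestParameters.x-amz-acl field path used for the canned case is an assumption, and all events are constructed.

```python
import re

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# x-amz-grant-* header -> the ACL permission it confers (CLI --grant-* flags)
HEADER_PERMS = {
    "x-amz-grant-read": "READ",
    "x-amz-grant-read-acp": "READ_ACP",
    "x-amz-grant-write": "WRITE",
    "x-amz-grant-write-acp": "WRITE_ACP",
    "x-amz-grant-full-control": "FULL_CONTROL",
}
# Canned ACLs (x-amz-acl / --acl) that the two rules on this page do not cover.
CANNED_PUBLIC = {
    "public-read": [("AllUsers", "READ")],
    "public-read-write": [("AllUsers", "READ"), ("AllUsers", "WRITE")],
    "authenticated-read": [("AuthenticatedUsers", "READ")],
}
# Header values look like: uri=http://acs.amazonaws.com/groups/global/AllUsers
URI_RE = re.compile(r'uri\s*=\s*"?(http://acs\.amazonaws\.com/groups/global/\w+)"?')


def _as_list(value):
    return value if isinstance(value, list) else ([] if value is None else [value])


def public_grants(event):
    """(bucket, group, permission) for every grant to a global group in one
    successful PutBucketAcl event, in whichever of the three request shapes it used."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") != "PutBucketAcl":
        return []
    if event.get("errorCode") not in (None, "success"):   # absent on success in raw CloudTrail
        return []
    params = event.get("requestParameters") or {}
    bucket = params.get("bucketName")
    found = []
    # 1. XML body, parsed by CloudTrail into AccessControlPolicy (console, SDK put_bucket_acl)
    acl = (params.get("AccessControlPolicy") or {}).get("AccessControlList") or {}
    for grant in _as_list(acl.get("Grant")):
        uri = (grant.get("Grantee") or {}).get("URI")
        if uri in PUBLIC_GROUPS:
            found.append((bucket, PUBLIC_GROUPS[uri], grant.get("Permission")))
    # 2. x-amz-grant-* headers (aws s3api put-bucket-acl --grant-read ...)
    headers = params.get("accessControlList") or {}
    for header, perm in HEADER_PERMS.items():
        for uri in URI_RE.findall(headers.get(header, "")):
            if uri in PUBLIC_GROUPS:
                found.append((bucket, PUBLIC_GROUPS[uri], perm))
    # 3. canned ACL header; the "x-amz-acl" key under requestParameters is assumed
    for group, perm in CANNED_PUBLIC.get(params.get("x-amz-acl"), []):
        found.append((bucket, group, perm))
    return found


def detect_open_buckets(events):
    return [grant for ev in events for grant in public_grants(ev)]


def _put_acl(bucket, ua, **params):
    """Constructed CloudTrail PutBucketAcl event (not real data)."""
    return {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl", "userAgent": ua,
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"},
            "requestParameters": {"bucketName": bucket, **params}}


CLI_UA = "aws-cli/2.15.0 Python/3.11.6"
SAMPLE_EVENTS = [
    # console-style XML body: owner keeps FULL_CONTROL, AllUsers gains READ
    _put_acl("corp-backups", "[S3Console]", AccessControlPolicy={"AccessControlList": {"Grant": [
        {"Grantee": {"ID": "c1d2e3", "xsi:type": "CanonicalUser"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers", "xsi:type": "Group"},
         "Permission": "READ"}]}}),
    # CLI --grant-* headers: the read grant is to a canonical user, the write-acp grant is public
    _put_acl("build-artifacts", CLI_UA, accessControlList={
        "x-amz-grant-read": "id=c1d2e3",
        "x-amz-grant-write-acp": 'uri="http://acs.amazonaws.com/groups/global/AuthenticatedUsers"'}),
    # CLI --acl public-read-write (canned ACL, missed by both rules)
    _put_acl("logs-public", CLI_UA, **{"x-amz-acl": "public-read-write"}),
    # owner-only grant: not flagged
    _put_acl("private-data", CLI_UA, accessControlList={"x-amz-grant-full-control": "id=c1d2e3"}),
]

if __name__ == "__main__":
    for hit in detect_open_buckets(SAMPLE_EVENTS):
        print(hit)
```

On a bucket with S3 Block Public Access enabled (the default for buckets created since April 2023, which also have ACLs disabled), a PutBucketAcl that grants AllUsers or AuthenticatedUsers is rejected, so a successful hit from either rule today usually means the public access block was removed first; pairing these searches with one on DeletePublicAccessBlock and PutPublicAccessBlock closes that gap.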

ASL AWS Defense Evasion Delete Cloudtrail

Description

This analytic identifies AWS DeleteTrail events within CloudTrail logs ingested through Amazon Security Lake. Adversaries often try to impair their target's defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activity in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteTrail 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`

AWS Defense Evasion Stop Logging Cloudtrail

Description

This analytic identifies StopLogging events in CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right permissions in the compromised AWS environment, a single StopLogging call on the trail is enough to stop logging.

Detection logic

`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `aws_defense_evasion_stop_logging_cloudtrail_filter`

AWS Defense Evasion Delete Cloudtrail

Description

This analytic identifies AWS DeleteTrail events within CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activity in the environment.

Detection logic

`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`

AWS Lambda UpdateFunctionCode

Description

This analytic is designed to detect IAM users attempting to update or modify AWS Lambda function code via the AWS CLI to gain persistence and further access into your AWS environment, and to facilitate planting backdoors. In this instance, an attacker may upload malicious code or a malicious binary to a Lambda function, which will then be executed automatically whenever the function is triggered.

Detection logic

`cloudtrail` eventSource=lambda.amazonaws.com eventName=UpdateFunctionCode*  errorCode = success  user_type=IAMUser 
| stats  count min(_time) as firstTime max(_time) as lastTime  values(requestParameters.functionName) as function_updated by src_ip user_arn user_agent user_type eventName aws_account_id 
|`aws_lambda_updatefunctioncode_filter`

AWS Defense Evasion Update Cloudtrail

Description

This analytic identifies UpdateTrail events in CloudTrail logs. Attackers may evade logging by updating a trail's settings with weaker parameters: for example, turning a multi-region trail into a single-region trail so that activity in the other regions is no longer logged, or disabling global service events or log file validation. When the adversary has the right permissions in the compromised AWS environment, they may update the settings of the CloudTrail trail that is logging activity in your environment.

Detection logic

`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`

AWS Password Policy Changes

Description

This search looks for AWS CloudTrail events where a user is making successful API calls to view, update or delete the AWS account's password policy. It is unlikely that a regular user performs these operations, so they may be malicious: adversaries read the password policy to understand the password defenses in place, and weaken it so that compromised or newly created user accounts are easier to abuse. Note that GetAccountPasswordPolicy is read-only and is routinely called by compliance scanners and AWS Config rules, so it is far noisier than the update and delete calls.

Detection logic

`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success 
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode  awsRegion userIdentity.principalId user_arn src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`  
| `aws_password_policy_changes_filter`

ASL AWS Password Policy Changes

Description

This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view, update or delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious: adversaries often use this information to gain a better understanding of the password defenses in place and exploit them to increase their attack surface once a user account is compromised.

Detection logic

`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `asl_aws_password_policy_changes_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A (victim A) creates a login profile for user B, followed by an AWS Console login event from user B from the same src_ip as the CreateLoginProfile call. This correlated pair of events can be indicative of privilege escalation, since both events happened from the same src_ip.

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`
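The correlation above, joining CreateLoginProfile and ConsoleLogin on the new user name and src_ip, can be checked offline against raw CloudTrail records. The following is an added example written for this page, not Splunk's or AWS's code; the event records are constructed samples. It goes slightly beyond the search above: it only counts successful console logins (responseElements.ConsoleLogin = Success) and requires the login to fall within a window after the profile was created, which removes the ordering ambiguity of a plain join.

```python
"""Correlate CreateLoginProfile with a later ConsoleLogin by the new user from the
same source address (added example; constructed sample data, raw CloudTrail field names)."""
import json
from datetime import datetime, timedelta

# Constructed sample CloudTrail records (not real data).
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-10T09:00:00Z", "eventName": "CreateLoginProfile",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "user-a"},
     "requestParameters": {"userName": "user-b", "passwordResetRequired": False}},
    # Failed login by user-b from the creator's address: not a successful login, ignored.
    {"eventTime": "2024-01-10T09:01:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "user-b"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    # Successful login by user-b from the same address three minutes later: finding.
    {"eventTime": "2024-01-10T09:03:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "user-b"},
     "responseElements": {"ConsoleLogin": "Success"}},
    # Same user, different address: no finding.
    {"eventTime": "2024-01-10T09:05:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "user-b"},
     "responseElements": {"ConsoleLogin": "Success"}},
    # Admin onboards a user who logs in days later from the same office address:
    # outside the default 24h window, so not a finding unless the window is widened.
    {"eventTime": "2024-01-10T10:00:00Z", "eventName": "CreateLoginProfile",
     "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "userName": "admin"},
     "requestParameters": {"userName": "new-hire", "passwordResetRequired": True}},
    {"eventTime": "2024-01-13T08:00:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "userName": "new-hire"},
     "responseElements": {"ConsoleLogin": "Success"}},
]


def parse_event_time(event):
    """CloudTrail eventTime is ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def correlate_login_profile_logins(events, window_hours=24):
    """Return one finding per (CreateLoginProfile, ConsoleLogin) pair where the user
    named in the new profile logged in successfully from the creating call's
    sourceIPAddress within window_hours after the profile was created."""
    window = timedelta(hours=window_hours)
    creates = [e for e in events
               if e.get("eventName") == "CreateLoginProfile" and not e.get("errorCode")]
    logins = [e for e in events
              if e.get("eventName") == "ConsoleLogin"
              and (e.get("responseElements") or {}).get("ConsoleLogin") == "Success"]
    findings = []
    for c in creates:
        new_user = (c.get("requestParameters") or {}).get("userName")
        creator = (c.get("userIdentity") or {}).get("userName")
        t_create = parse_event_time(c)
        for login in logins:
            if (login.get("userIdentity") or {}).get("userName") != new_user:
                continue
            if login.get("sourceIPAddress") != c.get("sourceIPAddress"):
                continue
            if not (t_create <= parse_event_time(login) <= t_create + window):
                continue
            findings.append({
                "creator": creator,
                "new_login_profile": new_user,
                "src_ip": c["sourceIPAddress"],
                "created_at": c["eventTime"],
                "logged_in_at": login["eventTime"],
            })
    return findings


if __name__ == "__main__":
    for finding in correlate_login_profile_logins(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

The window is the tuning knob for this rule's known false positive: an admin creating a profile and the new user logging in from the same office egress address will match if the window is wide enough, so keep it short and review the creator/new-user pair rather than alerting on the join alone.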

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`
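The spath/regex stages above extract each statement's Effect and Action from the new policy document and keep Allow statements whose action is a bare "*" or a whole-service "service:*". The following is an added example written for this page, not Splunk's or AWS's code, that applies the same pattern to raw CloudTrail records; the records are constructed samples. It also handles Action written as a list rather than a single string, which a policy author can do and which a single-path extraction may miss.

```python
"""Flag CreatePolicyVersion calls whose policy document contains an Allow statement
with a wildcard action (added example; constructed sample data)."""
import json
import re

# Same pattern as the regex stage of the search above: "*" or "service:*".
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def wildcard_allow_statements(policy_document):
    """Return the Allow statements whose Action (string or list) holds a wildcard."""
    if isinstance(policy_document, str):
        # CloudTrail records requestParameters.policyDocument as a JSON string.
        policy_document = json.loads(policy_document)
    statements = policy_document.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be written as an object
        statements = [statements]
    hits = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(WILDCARD_ACTION.match(a) for a in actions):
            hits.append(stmt)
    return hits


def find_wildcard_policy_versions(events):
    """Apply the check to CloudTrail records. Raw CloudTrail omits errorCode on a
    successful call (Splunk's errorCode=success is a normalised value), so a
    present errorCode means the call failed and the record is skipped."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        if ev.get("eventName") != "CreatePolicyVersion" or ev.get("errorCode"):
            continue
        params = ev.get("requestParameters") or {}
        hits = wildcard_allow_statements(params.get("policyDocument", "{}"))
        if not hits:
            continue
        actions = []
        for stmt in hits:
            a = stmt["Action"]
            actions.extend([a] if isinstance(a, str) else a)
        findings.append({
            "user_arn": (ev.get("userIdentity") or {}).get("arn"),
            "policy_arn": params.get("policyArn"),
            "wildcard_actions": sorted(x for x in actions if WILDCARD_ACTION.match(x)),
        })
    return findings


def _doc(statements):
    return json.dumps({"Version": "2012-10-17", "Statement": statements})


# Constructed sample CloudTrail records (not real data; account id is a placeholder).
_ACCOUNT = "111122223333"
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
     "userIdentity": {"arn": f"arn:aws:iam::{_ACCOUNT}:user/user-a"},
     "requestParameters": {"policyArn": f"arn:aws:iam::{_ACCOUNT}:policy/sample-admin",
                           "setAsDefault": True,
                           "policyDocument": _doc([{"Effect": "Allow", "Action": "*", "Resource": "*"}])}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
     "userIdentity": {"arn": f"arn:aws:iam::{_ACCOUNT}:user/user-a"},
     "requestParameters": {"policyArn": f"arn:aws:iam::{_ACCOUNT}:policy/sample-mixed",
                           "policyDocument": _doc([{"Effect": "Allow",
                                                    "Action": ["s3:GetObject", "iam:*"],
                                                    "Resource": "*"}])}},
    # Scoped action: benign.
    {"eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
     "userIdentity": {"arn": f"arn:aws:iam::{_ACCOUNT}:user/user-b"},
     "requestParameters": {"policyArn": f"arn:aws:iam::{_ACCOUNT}:policy/sample-reader",
                           "policyDocument": _doc([{"Effect": "Allow", "Action": "s3:GetObject",
                                                    "Resource": "*"}])}},
    # Deny with a wildcard is a guardrail, not an over-grant.
    {"eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
     "userIdentity": {"arn": f"arn:aws:iam::{_ACCOUNT}:user/user-b"},
     "requestParameters": {"policyArn": f"arn:aws:iam::{_ACCOUNT}:policy/sample-deny",
                           "policyDocument": _doc([{"Effect": "Deny", "Action": "*", "Resource": "*"}])}},
    # Denied attempt: errorCode present, skipped.
    {"eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
     "errorCode": "AccessDenied",
     "userIdentity": {"arn": f"arn:aws:iam::{_ACCOUNT}:user/user-c"},
     "requestParameters": {"policyArn": f"arn:aws:iam::{_ACCOUNT}:policy/sample-admin",
                           "policyDocument": _doc([{"Effect": "Allow", "Action": "*", "Resource": "*"}])}},
]

if __name__ == "__main__":
    for f in find_wildcard_policy_versions(SAMPLE_EVENTS):
        print(json.dumps(f))
```

Note what the pattern does not cover: an action such as "s3:Get*" is a wildcard too but does not match `^(\*|[\w-]+:\*)$`, and the search ignores NotAction and Resource entirely, so this rule catches the blunt "allow everything" case rather than every over-broad grant.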

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation in case the new victim (user B) has more permissions than the old victim (user A).

Detection logic

`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`
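The three searches above (ASL AWS CreateAccessKey, AWS UpdateLoginProfile and AWS CreateAccessKey) share one idea: the caller's user name is compared with the user named in the request, and only calls that touch a different user are kept. The following is an added example written for this page, not Splunk's or AWS's code, that applies that check to raw CloudTrail records (Security Lake uses different field names such as identity.user.name); the records are constructed samples. Two details it handles that the searches gloss over: CreateAccessKey's UserName parameter is optional and defaults to the caller, so a missing parameter is resolved from responseElements.accessKey.userName, and the comparison is an exact string match rather than a regex.

```python
"""Flag CreateAccessKey / UpdateLoginProfile calls that act on a user other than the
caller (added example; constructed sample data, raw CloudTrail field names)."""

CROSS_USER_EVENTS = {"CreateAccessKey", "UpdateLoginProfile"}


def target_user(event):
    """User the call acts on. CreateAccessKey's UserName is optional and defaults to
    the caller, so fall back to the owner recorded on the returned key."""
    name = (event.get("requestParameters") or {}).get("userName")
    if name is None and event.get("eventName") == "CreateAccessKey":
        name = ((event.get("responseElements") or {}).get("accessKey") or {}).get("userName")
    return name


def is_cross_user_credential_change(event):
    """True for a successful, non-console CreateAccessKey/UpdateLoginProfile call whose
    target user differs from the calling user (exact comparison)."""
    if event.get("eventName") not in CROSS_USER_EVENTS:
        return False
    if event.get("errorCode") or event.get("userAgent") == "console.amazonaws.com":
        return False
    target = target_user(event)
    if target is None:
        return False
    caller = (event.get("userIdentity") or {}).get("userName")
    return caller != target


def find_cross_user_credential_changes(events):
    """Return (caller, eventName, target, src_ip) for every flagged record."""
    return [((e.get("userIdentity") or {}).get("userName"), e["eventName"],
             target_user(e), e.get("sourceIPAddress"))
            for e in events if is_cross_user_credential_change(e)]


# Constructed sample CloudTrail records (not real data).
SAMPLE_EVENTS = [
    # user-a creates an access key for user-b: flagged.
    {"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "userAgent": "aws-cli/2.15.0", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "user-a"},
     "requestParameters": {"userName": "user-b"},
     "responseElements": {"accessKey": {"userName": "user-b", "status": "Active"}}},
    # user-b creates a key for itself without naming a user (API default): not flagged.
    {"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "userAgent": "aws-cli/2.15.0", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "user-b"},
     "requestParameters": None,
     "responseElements": {"accessKey": {"userName": "user-b", "status": "Active"}}},
    # user-c resets user-d's console password: flagged.
    {"eventName": "UpdateLoginProfile", "eventSource": "iam.amazonaws.com",
     "userAgent": "Boto3/1.34.0", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "user-c"},
     "requestParameters": {"userName": "user-d", "passwordResetRequired": False}},
    # Same action from the console: excluded, as in userAgent!=console.amazonaws.com above.
    {"eventName": "UpdateLoginProfile", "eventSource": "iam.amazonaws.com",
     "userAgent": "console.amazonaws.com", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "userName": "user-c"},
     "requestParameters": {"userName": "user-d", "passwordResetRequired": True}},
    # Denied attempt: excluded because errorCode is present.
    {"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "userAgent": "aws-cli/2.15.0", "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "user-e"},
     "requestParameters": {"userName": "user-f"}},
    # Caller name contains the target name: still flagged by an exact comparison.
    {"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "userAgent": "aws-cli/2.15.0", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "admin-user-b"},
     "requestParameters": {"userName": "user-b"},
     "responseElements": {"accessKey": {"userName": "user-b", "status": "Active"}}},
    # Unrelated read-only call.
    {"eventName": "ListUsers", "eventSource": "iam.amazonaws.com",
     "userAgent": "aws-cli/2.15.0", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "user-b"}},
]

if __name__ == "__main__":
    for row in find_cross_user_credential_changes(SAMPLE_EVENTS):
        print(row)
```

The last sample is why the comparison is exact: Splunk's match() treats its second argument as a regular expression that may match anywhere in the first, so a caller whose name contains the target's name would be scored as match=1 and dropped by the searches above; comparing the two strings for equality avoids that blind spot.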

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A wide-open AWS IAM policy, especially one introduced as a new policy version through the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`
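The same check replayed in Python over constructed CloudTrail records, as an added example that is not part of the LoFP page or the Splunk security content. It applies the rule's Action regex to each Allow statement and, beyond what the SPL spells out, handles Action as a string or a list and Statement as a single object or a list (both legal IAM JSON); the account ID and ARNs are placeholders.

```python
import json
import re

# Same pattern the SPL rule applies to each statement's Action:
# a bare "*" or a "<service>:*" wildcard.
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def wildcard_allow_statements(event):
    """Return the Allow statements of a successful CreatePolicyVersion event
    whose Action contains a wildcard; [] when the event does not qualify."""
    if event.get("eventName") != "CreatePolicyVersion":
        return []
    if event.get("eventSource") != "iam.amazonaws.com":
        return []
    # Raw CloudTrail omits errorCode on success; the Splunk add-on fills it
    # with "success", which is what the rule's errorCode=success matches.
    if event.get("errorCode", "success") != "success":
        return []
    doc = event.get("requestParameters", {}).get("policyDocument")
    if not doc:
        return []
    # CloudTrail carries the policy document as a JSON string inside the record
    policy = json.loads(doc) if isinstance(doc, str) else doc
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    hits = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(WILDCARD_ACTION.match(a) for a in actions):
            hits.append(st)
    return hits


def findings(events):
    """Mimic the rule's stats step: one row per (user_arn, policyArn) with the
    offending statements collected as policy_added."""
    rows = {}
    for ev in events:
        hits = wildcard_allow_statements(ev)
        if not hits:
            continue
        key = (ev.get("userIdentity", {}).get("arn"),
               ev.get("requestParameters", {}).get("policyArn"))
        row = rows.setdefault(key, {"count": 0, "policy_added": []})
        row["count"] += 1
        row["policy_added"].extend(hits)
    return rows


ACCOUNT = "123456789012"  # placeholder account ID for the constructed records
SAMPLE_EVENTS = [  # constructed records, not real CloudTrail data
    {   # admin-equivalent version: Allow * on * -> finding
        "eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com",
        "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
        "requestParameters": {
            "policyArn": f"arn:aws:iam::{ACCOUNT}:policy/app-policy",
            "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": "*", "Resource": "*"}]}),
            "setAsDefault": True},
    },
    {   # service wildcard inside an action list -> finding
        "eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com",
        "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
        "requestParameters": {
            "policyArn": f"arn:aws:iam::{ACCOUNT}:policy/app-policy",
            "policyDocument": json.dumps({"Statement": [
                {"Effect": "Allow", "Action": ["s3:*", "ec2:DescribeInstances"],
                 "Resource": "*"}]})},
    },
    {   # Deny with a wildcard, single statement object -> no finding
        "eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com",
        "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/bob"},
        "requestParameters": {
            "policyArn": f"arn:aws:iam::{ACCOUNT}:policy/ro-policy",
            "policyDocument": json.dumps({"Statement": {
                "Effect": "Deny", "Action": "*", "Resource": "*"}})},
    },
    {   # failed call -> excluded by the success filter
        "eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com",
        "errorCode": "AccessDenied",
        "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/bob"},
        "requestParameters": {
            "policyArn": f"arn:aws:iam::{ACCOUNT}:policy/ro-policy",
            "policyDocument": json.dumps({"Statement": [
                {"Effect": "Allow", "Action": "*", "Resource": "*"}]})},
    },
]
```

Note that the rule, despite its name, keys on a wildcard Action, not on the Resource element; a version with "Action": "s3:GetObject" and "Resource": "*" does not fire.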

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the old victim (user A).

Detection logic

`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`
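The three "actor changes another user's credentials" rules above (ASL AWS CreateAccessKey, AWS UpdateLoginProfile, AWS CreateAccessKey) share one core test. This added Python example, which is not from the LoFP page or the Splunk security content, applies it to both record shapes: raw CloudTrail, and Amazon Security Lake OCSF records whose CloudTrail-specific fields sit in the `unmapped` key/value list that the ASL rule flattens with mvzip/mvexpand/rex. It compares names exactly, where the two CloudTrail rules use SPL match() (a regex test of the target name against the actor name, which treats an actor "alice2" changing "alice" as a self-change); reading the target from `requestParameters.userName` for OCSF UpdateLoginProfile records is an assumption, and all sample records are constructed.

```python
CROSS_USER_APIS = {"CreateAccessKey", "UpdateLoginProfile"}
CONSOLE_AGENT = "console.amazonaws.com"  # the rules exclude console activity


def flatten_unmapped(record):
    """Turn the OCSF `unmapped` list ([{key, value}, ...]) into a dict, which
    is what the ASL rule's mvzip / mvexpand / rex / eval {key}=value chain
    achieves in SPL."""
    return {kv["key"]: kv["value"] for kv in record.get("unmapped", [])}


def normalize(record):
    """Reduce either record shape to (api, actor, target, user_agent, failed)."""
    if "api" in record:  # Amazon Security Lake (OCSF) shape
        extra = flatten_unmapped(record)
        api = record["api"].get("operation")
        actor = record.get("identity", {}).get("user", {}).get("name")
        # The ASL rule reads the target from responseElements.accessKey.userName.
        # Falling back to requestParameters.userName (for UpdateLoginProfile,
        # which returns no responseElements) is an assumption of this example.
        target = (extra.get("responseElements.accessKey.userName")
                  or extra.get("requestParameters.userName"))
        agent = record.get("http_request", {}).get("user_agent")
        failed = record["api"].get("response", {}).get("error") is not None
    else:  # raw CloudTrail shape
        api = record.get("eventName")
        actor = record.get("userIdentity", {}).get("userName")
        target = record.get("requestParameters", {}).get("userName")
        agent = record.get("userAgent")
        failed = "errorCode" in record  # CloudTrail omits errorCode on success
    return api, actor, target, agent, failed


def cross_user_changes(records):
    """Return (api, actor, target) for successful, non-console calls in which
    the actor changed a different user's credentials (exact name comparison)."""
    hits = []
    for record in records:
        api, actor, target, agent, failed = normalize(record)
        if api not in CROSS_USER_APIS or failed or agent == CONSOLE_AGENT:
            continue
        if actor and target and actor != target:
            hits.append((api, actor, target))
    return hits


SAMPLE_RECORDS = [  # constructed records, not real CloudTrail or ASL data
    {   # raw CloudTrail: alice creates a key for bob via the CLI -> hit
        "eventName": "CreateAccessKey", "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"userName": "alice"},
        "requestParameters": {"userName": "bob"},
    },
    {   # raw CloudTrail: bob rotates his own key -> self-change, not a hit
        "eventName": "CreateAccessKey", "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"userName": "bob"},
        "requestParameters": {"userName": "bob"},
    },
    {   # raw CloudTrail: denied attempt -> excluded by the success filter
        "eventName": "UpdateLoginProfile", "userAgent": "aws-cli/2.15.0",
        "errorCode": "AccessDenied",
        "userIdentity": {"userName": "alice"},
        "requestParameters": {"userName": "bob"},
    },
    {   # raw CloudTrail: same change from the console -> excluded by the rules
        "eventName": "UpdateLoginProfile", "userAgent": "console.amazonaws.com",
        "userIdentity": {"userName": "alice"},
        "requestParameters": {"userName": "bob"},
    },
    {   # Security Lake / OCSF: carol creates a key for dave -> hit
        "api": {"operation": "CreateAccessKey", "response": {"error": None}},
        "identity": {"user": {"name": "carol"}},
        "http_request": {"user_agent": "Boto3/1.34.0"},
        "unmapped": [
            {"key": "responseElements.accessKey.userName", "value": "dave"},
            {"key": "responseElements.accessKey.status", "value": "Active"},
        ],
    },
]
```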

Detect New Open S3 buckets

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket.

Detection logic

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl 
| rex field=_raw "(?<json_field>{.+})" 
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} 
| search grantees=* 
| mvexpand grantees 
| spath input=grantees output=uri path=Grantee.URI 
| spath input=grantees output=permission path=Permission 
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") 
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") 
| rename requestParameters.bucketName AS bucketName 
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_filter` 

Detect New Open S3 Buckets over AWS CLI

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the AWS CLI.

Detection logic

`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") 
| rename requestParameters.bucketName AS bucketName 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_over_aws_cli_filter` 
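The two S3 rules above express one check over two CloudTrail shapes: the ACL parsed from the request body (requestParameters.AccessControlPolicy) and the ACL passed as x-amz-grant-* headers by the AWS CLI (requestParameters.accessControlList). This added Python example, which is not from the LoFP page or the Splunk security content, handles both in one function and, going beyond the CLI rule's filter, also treats x-amz-grant-read as a public grant; the sample events are constructed and the canonical-user ID is a placeholder.

```python
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# x-amz-grant-* request header -> the ACL permission it confers
HEADER_PERMISSIONS = {
    "x-amz-grant-read": "READ",
    "x-amz-grant-read-acp": "READ_ACP",
    "x-amz-grant-write": "WRITE",
    "x-amz-grant-write-acp": "WRITE_ACP",
    "x-amz-grant-full-control": "FULL_CONTROL",
}


def public_grants(event):
    """Return (bucket, group_uri, permission) for every grant to a public
    group in a PutBucketAcl event, from the body form or the header form."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return []
    if event.get("eventName") != "PutBucketAcl":
        return []
    params = event.get("requestParameters", {})
    bucket = params.get("bucketName")
    found = []
    grants = (params.get("AccessControlPolicy", {})
              .get("AccessControlList", {})
              .get("Grant", []))
    if isinstance(grants, dict):  # a single grant is logged as one object
        grants = [grants]
    for grant in grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUPS:
            found.append((bucket, uri, grant.get("Permission")))
    headers = params.get("accessControlList", {})
    for header, permission in HEADER_PERMISSIONS.items():
        value = headers.get(header, "")  # e.g. 'uri=http://.../AllUsers'
        for uri in PUBLIC_GROUPS:
            if uri in value:
                found.append((bucket, uri, permission))
    return found


def open_buckets(events):
    """Summarise like the rules' stats step: bucket -> {(group_uri, permission)}."""
    summary = {}
    for event in events:
        for bucket, uri, permission in public_grants(event):
            summary.setdefault(bucket, set()).add((uri, permission))
    return summary


OWNER_ID = "OWNER_CANONICAL_ID_PLACEHOLDER"  # constructed, not a real ID
SAMPLE_EVENTS = [  # constructed records, not real CloudTrail data
    {   # SDK/console form: ACL body with a READ grant to AllUsers -> public
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {
            "bucketName": "reports-prod",
            "AccessControlPolicy": {"AccessControlList": {"Grant": [
                {"Grantee": {"xsi:type": "CanonicalUser", "ID": OWNER_ID},
                 "Permission": "FULL_CONTROL"},
                {"Grantee": {"xsi:type": "Group",
                             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                 "Permission": "READ"}]}}},
    },
    {   # CLI form: grant passed as an x-amz-grant-read-acp header -> public
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "userAgent": "[aws-cli/2.15.0 Python/3.11.6 Linux/6.5.0]",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": {
            "bucketName": "reports-dev",
            "accessControlList": {"x-amz-grant-read-acp":
                "uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}},
    },
    {   # owner-only ACL, single grant logged as an object -> nothing
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": {
            "bucketName": "reports-dev",
            "AccessControlPolicy": {"AccessControlList": {"Grant": {
                "Grantee": {"xsi:type": "CanonicalUser", "ID": OWNER_ID},
                "Permission": "FULL_CONTROL"}}}},
    },
]
```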

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A who has already permission to update login profile, makes an API call to update login profile for another user B . Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B)

Detection logic

 `cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`
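As an added example (not part of the Splunk rule or its macros), the following Python applies the same correlation to a few constructed CloudTrail records. It uses the raw CloudTrail field names (sourceIPAddress, userIdentity.userName, requestParameters.userName) rather than the Splunk-normalized src_ip, and additionally requires the login to come after the profile was created.

```python
"""Correlate a CreateLoginProfile call with a later ConsoleLogin by the newly
profiled user from the same source IP, as the search above does with its join.
Added example, not the rule's own code; the records are constructed and trimmed
to the CloudTrail fields the search uses."""
from collections import defaultdict

# Constructed sample CloudTrail records (not real data).
EVENTS = [
    {"eventTime": "2024-01-10T10:00:00Z", "eventName": "CreateLoginProfile",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "alice"},
     "requestParameters": {"userName": "admin-bob"}},
    {"eventTime": "2024-01-10T10:03:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "admin-bob"}},
    # An admin provisions a new hire, who later logs in from a different
    # address: the legitimate case the rule's false-positive note describes.
    {"eventTime": "2024-01-10T11:00:00Z", "eventName": "CreateLoginProfile",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"userName": "it-admin"},
     "requestParameters": {"userName": "newhire"}},
    {"eventTime": "2024-01-10T12:00:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"userName": "newhire"}},
]


def correlate_login_profile(events):
    """Return one finding per ConsoleLogin whose user and source IP match a
    CreateLoginProfile request (the search's join on new_login_profile and
    src_ip).  Unlike the search, the login must also come after the request."""
    creations = defaultdict(list)  # (target user, src_ip) -> creation events
    for ev in events:
        if ev.get("eventName") == "CreateLoginProfile":
            target = ev.get("requestParameters", {}).get("userName")
            creations[(target, ev.get("sourceIPAddress"))].append(ev)

    findings = []
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        key = (ev.get("userIdentity", {}).get("userName"),
               ev.get("sourceIPAddress"))
        for created in creations.get(key, []):
            # ISO-8601 timestamps in UTC compare correctly as strings.
            if ev.get("eventTime", "") >= created.get("eventTime", ""):
                findings.append({
                    "src_ip": key[1],
                    "creator": created["userIdentity"]["userName"],
                    "new_login_profile": key[0],
                    "profile_created": created["eventTime"],
                    "console_login": ev["eventTime"],
                })
    return findings


if __name__ == "__main__":
    for finding in correlate_login_profile(EVENTS):
        print(finding)
```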

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`
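As an added example (not the rule's own code), this Python walks a CreatePolicyVersion request the same way the spath/regex chain above does, over constructed CloudTrail records. It also handles Action given as a list or a single string, and Statement given as a single object rather than an array; the account id and policy names are placeholders.

```python
"""Flag CreatePolicyVersion calls whose new policy version contains an Allow
statement with Action "*" or "<service>:*", the same test the search above
applies with spath and its regex.  Added example, not the rule's own code;
the records below are constructed."""
import json
import re

# Same pattern as the search: a bare "*" or a whole-service "svc:*".
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")

ACCOUNT = "111122223333"  # placeholder account id for the sample records


def _policy(statements):
    # CloudTrail logs requestParameters.policyDocument as a JSON string.
    return json.dumps({"Version": "2012-10-17", "Statement": statements})


# Constructed sample CloudTrail records (not real data).
EVENTS = [
    {"eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/dev-ops"},
     "requestParameters": {
         "policyArn": f"arn:aws:iam::{ACCOUNT}:policy/deploy",
         "policyDocument": _policy([{"Effect": "Allow", "Action": "*",
                                     "Resource": "*"}]),
         "setAsDefault": True}},
    {"eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/dev-ops"},
     "requestParameters": {
         "policyArn": f"arn:aws:iam::{ACCOUNT}:policy/reader",
         "policyDocument": _policy([{"Effect": "Allow",
                                     "Action": ["s3:GetObject", "iam:*"],
                                     "Resource": "*"}])}},
    # Scoped action list, no wildcard: not reported.
    {"eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "requestParameters": {
         "policyArn": f"arn:aws:iam::{ACCOUNT}:policy/s3-read",
         "policyDocument": _policy([{"Effect": "Allow",
                                     "Action": ["s3:GetObject"],
                                     "Resource": "arn:aws:s3:::logs/*"}])}},
    # Denied call: CloudTrail sets errorCode only on failure, which is what
    # the search's "errorCode = success" filters out.
    {"eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com",
     "errorCode": "AccessDenied",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/mallory"},
     "requestParameters": {
         "policyArn": f"arn:aws:iam::{ACCOUNT}:policy/deploy",
         "policyDocument": _policy([{"Effect": "Allow", "Action": "*",
                                     "Resource": "*"}])}},
]


def overly_permissive_statements(policy_document):
    """Return the Allow statements whose Action (string or list, as IAM
    permits) contains a wildcard action matching WILDCARD_ACTION."""
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    statements = policy_document.get("Statement", [])
    if isinstance(statements, dict):  # a single statement object
        statements = [statements]
    hits = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(WILDCARD_ACTION.match(a) for a in actions):
            hits.append(st)
    return hits


def detect_create_policy_version(events):
    """Apply the search's filters and return one finding per event that
    introduced at least one wildcard Allow statement."""
    findings = []
    for ev in events:
        if (ev.get("eventName") != "CreatePolicyVersion"
                or ev.get("eventSource") != "iam.amazonaws.com"
                or "errorCode" in ev):
            continue
        params = ev.get("requestParameters", {})
        hits = overly_permissive_statements(params.get("policyDocument", "{}"))
        if hits:
            findings.append({
                "user_arn": ev.get("userIdentity", {}).get("arn"),
                "policy_arn": params.get("policyArn"),
                "set_as_default": bool(params.get("setAsDefault", False)),
                "policy_added": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in detect_create_policy_version(EVENTS):
        print(json.dumps(finding))
```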

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the old victim (user A).

Detection logic

 `cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it's important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don't typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`

Detect New Open S3 buckets

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket.

Detection logic

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl 
| rex field=_raw "(?<json_field>{.+})" 
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} 
| search grantees=* 
| mvexpand grantees 
| spath input=grantees output=uri path=Grantee.URI 
| spath input=grantees output=permission path=Permission 
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") 
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") 
| rename requestParameters.bucketName AS bucketName 
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_filter` 

Detect New Open S3 Buckets over AWS CLI

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket via the AWS CLI.

Detection logic

`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") 
| rename requestParameters.bucketName AS bucketName 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_over_aws_cli_filter` 
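As an added example (not the rules' own code), this Python implements the check behind both S3 searches above over constructed CloudTrail records: the ACL body form that the first search parses under AccessControlPolicy, and the x-amz-grant-* header form that the CLI search matches. It goes slightly beyond the CLI search by also treating a header-form READ grant to a public group as public; account id and bucket names are placeholders.

```python
"""Flag PutBucketAcl calls that grant one of the public S3 groups a permission,
whether the ACL arrived as an XML body (logged under AccessControlPolicy) or as
x-amz-grant-* headers (the aws cli form).  Added example, not the rules' own
code; the records below are constructed."""

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
RISKY_PERMISSIONS = {"READ", "READ_ACP", "WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Header name -> ACL permission it carries.
GRANT_HEADERS = {
    "x-amz-grant-read": "READ",
    "x-amz-grant-read-acp": "READ_ACP",
    "x-amz-grant-write": "WRITE",
    "x-amz-grant-write-acp": "WRITE_ACP",
    "x-amz-grant-full-control": "FULL_CONTROL",
}
ACCOUNT = "111122223333"  # placeholder account id for the sample records

# Constructed sample CloudTrail records (not real data).
EVENTS = [
    # Console/SDK form: the ACL body is logged under AccessControlPolicy.
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userAgent": "[S3Console/0.4]",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "requestParameters": {"bucketName": "corp-backups",
         "AccessControlPolicy": {"AccessControlList": {"Grant": [
             {"Grantee": {"ID": "owner-canonical-id"},
              "Permission": "FULL_CONTROL"},
             {"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
              "Permission": "READ"}]}}}},
    # CLI form: grants arrive as x-amz-grant-* headers.
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userAgent": "[aws-cli/2.15.0 md/awscrt#0.19.19]",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/bob"},
     "requestParameters": {"bucketName": "public-site", "accessControlList": {
         "x-amz-grant-full-control":
             'uri="http://acs.amazonaws.com/groups/global/AuthenticatedUsers"'}}},
    # CLI grant to one canonical user: not public, not reported.
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userAgent": "[aws-cli/2.15.0 md/awscrt#0.19.19]",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/bob"},
     "requestParameters": {"bucketName": "partner-drop", "accessControlList": {
         "x-amz-grant-read": "id=partner-canonical-id"}}},
    # Not an ACL change: ignored.
    {"eventSource": "s3.amazonaws.com", "eventName": "GetBucketAcl",
     "userAgent": "[S3Console/0.4]",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "requestParameters": {"bucketName": "corp-backups"}},
]


def public_grants(event):
    """Return (grantee URI, permission) pairs that open the bucket to a
    public group, from either ACL form."""
    params = event.get("requestParameters", {})
    grants = []
    # Form 1: parsed XML body, the path the first search walks with spath.
    acl = params.get("AccessControlPolicy", {}).get("AccessControlList", {})
    body_grants = acl.get("Grant", [])
    if isinstance(body_grants, dict):  # a single Grant element
        body_grants = [body_grants]
    for g in body_grants:
        uri = g.get("Grantee", {}).get("URI")
        perm = g.get("Permission")
        if uri in PUBLIC_GROUPS and perm in RISKY_PERMISSIONS:
            grants.append((uri, perm))
    # Form 2: x-amz-grant-* headers such as uri="http://..."; one header may
    # list several comma-separated grantees.
    headers = params.get("accessControlList", {})
    for header, perm in GRANT_HEADERS.items():
        for part in str(headers.get(header, "")).split(","):
            part = part.strip()
            if part.lower().startswith("uri="):
                uri = part[4:].strip().strip('"')
                if uri in PUBLIC_GROUPS:
                    grants.append((uri, perm))
    return grants


def detect_open_buckets(events):
    """One finding per PutBucketAcl event that made a public grant."""
    findings = []
    for ev in events:
        if (ev.get("eventSource") != "s3.amazonaws.com"
                or ev.get("eventName") != "PutBucketAcl"):
            continue
        grants = public_grants(ev)
        if grants:
            findings.append({
                "bucket": ev.get("requestParameters", {}).get("bucketName"),
                "user_arn": ev.get("userIdentity", {}).get("arn"),
                "user_agent": ev.get("userAgent"),
                "grants": grants,
            })
    return findings


if __name__ == "__main__":
    for finding in detect_open_buckets(EVENTS):
        print(finding)
```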

ASL AWS Defense Evasion Delete Cloudtrail

Description

This analytic identifies AWS DeleteTrail events within CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteTrail 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`

AWS Defense Evasion Stop Logging Cloudtrail

Description

This analytic identifies StopLogging events in CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may easily stop logging.

Detection logic

`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `aws_defense_evasion_stop_logging_cloudtrail_filter`

AWS Defense Evasion Delete Cloudtrail

Description

This analytic identifies AWS DeleteTrail events within CloudTrail logs. Adversaries often try to impair their target's defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A wide-open AWS IAM policy, especially one introduced as a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`
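A worked check of the policy-document test this rule performs, added here as an example and not part of the Splunk rule: it parses the CreatePolicyVersion policyDocument, keeps Allow statements and applies the rule's own `^(\*|[\w-]+:\*)$` pattern to each Action, handling both the single-statement and list forms IAM accepts. The events, ARNs and user names are constructed sample data.

```python
import json
import re
from typing import Iterable

# Same pattern as the rule's regex step: a bare "*" or a service-wide "<service>:*".
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def wildcard_allow_statements(policy_document: str) -> list[dict]:
    """Return the Allow statements of an IAM policy document whose Action holds a
    full or service-wide wildcard (mirrors the rule's spath + regex steps)."""
    policy = json.loads(policy_document)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):       # IAM permits a single statement object
        statements = [statements]
    hits = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":  # Deny statements are not findings
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):       # Action may be a string or a list
            actions = [actions]
        if any(WILDCARD_ACTION.match(a) for a in actions):
            hits.append(stmt)
    return hits


def flag_create_policy_version(events: Iterable[dict]) -> list[dict]:
    """Apply the rule's event filter (eventName, eventSource, success) and report
    each CreatePolicyVersion whose submitted document contains a wildcard Allow."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "CreatePolicyVersion":
            continue
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        # Assumption: CloudTrail omits errorCode on success, so absent means success.
        if ev.get("errorCode", "success") != "success":
            continue
        params = ev.get("requestParameters") or {}
        # CloudTrail carries the submitted policy document as a JSON string.
        hits = wildcard_allow_statements(params.get("policyDocument") or "{}")
        if hits:
            findings.append({
                "policy_arn": params.get("policyArn"),
                "user_arn": (ev.get("userIdentity") or {}).get("arn"),
                "policy_added": hits,
            })
    return findings


def _event(document, error_code: str = "") -> dict:
    """Build a constructed CreatePolicyVersion record (not real CloudTrail data)."""
    ev = {
        "eventName": "CreatePolicyVersion",
        "eventSource": "iam.amazonaws.com",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-user"},
        "requestParameters": {
            "policyArn": "arn:aws:iam::111111111111:policy/example-policy",
            "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": document}),
        },
    }
    if error_code:
        ev["errorCode"] = error_code
    return ev


SAMPLE_EVENTS = [
    # Full wildcard Allow: flagged.
    _event([{"Effect": "Allow", "Action": "*", "Resource": "*"}]),
    # Service-wide wildcard inside an Action list, single statement object: flagged.
    _event({"Effect": "Allow", "Action": ["s3:GetObject", "iam:*"], "Resource": "*"}),
    # Wildcard under Deny: not flagged.
    _event([{"Effect": "Deny", "Action": "*", "Resource": "*"}]),
    # Partial wildcard "s3:Get*" is outside the rule's pattern: not flagged.
    _event([{"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}]),
    # Wildcard Allow but the API call failed: not flagged.
    _event([{"Effect": "Allow", "Action": "*", "Resource": "*"}], "AccessDenied"),
]

if __name__ == "__main__":
    for finding in flag_create_policy_version(SAMPLE_EVENTS):
        print(finding["policy_arn"], finding["policy_added"])
```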

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the original victim (user A).

Detection logic

`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`
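The cross-user test shared by the UpdateLoginProfile and CreateAccessKey rules above (actor outside the console, successful call, target userName different from the caller), written out as an added Python example that is not part of either rule. The sample events, user names and user agents are constructed; a record with no target userName is assumed to act on the caller itself.

```python
import re
from typing import Iterable

# The two rules differ only in eventName; the cross-user test is the same.
CROSS_USER_EVENTS = {"UpdateLoginProfile", "CreateAccessKey"}


def is_cross_user_credential_event(ev: dict) -> bool:
    """True when an IAM user sets a login profile or access key for a user other
    than itself outside the console (the rules' match=0 branch)."""
    if ev.get("eventName") not in CROSS_USER_EVENTS:
        return False
    if ev.get("userAgent") == "console.amazonaws.com":  # both rules exclude the console
        return False
    # Assumption: CloudTrail omits errorCode on success, so absent means success.
    if ev.get("errorCode", "success") != "success":
        return False
    actor = (ev.get("userIdentity") or {}).get("userName")
    target = (ev.get("requestParameters") or {}).get("userName")
    # Assumption: a call without a target userName acts on the caller itself.
    if not actor or not target:
        return False
    return actor != target   # exact comparison; spl_style_match shows the rules' form


def spl_style_match(actor: str, target: str) -> bool:
    """Reproduce match(userIdentity.userName, requestParameters.userName): the target
    name is used as a regex and searched within the actor name, so it is also true
    when the target is merely a substring of the actor."""
    return re.search(target, actor) is not None


def cross_user_findings(events: Iterable[dict]) -> list[tuple]:
    """Return (eventName, actor, target) for every event the check flags."""
    return [
        (ev["eventName"], ev["userIdentity"]["userName"], ev["requestParameters"]["userName"])
        for ev in events
        if is_cross_user_credential_event(ev)
    ]


def _event(name: str, actor: str, target: str,
           agent: str = "aws-cli/2.15.0", error: str = "") -> dict:
    """Build a constructed CloudTrail record (not real data)."""
    ev = {"eventName": name, "userAgent": agent,
          "userIdentity": {"userName": actor},
          "requestParameters": {"userName": target}}
    if error:
        ev["errorCode"] = error
    return ev


SAMPLE_EVENTS = [
    _event("CreateAccessKey", "dev-user", "admin-user"),                # flagged
    _event("UpdateLoginProfile", "dev-user", "dev-user"),               # self: not flagged
    _event("CreateAccessKey", "dev-user", "admin-user",
           agent="console.amazonaws.com"),                              # console: excluded
    _event("UpdateLoginProfile", "dev-user", "admin-user",
           error="AccessDenied"),                                       # failed call: excluded
    _event("UpdateLoginProfile", "alice-ops", "alice"),                 # flagged here; match() would drop it
]

if __name__ == "__main__":
    for finding in cross_user_findings(SAMPLE_EVENTS):
        print(*finding)
```

Note that the rules' match() treats requestParameters.userName as a regex searched within userIdentity.userName, so a target name that is a substring of the actor's name (alice inside alice-ops) yields match=1 and is dropped as self-service; the check above compares the two names exactly instead.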

Detect New Open S3 buckets

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket.

Detection logic

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl 
| rex field=_raw "(?<json_field>{.+})" 
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} 
| search grantees=* 
| mvexpand grantees 
| spath input=grantees output=uri path=Grantee.URI 
| spath input=grantees output=permission path=Permission 
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") 
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") 
| rename requestParameters.bucketName AS bucketName 
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_filter` 

Detect New Open S3 Buckets over AWS CLI

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the AWS CLI.

Detection logic

`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") 
| rename requestParameters.bucketName AS bucketName 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_over_aws_cli_filter` 
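An added example, not the project's own code, of the grant inspection the two S3 rules above perform: it evaluates both request shapes CloudTrail records for PutBucketAcl, the AccessControlPolicy body read by the first rule and the x-amz-grant-* headers read by the CLI rule, and goes slightly beyond the CLI rule by also checking x-amz-grant-read, which that rule groups by but does not filter on. The events, bucket names and grantee IDs are constructed sample data, and the "uri=..." form of the header values is an assumption.

```python
from typing import Iterable

PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
RISKY_PERMISSIONS = {"READ", "READ_ACP", "WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Grant headers the CLI sends; x-amz-grant-read is included here although the CLI
# rule only groups by it, so this check is slightly broader than the rule.
GRANT_HEADERS = ("x-amz-grant-read", "x-amz-grant-read-acp", "x-amz-grant-write",
                 "x-amz-grant-write-acp", "x-amz-grant-full-control")


def public_acl_grants(ev: dict) -> list[dict]:
    """Return every public grant in a PutBucketAcl record, handling both request
    shapes: the ACL document body and the CLI's x-amz-grant-* headers."""
    if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") != "PutBucketAcl":
        return []
    params = ev.get("requestParameters") or {}
    bucket = params.get("bucketName")
    findings = []

    # Shape 1: AccessControlPolicy body, as the first rule's spath chain reads it.
    grants = ((params.get("AccessControlPolicy") or {})
              .get("AccessControlList", {}).get("Grant", []))
    if isinstance(grants, dict):      # a lone grant is not wrapped in a list
        grants = [grants]
    for grant in grants:
        uri = (grant.get("Grantee") or {}).get("URI")
        permission = grant.get("Permission")
        if uri in PUBLIC_GRANTEE_URIS and permission in RISKY_PERMISSIONS:
            findings.append({"bucket": bucket, "uri": uri, "permission": permission})

    # Shape 2: CLI grant headers. Assumed value form: "uri=http://.../AllUsers",
    # possibly comma-separated; the rule's "*AllUsers" wildcard is a suffix test.
    acl = params.get("accessControlList") or {}
    for header in GRANT_HEADERS:
        for grantee in str(acl.get(header, "")).split(","):
            grantee = grantee.strip()
            if grantee.endswith(("AllUsers", "AuthenticatedUsers")):
                findings.append({"bucket": bucket, "uri": grantee, "permission": header})
    return findings


def scan_put_bucket_acl(events: Iterable[dict]) -> list[dict]:
    """Run public_acl_grants over a stream of CloudTrail records."""
    return [f for ev in events for f in public_acl_grants(ev)]


# Constructed sample events (not real CloudTrail data).
SAMPLE_EVENTS = [
    {   # Body form, two grants, one of them public READ: one finding
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "requestParameters": {"bucketName": "example-bucket-1", "AccessControlPolicy": {
            "AccessControlList": {"Grant": [
                {"Grantee": {"Type": "Group",
                             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                 "Permission": "READ"},
                {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
                 "Permission": "FULL_CONTROL"}]}}},
    },
    {   # Body form with a single grant object instead of a list: one finding
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "requestParameters": {"bucketName": "example-bucket-2", "AccessControlPolicy": {
            "AccessControlList": {"Grant":
                {"Grantee": {"Type": "Group",
                             "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
                 "Permission": "WRITE"}}}},
    },
    {   # CLI header form: one finding
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "userAgent": "aws-cli/2.15.0",
        "requestParameters": {"bucketName": "example-bucket-3", "accessControlList": {
            "x-amz-grant-read": "uri=http://acs.amazonaws.com/groups/global/AllUsers",
            "x-amz-grant-full-control": "id=EXAMPLE-OWNER-ID"}},
    },
    {   # Canned private ACL: no finding
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "requestParameters": {"bucketName": "example-bucket-4", "acl": ["private"]},
    },
]

if __name__ == "__main__":
    for finding in scan_put_bucket_acl(SAMPLE_EVENTS):
        print(finding)
```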

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A wide-open AWS IAM policy, especially one introduced as a new policy version through the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are risky because they grant more permissions than necessary and violate the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$"
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`
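
The search above extracts each Statement from the submitted policy document, keeps the ones with Effect=Allow, and flags an Action that is a bare `*` or a `<service>:*`. As an added example that is not part of the original page or of the rule set it quotes, the following Python applies the same stages to constructed CloudTrail-style CreatePolicyVersion records and aggregates them per user ARN the way the stats stage does; the ARNs, account id and policy name are placeholders. It also handles the two shapes IAM allows for Statement and Action (a single item or a list), which the `Statement{}` path and a multivalue Action field cover on the Splunk side.

```python
from __future__ import annotations

import json
import re
from typing import Any

# The pattern the search applies to key_policy_action_1: a bare "*" or a
# "<service>:*" such as "iam:*". Partial wildcards ("s3:Get*") and a wildcard
# in Resource are not matched, which is also how the search behaves.
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def _as_list(value: Any) -> list:
    """IAM lets Statement and Action be a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_allow_statements(event: dict) -> list[dict]:
    """Return the Allow statements of one CloudTrail CreatePolicyVersion record
    whose Action carries a wildcard (the spath / search effect / regex stages).

    CloudTrail delivers the policy document as a JSON string inside
    requestParameters.policyDocument; an already-parsed dict is accepted too.
    """
    if event.get("eventName") != "CreatePolicyVersion":
        return []
    if event.get("eventSource") != "iam.amazonaws.com":
        return []
    # Raw CloudTrail omits errorCode on success; the Splunk add-on fills in
    # "success", which is what the search tests. Treat both as success.
    if event.get("errorCode", "success") != "success":
        return []
    doc = event.get("requestParameters", {}).get("policyDocument")
    if isinstance(doc, str):
        try:
            doc = json.loads(doc)
        except json.JSONDecodeError:
            return []
    if not isinstance(doc, dict):
        return []
    flagged = []
    for stmt in _as_list(doc.get("Statement")):
        if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
            continue
        actions = [a for a in _as_list(stmt.get("Action")) if isinstance(a, str)]
        if any(WILDCARD_ACTION.fullmatch(a) for a in actions):
            flagged.append(stmt)
    return flagged


def summarize_by_actor(events: list[dict]) -> dict[str, dict]:
    """Aggregate flagged records per user_arn like the stats stage: count,
    firstTime, lastTime and the statements that were added (policy_added)."""
    summary: dict[str, dict] = {}
    for ev in events:
        stmts = wildcard_allow_statements(ev)
        if not stmts:
            continue
        arn = ev.get("userIdentity", {}).get("arn", "unknown")
        ts = ev.get("eventTime", "")
        row = summary.setdefault(arn, {"count": 0, "firstTime": ts, "lastTime": ts, "policy_added": []})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ts)
        row["lastTime"] = max(row["lastTime"], ts)
        row["policy_added"].extend(stmts)
    return summary


def _rec(time: str, arn: str, statements: Any, error: str | None = None) -> dict:
    """Constructed CloudTrail-style CreatePolicyVersion record (not real data)."""
    rec = {"eventTime": time, "eventName": "CreatePolicyVersion",
           "eventSource": "iam.amazonaws.com", "userIdentity": {"arn": arn},
           "requestParameters": {
               "policyArn": "arn:aws:iam::111122223333:policy/ExamplePolicy",
               "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": statements}),
               "setAsDefault": True}}
    if error is not None:
        rec["errorCode"] = error
    return rec


ALICE = "arn:aws:iam::111122223333:user/alice"
BOB = "arn:aws:iam::111122223333:user/bob"

SAMPLE_EVENTS = [
    _rec("2024-03-01T10:00:00Z", ALICE, [{"Effect": "Allow", "Action": "*", "Resource": "*"}]),  # flagged
    _rec("2024-03-01T10:05:00Z", ALICE, {"Effect": "Allow", "Action": ["iam:*", "s3:GetObject"], "Resource": "*"}),  # flagged by iam:*
    _rec("2024-03-01T10:10:00Z", BOB, [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]),  # scoped action, not flagged
    _rec("2024-03-01T10:15:00Z", BOB, [{"Effect": "Deny", "Action": "*", "Resource": "*"}]),  # Deny, not flagged
    _rec("2024-03-01T10:20:00Z", BOB, [{"Effect": "Allow", "Action": "*", "Resource": "*"}], error="AccessDenied"),  # failed call
]
```

Note what the regex does and does not cover: bob's `s3:GetObject` on `Resource: "*"` is not flagged even though it is open on the resource side, and a partial wildcard such as `s3:Get*` would not be either, because the search keys on Action alone. Widening the check to Resource or to `NotAction` is a separate decision that changes the false-positive profile of the rule.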

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the original victim (user A).

Detection logic

`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`
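
The UpdateLoginProfile and CreateAccessKey searches above share one shape: keep API calls that did not come from the console and succeeded, then surface those where the caller (userIdentity.userName) differs from the user named in requestParameters.userName. As an added example that is not part of the original page or of the rule set it quotes, the following Python applies that logic to constructed CloudTrail-style records for both event names and aggregates per target user and actor ARN as the stats stages do; names, the account id and the role session are placeholders. It goes slightly beyond the searches by spelling out two edge cases they leave implicit: a CreateAccessKey call with no userName parameter acts on the caller itself, and an assumed-role session carries no userName at all.

```python
from __future__ import annotations

# eventName values of the two actor-vs-target searches on this page; the
# userAgent and errorCode filters are identical in both.
CROSS_USER_EVENTS = {"CreateAccessKey", "UpdateLoginProfile"}
CONSOLE_AGENT = "console.amazonaws.com"


def _rec(time: str, name: str, actor: str | None, target: str | None,
         agent: str = "aws-cli/2.15.0", error: str | None = None) -> dict:
    """Constructed CloudTrail-style record (not real data). actor=None models an
    assumed-role session, which has no userIdentity.userName; target=None
    models a call that omits requestParameters.userName."""
    if actor is not None:
        identity = {"type": "IAMUser", "userName": actor,
                    "arn": f"arn:aws:iam::111122223333:user/{actor}"}
    else:
        identity = {"type": "AssumedRole",
                    "arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/session1"}
    rec = {"eventTime": time, "eventName": name, "userAgent": agent,
           "userIdentity": identity, "requestParameters": {}}
    if target is not None:
        rec["requestParameters"]["userName"] = target
    if error is not None:  # raw CloudTrail omits errorCode on success
        rec["errorCode"] = error
    return rec


SAMPLE_EVENTS = [
    _rec("2024-03-01T10:00:00Z", "CreateAccessKey", "alice", "bob"),        # alice keys bob: surfaced
    _rec("2024-03-01T10:01:00Z", "CreateAccessKey", "alice", "alice"),      # self-service key
    _rec("2024-03-01T10:02:00Z", "UpdateLoginProfile", "alice", "bob",
         agent=CONSOLE_AGENT),                                              # console call, excluded
    _rec("2024-03-01T10:03:00Z", "UpdateLoginProfile", "alice", "bob",
         error="AccessDenied"),                                             # failed call, excluded
    _rec("2024-03-01T10:04:00Z", "UpdateLoginProfile", "alice", "bob"),     # surfaced
    _rec("2024-03-01T10:05:00Z", "CreateAccessKey", "carol", None),         # no target: caller's own key
    _rec("2024-03-01T10:06:00Z", "CreateAccessKey", None, "bob"),           # role session keys bob: surfaced
]


def is_cross_user_event(event: dict) -> bool:
    """The filter and `eval match ... | search match=0` stages of both searches,
    with an exact actor/target comparison."""
    if event.get("eventName") not in CROSS_USER_EVENTS:
        return False
    if event.get("userAgent") == CONSOLE_AGENT:
        return False
    # The Splunk add-on normalises a missing errorCode to "success".
    if event.get("errorCode", "success") != "success":
        return False
    target = event.get("requestParameters", {}).get("userName")
    if target is None:
        return False  # no user named: the call acts on the caller's own identity
    actor = event.get("userIdentity", {}).get("userName")
    # An actor with no userName (assumed-role session) cannot be the same IAM
    # user as the named target, so the event is surfaced.
    return actor != target


def summarize(events: list[dict]) -> dict[tuple[str, str], dict]:
    """Aggregate like the stats stages: per (target user, actor ARN) the count,
    first and last time, and which operations were used."""
    out: dict[tuple[str, str], dict] = {}
    for ev in events:
        if not is_cross_user_event(ev):
            continue
        key = (ev["requestParameters"]["userName"], ev["userIdentity"].get("arn", "unknown"))
        ts = ev.get("eventTime", "")
        row = out.setdefault(key, {"count": 0, "firstTime": ts, "lastTime": ts, "eventNames": set()})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ts)
        row["lastTime"] = max(row["lastTime"], ts)
        row["eventNames"].add(ev["eventName"])
    return out
```

One difference from the searches is deliberate: Splunk's `match(SUBJECT, REGEX)` treats requestParameters.userName as a regular expression evaluated against the caller's name, so an actor named `robert` acting on a user named `rob` yields match=1 and is dropped as a self-operation. The exact comparison here avoids that gap; if the SPL is kept as is, wrapping the target in anchors or switching to a plain equality test in the eval closes it.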

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation in case the new victim (user B) has more permissions than the old victim (user A).

Detection logic

`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_createaccesskey_filter`
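The decision that the ASL AWS CreateAccessKey, AWS UpdateLoginProfile and AWS CreateAccessKey searches above make, as an added Python example that is not code from the Splunk security content project: it runs over constructed CloudTrail-shaped records and also shows why the actor/target comparison should be exact equality rather than the regex-style match() the SPL uses.

```python
"""Cross-user IAM credential changes in CloudTrail records.

Added example, not code from the Splunk security content project: the same
decision as the CreateAccessKey and UpdateLoginProfile searches (non-console,
successful, actor != target user), over constructed CloudTrail records.
"""
import re

# IAM operations where the caller (userIdentity.userName) changes the
# credentials of the user named in requestParameters.userName.
CREDENTIAL_OPS = {"CreateAccessKey", "UpdateLoginProfile"}


def is_cross_user_credential_change(event, exact=True):
    """True when a successful, non-console credential operation targets a
    user other than the caller.

    exact=False reproduces the SPL's match(actor, target), which treats the
    target name as an unanchored regex searched inside the actor name.
    """
    if event.get("eventName") not in CREDENTIAL_OPS:
        return False
    if event.get("userAgent") == "console.amazonaws.com":
        return False
    # Raw CloudTrail omits errorCode on success; the Splunk add-on fills in
    # "success", so a missing field is treated the same way here.
    if event.get("errorCode", "success") != "success":
        return False
    actor = event.get("userIdentity", {}).get("userName")
    target = event.get("requestParameters", {}).get("userName")
    if not actor or not target:
        return False
    if exact:
        return actor != target
    try:
        return re.search(target, actor) is None
    except re.error:
        return True  # an unparseable "pattern" cannot have matched


def summarize(events, exact=True):
    """Group flagged events by (actor, target) like the SPL's stats clause:
    count plus first and last eventTime."""
    groups = {}
    for ev in events:
        if not is_cross_user_credential_change(ev, exact):
            continue
        key = (ev["userIdentity"]["userName"], ev["requestParameters"]["userName"])
        count, first, last = groups.get(key, (0, ev["eventTime"], ev["eventTime"]))
        groups[key] = (count + 1, min(first, ev["eventTime"]), max(last, ev["eventTime"]))
    return groups


def _event(event_id, name, actor, target, ua="aws-cli/2.15.0", error=None,
           when="2024-05-01T10:00:00Z"):
    """Build a constructed CloudTrail-shaped record (sample data, not real)."""
    ev = {
        "eventID": event_id, "eventTime": when, "eventName": name,
        "eventSource": "iam.amazonaws.com", "userAgent": ua,
        "userIdentity": {"type": "IAMUser", "userName": actor},
        "requestParameters": {"userName": target},
    }
    if error:
        ev["errorCode"] = error
    return ev


# Constructed sample log: names and times are made up.
SAMPLE_EVENTS = [
    _event("ev-1", "CreateAccessKey", "alice", "alice"),        # self-service, benign
    _event("ev-2", "CreateAccessKey", "alice", "admin-bob"),    # cross-user key creation
    _event("ev-3", "UpdateLoginProfile", "alice", "admin-bob",
           ua="console.amazonaws.com"),                          # console, excluded by the search
    _event("ev-4", "CreateAccessKey", "alice", "admin-bob",
           error="AccessDenied"),                                # failed call, excluded
    _event("ev-5", "UpdateLoginProfile", "bob-ops", "bob",
           when="2024-05-01T11:30:00Z"),                         # regex-style match() misses this one
    _event("ev-6", "CreateAccessKey", "alice", "admin-bob",
           when="2024-05-01T12:00:00Z"),
]


def flagged_ids(events, exact=True):
    return [ev["eventID"] for ev in events if is_cross_user_credential_change(ev, exact)]


if __name__ == "__main__":
    print(flagged_ids(SAMPLE_EVENTS))               # ['ev-2', 'ev-5', 'ev-6']
    print(flagged_ids(SAMPLE_EVENTS, exact=False))  # ['ev-2', 'ev-6']
    for (actor, target), (n, first, last) in summarize(SAMPLE_EVENTS).items():
        print(f"{actor} -> {target}: {n} event(s) between {first} and {last}")
```

With match() semantics, an actor whose user name contains the target's name as a substring (ev-5) is silently suppressed, so exact comparison is the safer choice for this check.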

Detect New Open S3 buckets

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket.

Detection logic

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl 
| rex field=_raw "(?<json_field>{.+})" 
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} 
| search grantees=* 
| mvexpand grantees 
| spath input=grantees output=uri path=Grantee.URI 
| spath input=grantees output=permission path=Permission 
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") 
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") 
| rename requestParameters.bucketName AS bucketName 
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_filter` 

Detect New Open S3 Buckets over AWS CLI

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the AWS CLI.

Detection logic

`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") 
| rename requestParameters.bucketName AS bucketName 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_over_aws_cli_filter` 
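The grantee check behind the two open-bucket searches above, as an added Python example that is not the project's code, run over constructed PutBucketAcl records: it handles both the AccessControlPolicy body the first search parses and the header-style accessControlList.x-amz-grant-* parameters the CLI search matches, and it also treats x-amz-grant-read as a public grant, which the CLI search itself does not match.

```python
"""Public-grant check for S3 PutBucketAcl CloudTrail events.

Added example, not code from the Splunk security content project. Both
shapes CloudTrail records an ACL in are covered: the AccessControlPolicy
body with Grant entries, and the header-style x-amz-grant-* parameters.
"""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTH_USERS}
RISKY_PERMISSIONS = {"READ", "READ_ACP", "WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Header-style grant parameters and the ACL permission each one confers.
HEADER_PERMISSIONS = {
    "x-amz-grant-read": "READ",
    "x-amz-grant-read-acp": "READ_ACP",
    "x-amz-grant-write": "WRITE",
    "x-amz-grant-write-acp": "WRITE_ACP",
    "x-amz-grant-full-control": "FULL_CONTROL",
}


def public_grants(event):
    """Return (grantee_uri, permission) pairs that give a global group access."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") != "PutBucketAcl":
        return []
    params = event.get("requestParameters", {})
    found = []
    # Shape 1: full ACL body (console, SDKs, CLI --access-control-policy).
    grants = params.get("AccessControlPolicy", {}).get("AccessControlList", {}).get("Grant", [])
    if isinstance(grants, dict):  # a single grant is logged as an object, not a list
        grants = [grants]
    for grant in grants:
        uri = grant.get("Grantee", {}).get("URI")
        perm = grant.get("Permission")
        if uri in PUBLIC_GRANTEES and perm in RISKY_PERMISSIONS:
            found.append((uri, perm))
    # Shape 2: header-style grants such as --grant-read uri=<group URI>;
    # one header may carry several comma-separated grantees.
    headers = params.get("accessControlList", {})
    for header, perm in HEADER_PERMISSIONS.items():
        for part in str(headers.get(header, "")).split(","):
            part = part.strip()
            if part.startswith("uri="):
                uri = part[4:].strip('"')
                if uri in PUBLIC_GRANTEES:
                    found.append((uri, perm))
    return found


def open_buckets(events):
    """List (bucket, grantee_uri, permission) for every public grant seen."""
    return [
        (ev["requestParameters"].get("bucketName"), uri, perm)
        for ev in events
        for uri, perm in public_grants(ev)
    ]


def _s3_event(event_id, bucket, params, name="PutBucketAcl"):
    """Constructed CloudTrail-shaped record (sample data, not real)."""
    return {
        "eventID": event_id, "eventSource": "s3.amazonaws.com", "eventName": name,
        "userAgent": "[aws-cli/2.15.0 ...]", "userIdentity": {"userName": "alice"},
        "requestParameters": {"bucketName": bucket, **params},
    }


# Constructed samples (bucket names and IDs are made up).
SAMPLE_EVENTS = [
    # Console/SDK style: owner keeps FULL_CONTROL, everyone gets READ.
    _s3_event("ev-1", "public-data", {"AccessControlPolicy": {"AccessControlList": {"Grant": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ]}}}),
    # Private bucket: a single owner-only grant, logged as an object.
    _s3_event("ev-2", "private-data", {"AccessControlPolicy": {"AccessControlList": {"Grant":
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}}}}),
    # CLI header style: full control handed to every authenticated AWS account.
    _s3_event("ev-3", "shared-uploads", {"accessControlList": {"x-amz-grant-full-control": f"uri={AUTH_USERS}"}}),
    # Unrelated S3 call, ignored.
    _s3_event("ev-4", "public-data", {"key": "index.html"}, name="PutObject"),
]


if __name__ == "__main__":
    for bucket, uri, perm in open_buckets(SAMPLE_EVENTS):
        print(f"{bucket}: {perm} granted to {uri}")
```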

ASL AWS Defense Evasion Delete Cloudtrail

Description

This analytic identifies AWS DeleteTrail events within CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteTrail 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`

AWS Defense Evasion Stop Logging Cloudtrail

Description

This analytic identifies StopLogging events in CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may easily stop logging.

Detection logic

`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `aws_defense_evasion_stop_logging_cloudtrail_filter`

AWS Defense Evasion Delete Cloudtrail

Description

This analytic identifies AWS DeleteTrail events within CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`

AWS Lambda UpdateFunctionCode

Description

This analytic is designed to detect IAM users attempting to update or modify AWS Lambda function code via the AWS CLI to gain persistence, further access into your AWS environment, and to facilitate planting backdoors. In this instance, an attacker may upload malicious code or a binary to a Lambda function, which will be executed automatically when the function is triggered.

Detection logic

`cloudtrail` eventSource=lambda.amazonaws.com eventName=UpdateFunctionCode*  errorCode = success  user_type=IAMUser 
| stats  count min(_time) as firstTime max(_time) as lastTime  values(requestParameters.functionName) as function_updated by src_ip user_arn user_agent user_type eventName aws_account_id 
| `aws_lambda_updatefunctioncode_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `aws_create_policy_version_to_allow_all_resources_filter`
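The wildcard-action test from the search above, as an added Python example that is not the project's code: it decodes the policyDocument (assumed to arrive as JSON text, URL-encoded the way CloudTrail records policy bodies) and flags Allow statements whose Action is "*" or "<service>:*", handling Action and Statement given either as a single value or as a list.

```python
"""Wildcard-Allow check for IAM CreatePolicyVersion CloudTrail events.

Added example, not code from the Splunk security content project. The
regex is the same one the SPL search uses; the records are constructed.
"""
import json
import re
from urllib.parse import quote, unquote

# Same expression as the SPL regex: "*" alone, or "<service>:*".
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def load_policy_document(raw):
    """Decode the policy body: already-parsed dict, JSON text, or URL-encoded JSON."""
    if isinstance(raw, dict):
        return raw
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return json.loads(unquote(raw))


def wildcard_allow_actions(policy):
    """Return wildcard actions found in Allow statements (empty if none).
    Statements that grant via NotAction are not covered, as in the SPL."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be an object
        statements = [statements]
    found = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        found.extend(a for a in actions if WILDCARD_ACTION.match(a))
    return found


def inspect_event(event):
    """Wildcard actions granted by a successful CreatePolicyVersion event."""
    if event.get("eventSource") != "iam.amazonaws.com" or event.get("eventName") != "CreatePolicyVersion":
        return []
    if event.get("errorCode", "success") != "success":  # raw CloudTrail omits errorCode on success
        return []
    doc = load_policy_document(event.get("requestParameters", {}).get("policyDocument", "{}"))
    return wildcard_allow_actions(doc)


def flagged_ids(events):
    return [ev["eventID"] for ev in events if inspect_event(ev)]


def _policy_event(event_id, statements, encoded=True):
    """Constructed CloudTrail-shaped record; the policy body is URL-encoded
    JSON when encoded=True, the way CloudTrail logs it."""
    body = json.dumps({"Version": "2012-10-17", "Statement": statements})
    return {
        "eventID": event_id, "eventSource": "iam.amazonaws.com",
        "eventName": "CreatePolicyVersion", "userIdentity": {"userName": "alice"},
        "requestParameters": {
            "policyArn": "arn:aws:iam::123456789012:policy/example",  # placeholder account id
            "policyDocument": quote(body) if encoded else body,
            "setAsDefault": True,
        },
    }


# Constructed samples (not real events).
SAMPLE_EVENTS = [
    _policy_event("ev-1", [{"Effect": "Allow", "Action": "*", "Resource": "*"}]),
    _policy_event("ev-2", [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}]),
    _policy_event("ev-3", [{"Effect": "Allow", "Action": ["ec2:Describe*", "iam:*"], "Resource": "*"}],
                  encoded=False),
    _policy_event("ev-4", [{"Effect": "Deny", "Action": "*", "Resource": "*"},
                           {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["eventID"], inspect_event(ev))  # ev-1 ['*'], ev-2 [], ev-3 ['iam:*'], ev-4 []
```

Note that "ec2:Describe*" is not flagged: the regex only matches a bare "*" or a whole-service wildcard, so action-prefix wildcards need a separate check if they matter in your environment.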

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A who has already permission to update login profile, makes an API call to update login profile for another user B . Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B)

Detection logic

 `cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A wide-open AWS IAM policy, especially one introduced by creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`
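The policy inspection the rule performs with spath and regex, as an added Python example that is not part of the original rule set: it applies the same Effect/Action test to a constructed CreatePolicyVersion record, handling Action given as a string or a list and the URL-encoded form in which raw CloudTrail records carry requestParameters.policyDocument (the policy ARN and account id are constructed placeholders).

```python
# Added example (not from the original rule set): inspect the policy document of a
# CreatePolicyVersion event with the same Effect/Action test the rule applies,
# on a constructed CloudTrail-style record.
import json
import re
from urllib.parse import quote, unquote

# The rule's regex: a bare "*" or "<service>:*".
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def parse_policy_document(raw):
    """Accept the policy as a dict, as plain JSON text, or as the URL-encoded JSON
    text that raw CloudTrail records carry in requestParameters.policyDocument."""
    if isinstance(raw, dict):
        return raw
    text = raw.strip()
    if not text.startswith("{"):
        text = unquote(text)
    return json.loads(text)


def wildcard_allow_statements(policy):
    """Return the Allow statements whose Action contains a wildcard the rule flags.
    Action may be a single string or a list; Statement may be an object or a list."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    hits = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        wide = [a for a in actions if WILDCARD_ACTION.match(a)]
        if wide:
            hits.append({"Sid": st.get("Sid"), "Action": wide, "Resource": st.get("Resource")})
    return hits


def check_create_policy_version(event):
    """Apply the rule's event filter, then inspect the submitted policy document."""
    if (event.get("eventSource") != "iam.amazonaws.com"
            or event.get("eventName") != "CreatePolicyVersion"
            or event.get("errorCode") is not None):   # successful records carry no errorCode
        return []
    doc = (event.get("requestParameters") or {}).get("policyDocument")
    if doc is None:
        return []
    return wildcard_allow_statements(parse_policy_document(doc))


# Constructed sample policy and event (not real data; placeholder account id).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOneBucket", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "FullAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "IamWide", "Effect": "Allow", "Action": ["iam:*", "sts:AssumeRole"],
         "Resource": "*"},
        {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}
SAMPLE_EVENT = {
    "eventSource": "iam.amazonaws.com",
    "eventName": "CreatePolicyVersion",
    "userIdentity": {"userName": "alice"},
    "requestParameters": {
        "policyArn": "arn:aws:iam::123456789012:policy/ExamplePolicy",
        "policyDocument": quote(json.dumps(SAMPLE_POLICY)),  # URL-encoded as in CloudTrail
        "setAsDefault": True,
    },
}

if __name__ == "__main__":
    for hit in check_create_policy_version(SAMPLE_EVENT):
        print(hit)
```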

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be run manually during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the original victim (user A).

Detection logic

`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be run manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`
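The actor-versus-target check shared by the CreateAccessKey and UpdateLoginProfile rules above, as an added Python example that is not part of the original rule set, run over constructed CloudTrail-style records. It compares the two user names for exact equality, and includes a small reproduction of how the rules' match(userIdentity.userName, requestParameters.userName) behaves, since SPL match() treats its second argument as a regular expression.

```python
# Added example (not from the original rule set): the actor-versus-target check shared
# by the CreateAccessKey and UpdateLoginProfile rules, over constructed CloudTrail-style
# records, plus a reproduction of how SPL match() compares the two names.
import re

CONSOLE_USER_AGENT = "console.amazonaws.com"
CREDENTIAL_EVENTS = {"CreateAccessKey", "UpdateLoginProfile"}


def cross_user_credential_events(events):
    """Return (actor, target, eventName, src_ip) for successful, non-console
    CreateAccessKey / UpdateLoginProfile calls whose target user differs from the caller.
    Names are compared for exact equality. A successful CloudTrail record has no errorCode."""
    findings = []
    for e in events:
        if e.get("eventName") not in CREDENTIAL_EVENTS:
            continue
        if e.get("userAgent") == CONSOLE_USER_AGENT or e.get("errorCode") is not None:
            continue
        actor = (e.get("userIdentity") or {}).get("userName")
        target = (e.get("requestParameters") or {}).get("userName")
        if target is None:   # no userName parameter: the call acts on the caller's own user
            continue
        if actor != target:
            findings.append((actor, target, e["eventName"], e.get("sourceIPAddress")))
    return findings


def spl_style_match(actor, target):
    """Reproduce the rule's match(userIdentity.userName, requestParameters.userName).
    SPL match() treats its second argument as an unanchored regular expression, so a
    target name that is a substring of the actor name (or contains regex metacharacters)
    is reported as a match, and the rule then drops that event as self-service."""
    return re.search(target, actor or "") is not None


# Constructed sample records (not real CloudTrail data; user agents are made up).
SAMPLE_EVENTS = [
    {"eventName": "CreateAccessKey", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"userName": "alice"}, "requestParameters": {"userName": "bob"},
     "sourceIPAddress": "203.0.113.10"},                                # flagged
    {"eventName": "UpdateLoginProfile", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"userName": "alice"}, "requestParameters": {"userName": "alice"},
     "sourceIPAddress": "203.0.113.10"},                                # self: not flagged
    {"eventName": "CreateAccessKey", "userAgent": CONSOLE_USER_AGENT,
     "userIdentity": {"userName": "alice"}, "requestParameters": {"userName": "bob"},
     "sourceIPAddress": "203.0.113.10"},                                # console: excluded
    {"eventName": "UpdateLoginProfile", "userAgent": "Boto3/1.34.0",
     "userIdentity": {"userName": "bob-admin"}, "requestParameters": {"userName": "bob"},
     "sourceIPAddress": "203.0.113.11"},                                # flagged here
    {"eventName": "CreateAccessKey", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"userName": "carol"}, "requestParameters": {"userName": "dave"},
     "sourceIPAddress": "203.0.113.12", "errorCode": "AccessDenied"},   # failed: excluded
]

if __name__ == "__main__":
    for actor, target, name, ip in cross_user_credential_events(SAMPLE_EVENTS):
        print(f"{name}: {actor} acted on {target} from {ip}")
    # The regex comparison would silently treat the bob-admin -> bob event as self-service:
    print("SPL-style match('bob-admin', 'bob') ->", spl_style_match("bob-admin", "bob"))
```

The fourth sample record shows the difference: exact comparison flags bob-admin acting on bob, while the regex-style comparison reports a match and the event would be dropped by `search match=0`.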

Detect New Open S3 buckets

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket.

Detection logic

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl 
| rex field=_raw "(?<json_field>{.+})" 
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} 
| search grantees=* 
| mvexpand grantees 
| spath input=grantees output=uri path=Grantee.URI 
| spath input=grantees output=permission path=Permission 
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") 
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") 
| rename requestParameters.bucketName AS bucketName 
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_filter` 

Detect New Open S3 Buckets over AWS CLI

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the AWS CLI.

Detection logic

`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") 
| rename requestParameters.bucketName AS bucketName 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_over_aws_cli_filter` 
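The grant extraction behind the two open-bucket rules above, as an added Python example that is not part of the original rule set: it pulls AllUsers/AuthenticatedUsers grants out of a PutBucketAcl record in either request shape the rules search, the AccessControlPolicy body and the x-amz-grant-* header form produced by the AWS CLI, and also handles the single-Grant case that CloudTrail renders as an object rather than a list. The records are constructed.

```python
# Added example (not from the original rule set): extract public grants from a
# PutBucketAcl record in either of the two request shapes the rules search,
# the AccessControlPolicy body and the x-amz-grant-* header form used by the AWS CLI.
import re

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
RISKY_PERMISSIONS = {"READ", "READ_ACP", "WRITE", "WRITE_ACP", "FULL_CONTROL"}
HEADER_PERMISSIONS = {
    "x-amz-grant-read": "READ",
    "x-amz-grant-read-acp": "READ_ACP",
    "x-amz-grant-write": "WRITE",
    "x-amz-grant-write-acp": "WRITE_ACP",
    "x-amz-grant-full-control": "FULL_CONTROL",
}
# One grantee inside an x-amz-grant-* header value, e.g. uri="http://..." or uri=http://...
GRANTEE_URI = re.compile(r'\s*uri="?([^"]+?)"?\s*$')


def _as_list(value):
    """CloudTrail renders a single Grant as an object and several as a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_grants(event):
    """Return (bucket, group, permission) for each grant to AllUsers or
    AuthenticatedUsers in a PutBucketAcl event, whichever request form was used."""
    if (event.get("eventSource") != "s3.amazonaws.com"
            or event.get("eventName") != "PutBucketAcl"):
        return []
    params = event.get("requestParameters") or {}
    bucket = params.get("bucketName")
    found = []

    # Form 1: full AccessControlPolicy in the request body (console, SDKs).
    acl = (params.get("AccessControlPolicy") or {}).get("AccessControlList") or {}
    for grant in _as_list(acl.get("Grant")):
        uri = (grant.get("Grantee") or {}).get("URI")
        permission = grant.get("Permission")
        if uri in PUBLIC_GROUPS and permission in RISKY_PERMISSIONS:
            found.append((bucket, PUBLIC_GROUPS[uri], permission))

    # Form 2: x-amz-grant-* headers (aws s3api put-bucket-acl --grant-read ...).
    headers = params.get("accessControlList") or {}
    for header, permission in HEADER_PERMISSIONS.items():
        for grantee in str(headers.get(header, "")).split(","):
            m = GRANTEE_URI.match(grantee)
            if m and m.group(1) in PUBLIC_GROUPS:
                found.append((bucket, PUBLIC_GROUPS[m.group(1)], permission))
    return found


def scan(events):
    """Run public_grants over a batch of events and flatten the results."""
    return [g for e in events for g in public_grants(e)]


# Constructed sample records (not real CloudTrail data).
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "requestParameters": {
         "bucketName": "corp-reports",
         "AccessControlPolicy": {"AccessControlList": {"Grant": [
             {"Grantee": {"xsi:type": "CanonicalUser", "ID": "owner-canonical-id"},
              "Permission": "FULL_CONTROL"},
             {"Grantee": {"xsi:type": "Group",
                          "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
              "Permission": "READ"},
         ]}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "requestParameters": {
         "bucketName": "public-assets",
         "accessControlList": {
             "x-amz-grant-read": 'uri="http://acs.amazonaws.com/groups/global/AuthenticatedUsers"',
             "x-amz-grant-full-control": 'id="owner-canonical-id"',
         }}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "requestParameters": {
         "bucketName": "log-archive",
         # a single Grant is rendered as an object, and LogDelivery is not a global group
         "AccessControlPolicy": {"AccessControlList": {"Grant": {
             "Grantee": {"xsi:type": "Group",
                         "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
             "Permission": "WRITE"}}}}},
]

if __name__ == "__main__":
    for bucket, group, permission in scan(SAMPLE_EVENTS):
        print(f"{bucket}: {permission} granted to {group}")
```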

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the old victim (user A).

Detection logic

`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`
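
The three searches above (ASL AWS CreateAccessKey, AWS UpdateLoginProfile and AWS CreateAccessKey) share one core step: keep successful, non-console IAM calls whose target user differs from the caller. The Python below is an added example, not code from the Splunk security content project, and runs that logic over a handful of constructed CloudTrail records (field names follow CloudTrail; the user names, IPs and key ID are made up). It also resolves the target user from responseElements.accessKey.userName when requestParameters.userName is absent, which is how the ASL search finds it.

```python
"""Flag CreateAccessKey / UpdateLoginProfile calls made on behalf of another user.
Added example; the sample records below are constructed, not real CloudTrail output."""
import json
from typing import Optional

WATCHED_EVENTS = {"CreateAccessKey", "UpdateLoginProfile"}
CONSOLE_UA = "console.amazonaws.com"


def target_user(event: dict) -> Optional[str]:
    """User the call acts on: requestParameters.userName when given, otherwise the
    userName CloudTrail reports in responseElements.accessKey (a CreateAccessKey
    without an explicit userName creates a key for the caller)."""
    params = event.get("requestParameters") or {}
    if params.get("userName"):
        return params["userName"]
    resp = event.get("responseElements") or {}
    return (resp.get("accessKey") or {}).get("userName")


def is_cross_user_iam_change(event: dict) -> bool:
    """Mirror the searches' filters: IAM CreateAccessKey/UpdateLoginProfile, not from
    the console, successful, and caller != target (the match=0 step)."""
    if event.get("eventName") not in WATCHED_EVENTS:
        return False
    if event.get("eventSource") != "iam.amazonaws.com":
        return False
    # Raw CloudTrail omits errorCode on success; the Splunk add-on fills in the
    # literal "success", which is what the searches compare against.
    if event.get("errorCode") not in (None, "success"):
        return False
    if event.get("userAgent") == CONSOLE_UA:
        return False
    caller = (event.get("userIdentity") or {}).get("userName")
    target = target_user(event)
    return bool(caller and target and caller != target)


def find_cross_user_changes(events):
    """Return (caller, target, eventName, sourceIPAddress) for each matching event."""
    return [
        (e["userIdentity"]["userName"], target_user(e), e["eventName"],
         e.get("sourceIPAddress"))
        for e in events
        if is_cross_user_iam_change(e)
    ]


# Constructed sample records.
SAMPLE_EVENTS = [
    {"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "userAgent": "aws-cli/2.15.0", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
     "requestParameters": {"userName": "admin-bob"},
     "responseElements": {"accessKey": {"userName": "admin-bob",
                                        "accessKeyId": "AKIAEXAMPLE0000001"}}},
    {"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "userAgent": "aws-cli/2.15.0", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "userName": "dev-carol"},
     "requestParameters": {},  # no userName: the key is for the caller herself
     "responseElements": {"accessKey": {"userName": "dev-carol",
                                        "accessKeyId": "AKIAEXAMPLE0000002"}}},
    {"eventName": "UpdateLoginProfile", "eventSource": "iam.amazonaws.com",
     "userAgent": "console.amazonaws.com", "sourceIPAddress": "203.0.113.12",
     "userIdentity": {"type": "IAMUser", "userName": "helpdesk-dan"},
     "requestParameters": {"userName": "admin-bob"}},  # console: excluded by the searches
    {"eventName": "UpdateLoginProfile", "eventSource": "iam.amazonaws.com",
     "userAgent": "Boto3/1.34.0", "sourceIPAddress": "203.0.113.13",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
     "requestParameters": {"userName": "admin-bob"}},  # failed call: excluded
    {"eventName": "UpdateLoginProfile", "eventSource": "iam.amazonaws.com",
     "userAgent": "Boto3/1.34.0", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
     "requestParameters": {"userName": "admin-bob"}},
]

if __name__ == "__main__":
    for hit in find_cross_user_changes(SAMPLE_EVENTS):
        print(json.dumps(hit))
```

One caveat worth knowing when tuning the CloudTrail searches: they compare the two names with Splunk's `match()`, which is a regex test with requestParameters.userName as the pattern, so a caller named `bobby` acting on `bob` would be treated as acting on itself. The example compares for exact equality instead.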

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A (victim A) creates a login profile for user B, followed by an AWS Console login event by user B from the same src_ip. This correlated pair can be indicative of privilege escalation since both events happened from the same src_ip.

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`
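
The correlation the search expresses as a `join` on new_login_profile and src_ip, written out as an added Python example (not the project's own code) over constructed CloudTrail records. The raw CloudTrail field is sourceIPAddress; src_ip is the CIM name the search uses. Two things here go beyond the SPL and are this example's own choices: the ConsoleLogin must come after the CreateLoginProfile and within a time window, and only logins with responseElements.ConsoleLogin = Success are paired.

```python
"""Pair CreateLoginProfile (by user A) with a later ConsoleLogin by the newly
profiled user B from the same source IP. Added example; records are constructed."""
from datetime import datetime, timedelta


def _ts(s):
    """CloudTrail eventTime is ISO-8601 UTC, e.g. 2024-01-15T10:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate_login_profile(events, window=timedelta(hours=24)):
    """Return one dict per successful ConsoleLogin whose user had a login profile
    created from the same sourceIPAddress within `window` before the login."""
    profiles = {}  # (new user, src ip) -> [(creator, created_at), ...]
    for e in events:
        if e.get("eventName") == "CreateLoginProfile":
            key = (e["requestParameters"]["userName"], e["sourceIPAddress"])
            profiles.setdefault(key, []).append(
                (e["userIdentity"]["userName"], _ts(e["eventTime"])))
    hits = []
    for e in events:
        if e.get("eventName") != "ConsoleLogin":
            continue
        if (e.get("responseElements") or {}).get("ConsoleLogin") != "Success":
            continue
        key = ((e.get("userIdentity") or {}).get("userName"), e.get("sourceIPAddress"))
        login_at = _ts(e["eventTime"])
        for creator, created_at in profiles.get(key, []):
            if timedelta(0) <= login_at - created_at <= window:
                hits.append({"creator": creator, "new_user": key[0], "src_ip": key[1],
                             "created_at": created_at.isoformat(),
                             "login_at": login_at.isoformat()})
    return hits


# Constructed sample records (names, IPs and times are made up).
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-15T10:00:00Z", "eventName": "CreateLoginProfile",
     "eventSource": "iam.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
     "requestParameters": {"userName": "admin-bob", "passwordResetRequired": False}},
    {"eventTime": "2024-01-15T10:04:30Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "admin-bob"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-15T11:00:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "admin-bob"},
     "responseElements": {"ConsoleLogin": "Success"}},  # different IP: not paired
    {"eventTime": "2024-01-15T09:00:00Z", "eventName": "CreateLoginProfile",
     "eventSource": "iam.amazonaws.com", "sourceIPAddress": "192.0.2.5",
     "userIdentity": {"type": "IAMUser", "userName": "it-onboarding"},
     "requestParameters": {"userName": "new-hire", "passwordResetRequired": True}},
    {"eventTime": "2024-01-15T09:30:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "192.0.2.5",
     "userIdentity": {"type": "IAMUser", "userName": "new-hire"},
     "responseElements": {"ConsoleLogin": "Failure"}},  # failed login: ignored
]

if __name__ == "__main__":
    for hit in correlate_login_profile(SAMPLE_EVENTS):
        print(hit)
```

The it-onboarding record models the legitimate case the page's false-positive note describes: an admin creating a profile for someone else. Whether that pairing surfaces depends on the new user then logging in from the admin's own IP, which is the signal the search keys on.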

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A wide-open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`
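
The policy-document inspection the search performs with spath and a regex, as an added Python example (not the project's code) on a constructed CreatePolicyVersion event. It applies the same action pattern, `^(\*|[\w-]+:\*)$`, to every Allow statement, and handles the IAM quirk that Statement, Action and Resource may each be a single value or a list. Reporting the statement's Resource list and the request's setAsDefault flag is this example's addition: the search matches on wildcard actions only, and setAsDefault (a real CreatePolicyVersion parameter) decides whether the new version takes effect immediately.

```python
"""Find Allow statements with wildcard actions in a CreatePolicyVersion event.
Added example; the sample policy and event are constructed."""
import json
import re

# Same pattern the search applies to each Action: "*" or "<service>:*"
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def _as_list(value):
    """IAM allows Statement, Action and Resource to be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_allow_statements(policy_document):
    """Return one dict per Allow statement that carries a wildcard action.
    Accepts the policy as a dict or as the JSON string CloudTrail records in
    requestParameters.policyDocument."""
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    findings = []
    for st in _as_list(policy_document.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        wild = [a for a in _as_list(st.get("Action")) if WILDCARD_ACTION.match(a)]
        if not wild:
            continue
        resources = _as_list(st.get("Resource"))
        findings.append({"wildcard_actions": wild, "resources": resources,
                         "all_resources": "*" in resources})
    return findings


def review_create_policy_version(event):
    """Apply the search's event filters, then inspect the submitted document.
    Returns None when the event is out of scope or carries no wildcard Allow."""
    if event.get("eventName") != "CreatePolicyVersion":
        return None
    if event.get("eventSource") != "iam.amazonaws.com":
        return None
    if event.get("errorCode") not in (None, "success"):  # absent on success in raw CloudTrail
        return None
    params = event.get("requestParameters") or {}
    findings = wildcard_allow_statements(params.get("policyDocument", "{}"))
    if not findings:
        return None
    return {"policy_arn": params.get("policyArn"),
            "set_as_default": bool(params.get("setAsDefault")),
            "actor": (event.get("userIdentity") or {}).get("arn"),
            "findings": findings}


# Constructed sample policy: one statement matches, three do not.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},      # specific action
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},  # wildcard action
        {"Effect": "Deny", "Action": "*", "Resource": "*"},       # Deny: not an Allow
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},  # prefix, not service:*
    ],
}
SAMPLE_EVENT = {
    "eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com",
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev-alice"},
    "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/app-deploy",
                          "policyDocument": json.dumps(SAMPLE_POLICY),
                          "setAsDefault": True},
}

if __name__ == "__main__":
    print(json.dumps(review_create_policy_version(SAMPLE_EVENT), indent=2))
```

Note that `ec2:Describe*` does not match the pattern: it is a prefix wildcard, not a whole-service grant, so neither the search nor this example flags it. Splunk's `regex` command passes an event when any value of a multivalued field matches; the list comprehension above gives the same any-match behaviour for a statement with several actions.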

Detect New Open S3 buckets

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket, i.e. a PutBucketAcl call that grants the AllUsers or AuthenticatedUsers group access to the bucket.

Detection logic

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl 
| rex field=_raw "(?<json_field>{.+})" 
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} 
| search grantees=* 
| mvexpand grantees 
| spath input=grantees output=uri path=Grantee.URI 
| spath input=grantees output=permission path=Permission 
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") 
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") 
| rename requestParameters.bucketName AS bucketName 
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_filter` 

Detect New Open S3 Buckets over AWS CLI

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the AWS CLI.

Detection logic

`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") 
| rename requestParameters.bucketName AS bucketName 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_over_aws_cli_filter` 
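
The two S3 searches above look at the same PutBucketAcl call in its two request shapes: a full AccessControlPolicy body (console and SDKs), and the x-amz-grant-* headers the AWS CLI sends for its --grant-* options. The Python below is an added example, not the project's code, that parses both shapes from constructed CloudTrail records and reports every grant to the AllUsers or AuthenticatedUsers group. PutBucketAcl applies to an existing bucket, so the same event appears whenever a bucket ACL is rewritten, not only at creation.

```python
"""Extract public-group grants from PutBucketAcl events in either request form.
Added example; the sample records are constructed."""

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
ACL_PERMISSIONS = {"READ", "READ_ACP", "WRITE", "WRITE_ACP", "FULL_CONTROL"}
# aws-cli --grant-* options arrive as these request headers
GRANT_HEADERS = {
    "x-amz-grant-read": "READ",
    "x-amz-grant-read-acp": "READ_ACP",
    "x-amz-grant-write": "WRITE",
    "x-amz-grant-write-acp": "WRITE_ACP",
    "x-amz-grant-full-control": "FULL_CONTROL",
}


def _as_list(value):
    """A single Grant is logged as an object, several as a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_grants(event):
    """Return (bucket, group, permission) for every grant in a PutBucketAcl
    event that hands access to AllUsers or AuthenticatedUsers."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") != "PutBucketAcl":
        return []
    params = event.get("requestParameters") or {}
    bucket = params.get("bucketName")
    hits = []
    # Form 1: AccessControlPolicy body, the path the first search walks with spath
    acl = (params.get("AccessControlPolicy") or {}).get("AccessControlList") or {}
    for grant in _as_list(acl.get("Grant")):
        uri = (grant.get("Grantee") or {}).get("URI")
        perm = grant.get("Permission")
        if uri in PUBLIC_GROUPS and perm in ACL_PERMISSIONS:
            hits.append((bucket, PUBLIC_GROUPS[uri], perm))
    # Form 2: x-amz-grant-* headers; the value looks like uri="http://.../AllUsers"
    headers = params.get("accessControlList") or {}
    for header, perm in GRANT_HEADERS.items():
        value = headers.get(header) or ""
        for uri, group in PUBLIC_GROUPS.items():
            if uri in value:
                hits.append((bucket, group, perm))
    return hits


def find_public_buckets(events):
    """Flatten the grants found across a batch of events."""
    return [hit for e in events for hit in public_grants(e)]


# Constructed sample records.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userAgent": "[S3Console/0.4]",
     "requestParameters": {"bucketName": "example-public-assets",
        "AccessControlPolicy": {"AccessControlList": {"Grant": [
            {"Grantee": {"xsi:type": "CanonicalUser", "ID": "EXAMPLE-CANONICAL-USER-ID"},
             "Permission": "FULL_CONTROL"},   # owner: not a public group
            {"Grantee": {"xsi:type": "Group",
                         "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userAgent": "[aws-cli/2.15.0 ...]",
     "requestParameters": {"bucketName": "example-data-drop",
        "accessControlList": {
            "x-amz-grant-read": 'uri="http://acs.amazonaws.com/groups/global/AllUsers"',
            "x-amz-grant-write-acp": 'uri="http://acs.amazonaws.com/groups/global/AuthenticatedUsers"'}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userAgent": "[aws-cli/2.15.0 ...]",
     "requestParameters": {"bucketName": "example-logs",
        "accessControlList": {
            "x-amz-grant-write": 'uri="http://acs.amazonaws.com/groups/s3/LogDelivery"'}}},  # not public
]

if __name__ == "__main__":
    for hit in find_public_buckets(SAMPLE_EVENTS):
        print(hit)
```

The CLI search matches header values with the wildcards `"*AllUsers"` and `"*AuthenticatedUsers"`; the example checks for the full group URI instead, which keeps the same hits while making the LogDelivery grant's non-match explicit.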

ASL AWS Defense Evasion Delete Cloudtrail

Description

This analytic identifies AWS DeleteTrail events within CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteTrail 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`

AWS Defense Evasion Stop Logging Cloudtrail

Description

This analytic identifies StopLogging events in CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may easily stop logging.

Detection logic

`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `aws_defense_evasion_stop_logging_cloudtrail_filter`

AWS Defense Evasion Delete Cloudtrail

Description

This analytic identifies AWS DeleteTrail events within CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`
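
The defense-evasion rules on this page come in pairs: one over raw CloudTrail (eventName, userAgent, sourceIPAddress, errorCode) and one over Amazon Security Lake (api.operation, http_request.user_agent, src_endpoint.ip, api.response.error). The Python below is an added example, not the project's code, that normalises a record of either shape to one structure and then applies the CloudTrail-side filters (successful, not from the console) to DeleteTrail, StopLogging and DeleteLogGroup. The ASL field names are those the `amazon_security_lake` searches above use; reading the trail or log-group name out of the unmapped{} key/value pairs is this example's assumption, modelled on how the ASL CreateAccessKey search recovers responseElements from unmapped.

```python
"""Normalise CloudTrail and Security Lake records and flag logging teardown.
Added example; all sample records are constructed."""

LOGGING_TEARDOWN = {"DeleteTrail", "StopLogging", "DeleteLogGroup"}
CONSOLE_UA = "console.amazonaws.com"


def normalise_cloudtrail(rec):
    """Raw CloudTrail record -> common shape."""
    params = rec.get("requestParameters") or {}
    return {
        "operation": rec.get("eventName"),
        "service": rec.get("eventSource"),
        "actor": (rec.get("userIdentity") or {}).get("arn"),
        "user_agent": rec.get("userAgent"),
        "src_ip": rec.get("sourceIPAddress"),
        "region": rec.get("awsRegion"),
        # errorCode is absent on success in raw CloudTrail ("success" once normalised)
        "succeeded": rec.get("errorCode") in (None, "success"),
        # DeleteTrail/StopLogging take requestParameters.name, DeleteLogGroup logGroupName
        "resource": params.get("name") or params.get("logGroupName"),
    }


def normalise_asl(rec):
    """Security Lake record -> common shape, using the field names the ASL searches
    on this page rely on. Resource lookup via unmapped{} is an assumption."""
    api = rec.get("api") or {}
    unmapped = {u.get("key"): u.get("value") for u in rec.get("unmapped") or []}
    error = (api.get("response") or {}).get("error")
    return {
        "operation": api.get("operation"),
        "service": (api.get("service") or {}).get("name"),
        "actor": ((rec.get("identity") or {}).get("user") or {}).get("uid"),
        "user_agent": (rec.get("http_request") or {}).get("user_agent"),
        "src_ip": (rec.get("src_endpoint") or {}).get("ip"),
        "region": (rec.get("cloud") or {}).get("region"),
        # the ASL CreateAccessKey search tests api.response.error=null
        "succeeded": error in (None, "", "null"),
        "resource": unmapped.get("requestParameters.name")
                    or unmapped.get("requestParameters.logGroupName"),
    }


def logging_teardown_hits(records):
    """records: iterable of (source, record), source being 'cloudtrail' or 'asl'."""
    hits = []
    for source, raw in records:
        n = normalise_cloudtrail(raw) if source == "cloudtrail" else normalise_asl(raw)
        if n["operation"] in LOGGING_TEARDOWN and n["succeeded"] and n["user_agent"] != CONSOLE_UA:
            hits.append(n)
    return hits


# Constructed sample records.
SAMPLE_RECORDS = [
    ("cloudtrail", {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
                    "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
                    "userAgent": "aws-cli/2.15.0",
                    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
                    "requestParameters": {"name": "org-trail"}}),
    ("cloudtrail", {"eventName": "DeleteTrail", "eventSource": "cloudtrail.amazonaws.com",
                    "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
                    "userAgent": "aws-cli/2.15.0", "errorCode": "AccessDenied",
                    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
                    "requestParameters": {"name": "org-trail"}}),  # denied: dropped
    ("cloudtrail", {"eventName": "DeleteLogGroup", "eventSource": "logs.amazonaws.com",
                    "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.20",
                    "userAgent": "console.amazonaws.com",
                    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-erin"},
                    "requestParameters": {"logGroupName": "/aws/lambda/old-func"}}),  # console: dropped
    ("asl", {"api": {"operation": "DeleteLogGroup", "service": {"name": "logs.amazonaws.com"},
                     "response": {"error": "null"}},
             "identity": {"user": {"uid": "arn:aws:iam::123456789012:user/dev-alice",
                                   "name": "dev-alice"}},
             "http_request": {"user_agent": "Boto3/1.34.0"},
             "src_endpoint": {"ip": "203.0.113.10"},
             "cloud": {"region": "us-east-1"},
             "unmapped": [{"key": "requestParameters.logGroupName",
                           "value": "/aws/cloudtrail/org-trail"}]}),
]

if __name__ == "__main__":
    for hit in logging_teardown_hits(SAMPLE_RECORDS):
        print(hit)
```

One difference between the pairs is visible in the searches themselves: the CloudTrail versions exclude console.amazonaws.com and require errorCode = success, while the ASL versions filter on api.operation alone. The example applies the stricter set to both sources, so a console-driven DeleteLogGroup (the third record) is dropped here but would still be returned by the ASL search.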

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A wide-open AWS IAM policy, especially one introduced through a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`
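The wildcard check above, recast as an added Python example over a CloudTrail record whose requestParameters.policyDocument holds the policy JSON as a string, the form that spath parses (this is not Splunk's code). It goes slightly beyond the SPL in normalising Statement and Action, each of which IAM allows as either a single value or a list, before applying the same regex; the sample policies and record are constructed.

```python
# Added example, not Splunk's code: the CreatePolicyVersion wildcard-action check.
# Assumptions: policyDocument arrives as a JSON string (or an already-parsed dict), and
# Statement/Action may each be a single value or a list.
import json
import re

# Same pattern as the SPL regex: either "*" alone or "<service>:*" and nothing else.
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def _as_list(value):
    """IAM lets Statement and Action be a single value or a list; treat both uniformly."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_allow_actions(policy_document):
    """Return the Allow actions that match the wildcard pattern, in document order."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    hits = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":          # the SPL's "search effect=Allow"
            continue
        for action in _as_list(stmt.get("Action")):
            if WILDCARD_ACTION.match(action):
                hits.append(action)
    return hits


def evaluate_record(rec):
    """Apply the rule's base filters to one CloudTrail record; return the offending actions."""
    if (rec.get("eventName") != "CreatePolicyVersion"
            or rec.get("eventSource") != "iam.amazonaws.com"
            or "errorCode" in rec):                 # success: CloudTrail omits errorCode
        return []
    policy = rec.get("requestParameters", {}).get("policyDocument")
    return wildcard_allow_actions(policy) if policy else []


# Constructed sample policies and record, not real data.
ADMIN_POLICY = json.dumps({"Version": "2012-10-17",
                           "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}})
SERVICE_WILDCARD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "iam:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "arn:aws:s3:::finance-reports/*"}]})
PREFIX_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "ec2:Describe*"], "Resource": "*"}]})

SAMPLE_RECORD = {"eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com",
                 "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/app",
                                       "policyDocument": SERVICE_WILDCARD_POLICY,
                                       "setAsDefault": True}}
FAILED_RECORD = dict(SAMPLE_RECORD, errorCode="AccessDenied")

if __name__ == "__main__":
    print(wildcard_allow_actions(ADMIN_POLICY))      # ['*']
    print(wildcard_allow_actions(PREFIX_POLICY))     # []  ("s3:Get*" is outside the pattern)
    print(evaluate_record(SAMPLE_RECORD))            # ['iam:*']
```

Two properties of the page's regex are worth knowing when tuning it: a Deny statement with "*" is ignored because of the Effect filter, and action-prefix wildcards such as "s3:Get*" do not match `^(\*|[\w-]+:\*)$`, so broad but service-scoped grants pass through. The rule inspects Action only; the Resource element is not part of the match, despite the rule's title.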

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the old victim (user A).

Detection logic

 `cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`
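The UpdateLoginProfile and CreateAccessKey rules above share one test: the caller's userIdentity.userName differs from the requestParameters.userName being acted on. As an added Python example serving both rules (not Splunk's code), the logic is recast over raw CloudTrail records. One deliberate difference, stated here as an assumption of the example: the SPL uses match(), which treats the second argument as a regular expression, whereas this version compares the two names for exact equality, so a caller named "bob" acting on "bobby" is flagged rather than matched. A record with no target userName is treated as a self-service call and skipped, which is this example's choice rather than something the SPL states. The sample records are constructed.

```python
# Added example, not Splunk's code: the cross-user credential-change check shared by the
# UpdateLoginProfile and CreateAccessKey rules, over raw CloudTrail records.
# Assumptions: exact string comparison replaces the SPL's regex-based match(); a missing
# requestParameters.userName is treated as the caller acting on its own user.
from collections import Counter

WATCHED_EVENTS = {"CreateAccessKey", "UpdateLoginProfile"}
CONSOLE_UA = "console.amazonaws.com"


def is_cross_user_credential_change(rec):
    """True when a successful non-console call targets a user other than the caller."""
    if rec.get("eventName") not in WATCHED_EVENTS:
        return False
    if rec.get("userAgent") == CONSOLE_UA or "errorCode" in rec:
        return False
    target = rec.get("requestParameters", {}).get("userName")
    if target is None:
        return False  # assumption: no target name means the caller acted on itself
    actor = rec.get("userIdentity", {}).get("userName")
    # Assumed-role sessions carry no userName, so they can never equal the target and are
    # flagged, mirroring the SPL where match() on a missing field yields match=0.
    return actor != target


def summarize(records):
    """The stats stage: count matches per (eventName, actor ARN, target user, source IP)."""
    counts = Counter()
    for rec in records:
        if is_cross_user_credential_change(rec):
            counts[(rec["eventName"],
                    rec.get("userIdentity", {}).get("arn"),
                    rec["requestParameters"]["userName"],
                    rec.get("sourceIPAddress"))] += 1
    return counts


# Constructed sample records, not real data.
SAMPLE_EVENTS = [
    # alice creates a key for bob from the CLI: flagged
    {"eventName": "CreateAccessKey", "userAgent": "aws-cli/2.15.0",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userName": "bob"}},
    # bob rotates his own key: not flagged
    {"eventName": "CreateAccessKey", "userAgent": "aws-cli/2.15.0",
     "sourceIPAddress": "198.51.100.8",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"userName": "bob"}},
    # done in the console: excluded by the userAgent filter
    {"eventName": "UpdateLoginProfile", "userAgent": "console.amazonaws.com",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userName": "carol"}},
    # denied attempt: excluded by the success filter
    {"eventName": "CreateAccessKey", "userAgent": "aws-cli/2.15.0",
     "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userName": "bob"}},
    # an assumed-role session resets dave's console password: flagged
    {"eventName": "UpdateLoginProfile", "userAgent": "Boto3/1.34.0",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/session1"},
     "requestParameters": {"userName": "dave"}},
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_EVENTS).items():
        print(n, *key)
```

Two of the five constructed records survive: alice's key creation for bob and the role session's password reset for dave. The role-session case is the one to keep in mind when triaging, since CI/CD or break-glass roles that legitimately manage IAM users will appear here and belong in the rule's filter macro.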

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A who has already permission to update login profile, makes an API call to update login profile for another user B . Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B)

Detection logic

 `cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`

Detect New Open S3 buckets

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket.

Detection logic

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl 
| rex field=_raw "(?<json_field>{.+})" 
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} 
| search grantees=* 
| mvexpand grantees 
| spath input=grantees output=uri path=Grantee.URI 
| spath input=grantees output=permission path=Permission 
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") 
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") 
| rename requestParameters.bucketName AS bucketName 
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_filter` 

Detect New Open S3 Buckets over AWS CLI

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the AWS CLI.

Detection logic

`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") 
| rename requestParameters.bucketName AS bucketName 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_over_aws_cli_filter` 
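Both PutBucketAcl rules above look for the same condition in two request shapes: a grant to the global AllUsers or AuthenticatedUsers group, either in an AccessControlPolicy body or in the x-amz-grant-* headers the AWS CLI sends. As an added example (not code from the original page or from the rule content it quotes), the Python below applies that logic to constructed CloudTrail records; the record shapes are assumed from CloudTrail's PutBucketAcl JSON, and unlike the CLI rule it also treats x-amz-grant-read as a public grant.

```python
# Grantee groups that make a bucket readable or writable by the world / any AWS account.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
RISKY_PERMISSIONS = {"READ", "READ_ACP", "WRITE", "WRITE_ACP", "FULL_CONTROL"}
# aws-cli requests carry grants as x-amz-grant-* headers instead of an
# AccessControlPolicy body; each header confers one ACL permission.
GRANT_HEADERS = {
    "x-amz-grant-read": "READ", "x-amz-grant-read-acp": "READ_ACP",
    "x-amz-grant-write": "WRITE", "x-amz-grant-write-acp": "WRITE_ACP",
    "x-amz-grant-full-control": "FULL_CONTROL",
}


def policy_public_grants(params):
    """Public (uri, permission) pairs from an AccessControlPolicy body (console/SDK form)."""
    acl = (params.get("AccessControlPolicy") or {}).get("AccessControlList") or {}
    grants = acl.get("Grant", [])
    if isinstance(grants, dict):  # a single grant is serialised as an object, not a list
        grants = [grants]
    found = []
    for grant in grants:
        uri = (grant.get("Grantee") or {}).get("URI")
        permission = grant.get("Permission")
        if uri in PUBLIC_GROUPS and permission in RISKY_PERMISSIONS:
            found.append((uri, permission))
    return found


def header_public_grants(params):
    """Public (uri, permission) pairs from x-amz-grant-* headers (aws-cli --grant-* form)."""
    headers = params.get("accessControlList") or {}
    found = []
    for header, permission in GRANT_HEADERS.items():
        # A header may list several grantees, e.g. "id=...,uri=...".
        for grantee in (headers.get(header) or "").split(","):
            grantee = grantee.strip()
            if grantee.startswith("uri=") and grantee[4:] in PUBLIC_GROUPS:
                found.append((grantee[4:], permission))
    return found


def open_bucket_findings(events):
    """One finding per public grant across a list of CloudTrail records."""
    findings = []
    for event in events:
        if (event.get("eventSource") != "s3.amazonaws.com"
                or event.get("eventName") != "PutBucketAcl"):
            continue
        params = event.get("requestParameters") or {}
        for uri, permission in policy_public_grants(params) + header_public_grants(params):
            findings.append({
                "bucket": params.get("bucketName"),
                "user_arn": (event.get("userIdentity") or {}).get("arn"),
                "grantee": uri,
                "permission": permission,
            })
    return findings


# Constructed sample records (not real CloudTrail data), shaped like the two
# request forms the rules above inspect.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
SAMPLE_EVENTS = [
    {   # console-style body: owner keeps FULL_CONTROL, everyone gets READ
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-dev"},
        "requestParameters": {
            "bucketName": "example-public-assets",
            "AccessControlPolicy": {"AccessControlList": {"Grant": [
                {"Grantee": {"xsi:type": "CanonicalUser", "ID": "EXAMPLEOWNERID"},
                 "Permission": "FULL_CONTROL"},
                {"Grantee": {"xsi:type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
            ]}}}},
    {   # aws-cli headers: FULL_CONTROL to any authenticated AWS account
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "userAgent": "[aws-cli/2.0.0 Python/3.8.0 Linux/5.4.0 botocore/2.0.0]",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-ops"},
        "requestParameters": {
            "bucketName": "example-shared-drop",
            "accessControlList": {
                "x-amz-grant-full-control": "id=EXAMPLEOWNERID, uri=" + AUTH_USERS}}},
    {   # LogDelivery is not a public group: must not fire
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-ops"},
        "requestParameters": {
            "bucketName": "example-access-logs",
            "AccessControlPolicy": {"AccessControlList": {"Grant": [
                {"Grantee": {"xsi:type": "Group",
                             "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
                 "Permission": "WRITE"}]}}}},
]

if __name__ == "__main__":
    for finding in open_bucket_findings(SAMPLE_EVENTS):
        print(finding)
```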

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`
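The rule's core test is the regex on each Allow statement's Action: a bare "*" or a service-wide "service:*". As an added example, not code from the original page, the Python below applies that check to constructed CloudTrail CreatePolicyVersion records, handling Action given as either a string or a list and skipping Deny statements and failed calls; the record shapes are assumed from CloudTrail's JSON format, where policyDocument arrives as a JSON string.

```python
import json
import re

# Same pattern as the Splunk rule: a bare "*" or a service-wide "service:*" action.
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def wildcard_allow_statements(policy_document):
    """Allow statements whose Action is, or contains, a wildcard action."""
    if isinstance(policy_document, str):  # CloudTrail stores policyDocument as a JSON string
        policy_document = json.loads(policy_document)
    statements = policy_document.get("Statement", [])
    if isinstance(statements, dict):  # IAM allows a single statement object here
        statements = [statements]
    flagged = []
    for statement in statements:
        if statement.get("Effect") != "Allow":
            continue  # Deny statements with "*" are restrictive, not permissive
        actions = statement.get("Action", [])
        if isinstance(actions, str):  # Action may be a string or a list
            actions = [actions]
        if any(WILDCARD_ACTION.match(action) for action in actions):
            flagged.append(statement)
    return flagged


def evaluate_create_policy_version(event):
    """Apply the rule to one raw CloudTrail record; return a finding or None."""
    if (event.get("eventSource") != "iam.amazonaws.com"
            or event.get("eventName") != "CreatePolicyVersion"):
        return None
    # Raw CloudTrail omits errorCode on success; the Splunk add-on maps that
    # absence to errorCode=success, which is what the SPL filters on.
    if event.get("errorCode"):
        return None
    params = event.get("requestParameters") or {}
    if not params.get("policyDocument"):
        return None
    flagged = wildcard_allow_statements(params["policyDocument"])
    if not flagged:
        return None
    return {
        "user_arn": (event.get("userIdentity") or {}).get("arn"),
        "policy_arn": params.get("policyArn"),
        "set_as_default": bool(params.get("setAsDefault")),
        "policy_added": flagged,
    }


def run_rule(events):
    """Findings for every qualifying record in a list of CloudTrail events."""
    return [f for f in map(evaluate_create_policy_version, events) if f]


def _policy(*statements):
    return json.dumps({"Version": "2012-10-17", "Statement": list(statements)})


# Constructed sample records (not real CloudTrail data).
SAMPLE_EVENTS = [
    {   # Allow with "*" buried in an Action list: must fire
        "eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-dev"},
        "requestParameters": {
            "policyArn": "arn:aws:iam::123456789012:policy/example-app",
            "setAsDefault": True,
            "policyDocument": _policy(
                {"Effect": "Allow", "Action": ["s3:GetObject", "*"], "Resource": "*"},
                {"Effect": "Deny", "Action": "iam:*", "Resource": "*"})}},
    {   # service-wide wildcard "ec2:*" as a plain string: must fire
        "eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-ops"},
        "requestParameters": {
            "policyArn": "arn:aws:iam::123456789012:policy/example-ops",
            "policyDocument": _policy(
                {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"})}},
    {   # scoped actions only: must not fire
        "eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-dev"},
        "requestParameters": {
            "policyArn": "arn:aws:iam::123456789012:policy/example-app",
            "policyDocument": _policy(
                {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                 "Resource": "arn:aws:s3:::example-bucket/*"})}},
    {   # wildcard, but the call was denied: must not fire
        "eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
        "errorCode": "AccessDenied",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-contractor"},
        "requestParameters": {
            "policyArn": "arn:aws:iam::123456789012:policy/example-app",
            "policyDocument": _policy(
                {"Effect": "Allow", "Action": "*", "Resource": "*"})}},
]

if __name__ == "__main__":
    for finding in run_rule(SAMPLE_EVENTS):
        print(json.dumps(finding, indent=2))
```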

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`
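The policyDocument inspection the rule performs with spath and regex, as an added Python example (not the LoFP page's or the Splunk project's own code) run over constructed CloudTrail CreatePolicyVersion events. It applies the rule's own pattern, `^(\*|[\w-]+:\*)$`, and handles the two shapes Statement and Action may take in IAM JSON (a single object or string, or a list). Note that the pattern inspects Action, not Resource; the example reports each flagged statement's Resource alongside the matched actions so an analyst sees both. The policy ARN and user names are placeholders.

```python
import json
import re

# Same pattern the rule applies: a bare "*" or a whole-service wildcard
# such as "s3:*" or "iam:*". Partial wildcards like "s3:Get*" do not match.
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def _as_list(value):
    """IAM JSON allows a single object/string or a list in many places."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_allow_statements(policy_document):
    """policy_document is the JSON string CloudTrail stores in
    requestParameters.policyDocument. Returns the Allow statements whose
    Action list contains a wildcard matching WILDCARD_ACTION."""
    doc = json.loads(policy_document)
    flagged = []
    for statement in _as_list(doc.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        wild = [a for a in _as_list(statement.get("Action")) if WILDCARD_ACTION.match(a)]
        if wild:
            flagged.append({
                "actions": wild,
                "resource": _as_list(statement.get("Resource")),
            })
    return flagged


def check_create_policy_version(event):
    """Apply the rule's preconditions (IAM CreatePolicyVersion, no error)
    and return the flagged statements, or [] if the event is out of scope."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return []
    if event.get("eventName") != "CreatePolicyVersion":
        return []
    if "errorCode" in event:   # CloudTrail omits errorCode on success
        return []
    doc = event.get("requestParameters", {}).get("policyDocument")
    return wildcard_allow_statements(doc) if doc else []


def _event(policy, **overrides):
    """Build a constructed CloudTrail event (sample data, not real logs)."""
    ev = {
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreatePolicyVersion",
        "userIdentity": {"type": "IAMUser", "userName": "svc-ci"},
        "requestParameters": {
            "policyArn": "arn:aws:iam::123456789012:policy/PLACEHOLDER-POLICY",
            "policyDocument": json.dumps(policy),
            "setAsDefault": True,
        },
    }
    ev.update(overrides)
    return ev


WIDE_OPEN_EVENT = _event({"Version": "2012-10-17",
                          "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}})
SERVICE_WILDCARD_EVENT = _event({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "iam:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*"},   # Deny statements are ignored
]})
SCOPED_EVENT = _event({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:Get*"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
]})
DENIED_EVENT = _event({"Version": "2012-10-17",
                       "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}},
                      errorCode="AccessDenied")

if __name__ == "__main__":
    for label, ev in [("wide open", WIDE_OPEN_EVENT), ("service wildcard", SERVICE_WILDCARD_EVENT),
                      ("scoped", SCOPED_EVENT), ("denied", DENIED_EVENT)]:
        print(label, check_create_policy_version(ev))
```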

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the original victim (user A).

Detection logic

 `cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`
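The "caller is not the target user" check shared by the AWS UpdateLoginProfile rule above and this AWS CreateAccessKey rule, as one added Python example (not the LoFP page's or the Splunk project's own code) over constructed CloudTrail events. It reproduces the three conditions both rules apply (non-console user agent, no errorCode, caller differs from requestParameters.userName) and compares the two names by exact string equality. That differs from the SPL, where match(userIdentity.userName, requestParameters.userName) treats the target name as an unanchored regular expression over the caller's name, so a caller such as "bob-admin" acting on "bob" is counted as the same user and dropped; spl_match_semantics() below shows that comparison so the two behaviours can be contrasted. Including CreateLoginProfile in the watched operation set, the user-agent string and all names are assumptions.

```python
import re

# The operations the two rules watch; CreateLoginProfile is added here as the
# natural third member of the family (an assumption, not from the page).
CROSS_USER_OPERATIONS = {"CreateAccessKey", "UpdateLoginProfile", "CreateLoginProfile"}
CONSOLE_USER_AGENT = "console.amazonaws.com"


def actor_name(event):
    """userIdentity.userName exists for IAM users; assumed-role sessions carry
    the session name in the ARN instead, so fall back to that."""
    identity = event.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn")


def cross_user_credential_ops(events):
    """Replicate the filter of both rules: an API (non-console) call that
    succeeded and whose target user differs from the caller. The comparison
    is exact equality, so 'bob-admin' acting on 'bob' is reported."""
    hits = []
    for ev in events:
        if ev.get("eventName") not in CROSS_USER_OPERATIONS:
            continue
        if ev.get("userAgent") == CONSOLE_USER_AGENT:
            continue
        if "errorCode" in ev:            # CloudTrail omits errorCode on success
            continue
        actor = actor_name(ev)
        target = ev.get("requestParameters", {}).get("userName")
        if not target or actor == target:
            continue
        hits.append({"eventName": ev["eventName"], "actor": actor,
                     "target": target, "src": ev.get("sourceIPAddress")})
    return hits


def spl_match_semantics(actor, target):
    """How the SPL's match(userIdentity.userName, requestParameters.userName)
    compares the names: the target is used as an unanchored regex over the
    actor, so a target that is a substring of the actor reads as 'same user'."""
    return re.search(target, actor) is not None


def _ev(name, actor, target, user_agent="aws-cli/2.x", **extra):
    """Constructed CloudTrail event (sample data, not real logs)."""
    ev = {"eventSource": "iam.amazonaws.com", "eventName": name, "userAgent": user_agent,
          "sourceIPAddress": "203.0.113.5",
          "userIdentity": {"type": "IAMUser", "userName": actor},
          "requestParameters": {"userName": target}}
    ev.update(extra)
    return ev


SAMPLE_EVENTS = [
    _ev("CreateAccessKey", "alice", "alice"),                      # self-service: ignored
    _ev("CreateAccessKey", "svc-ci", "break-glass-admin"),         # reported
    _ev("UpdateLoginProfile", "bob-admin", "bob"),                 # reported here, missed by SPL match()
    _ev("CreateAccessKey", "svc-ci", "ops", user_agent=CONSOLE_USER_AGENT),  # console: excluded
    _ev("CreateAccessKey", "svc-ci", "ops", errorCode="AccessDenied"),        # failed: excluded
    _ev("CreateLoginProfile", "svc-ci", "carol"),                  # reported (assumed operation)
]

if __name__ == "__main__":
    for hit in cross_user_credential_ops(SAMPLE_EVENTS):
        print(hit)
```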

Detect New Open S3 buckets

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket.

Detection logic

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl 
| rex field=_raw "(?<json_field>{.+})" 
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} 
| search grantees=* 
| mvexpand grantees 
| spath input=grantees output=uri path=Grantee.URI 
| spath input=grantees output=permission path=Permission 
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") 
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") 
| rename requestParameters.bucketName AS bucketName 
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_filter` 

Detect New Open S3 Buckets over AWS CLI

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the AWS CLI.

Detection logic

`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") 
| rename requestParameters.bucketName AS bucketName 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_over_aws_cli_filter` 
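The public-grant test behind both S3 rules above (Detect New Open S3 buckets and Detect New Open S3 Buckets over AWS CLI), as one added Python example that is not the LoFP page's or the Splunk project's own code. A PutBucketAcl call lands in CloudTrail in one of two shapes, which the two rules split between them: an ACL body under requestParameters.AccessControlPolicy.AccessControlList.Grant, or x-amz-grant-* headers under requestParameters.accessControlList. The example checks both for the AllUsers and AuthenticatedUsers group URIs the rules name. The header value format (`uri="..."`, comma-separated) and all bucket names and IDs are assumptions.

```python
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# x-amz-grant-* header -> ACL permission it grants
GRANT_HEADERS = {
    "x-amz-grant-read": "READ",
    "x-amz-grant-read-acp": "READ_ACP",
    "x-amz-grant-write": "WRITE",
    "x-amz-grant-write-acp": "WRITE_ACP",
    "x-amz-grant-full-control": "FULL_CONTROL",
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_grants(event):
    """Return (bucket, grantee_uri, permission) for every grant to AllUsers or
    AuthenticatedUsers in a PutBucketAcl event, whichever request shape was used."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") != "PutBucketAcl":
        return []
    params = event.get("requestParameters", {})
    bucket = params.get("bucketName")
    found = []

    # Shape 1: ACL sent as a body -> AccessControlPolicy.AccessControlList.Grant[]
    acl = params.get("AccessControlPolicy", {}).get("AccessControlList", {})
    for grant in _as_list(acl.get("Grant")):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEE_URIS:
            found.append((bucket, uri, grant.get("Permission")))

    # Shape 2: x-amz-grant-* headers; assumed value format is a comma-separated
    # list of key=value grantees such as uri="http://acs.amazonaws.com/groups/global/AllUsers"
    headers = params.get("accessControlList", {})
    for header, permission in GRANT_HEADERS.items():
        for grantee in str(headers.get(header, "")).split(","):
            key, _, value = grantee.strip().partition("=")
            value = value.strip().strip('"')
            if key.strip() == "uri" and value in PUBLIC_GRANTEE_URIS:
                found.append((bucket, value, permission))
    return found


# Constructed sample events (not real CloudTrail data).
XML_SHAPE_EVENT = {
    "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
    "userAgent": "[S3Console/0.4]",
    "requestParameters": {
        "bucketName": "example-data-bucket",
        "AccessControlPolicy": {"AccessControlList": {"Grant": [
            {"Grantee": {"xsi:type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
             "Permission": "FULL_CONTROL"},
            {"Grantee": {"xsi:type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"},
        ]}},
    },
}
HEADER_SHAPE_EVENT = {
    "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
    "userAgent": "aws-cli/2.x",
    "requestParameters": {
        "bucketName": "example-data-bucket",
        "accessControlList": {
            "x-amz-grant-read": 'uri="http://acs.amazonaws.com/groups/global/AuthenticatedUsers"',
            "x-amz-grant-full-control": 'id="OWNER-CANONICAL-ID-PLACEHOLDER"',
        },
    },
}
PRIVATE_EVENT = {
    "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
    "requestParameters": {
        "bucketName": "example-data-bucket",
        "accessControlList": {"x-amz-grant-full-control": 'id="OWNER-CANONICAL-ID-PLACEHOLDER"'},
    },
}

if __name__ == "__main__":
    for ev in (XML_SHAPE_EVENT, HEADER_SHAPE_EVENT, PRIVATE_EVENT):
        print(public_grants(ev))
```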

ASL AWS Defense Evasion Delete Cloudtrail

Description

This analytic identifies AWS DeleteTrail events within CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteTrail 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`

AWS Defense Evasion Stop Logging Cloudtrail

Description

This analytic identifies StopLogging events in CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may easily stop logging.

Detection logic

`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `aws_defense_evasion_stop_logging_cloudtrail_filter`

AWS Defense Evasion Delete Cloudtrail

Description

This analytic identifies AWS DeleteTrail events within CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`

AWS Lambda UpdateFunctionCode

Description

This analytic is designed to detect IAM users attempting to update or modify AWS Lambda function code via the AWS CLI to gain persistence, further access into your AWS environment, and to facilitate planting backdoors. In this instance, an attacker may upload malicious code or a binary to a Lambda function, which will be executed automatically when the function is triggered.

Detection logic

`cloudtrail` eventSource=lambda.amazonaws.com eventName=UpdateFunctionCode*  errorCode = success  user_type=IAMUser 
| stats  count min(_time) as firstTime max(_time) as lastTime  values(requestParameters.functionName) as function_updated by src_ip user_arn user_agent user_type eventName aws_account_id 
|`aws_lambda_updatefunctioncode_filter`

AWS Defense Evasion Update Cloudtrail

Description

This analytic identifies UpdateTrail events in CloudTrail logs. Attackers may evade the logging capability by updating the trail settings and impairing them with wrong parameters. For example, attackers may change a multi-region trail into a single-region trail, which stops logging for the other regions. When the adversary has the right type of permissions in the compromised AWS environment, they may update the settings of the CloudTrail trail that is logging activities in your environment.

Detection logic

`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the original victim (user A).

Detection logic

`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`
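The actor-versus-target comparison that the ASL AWS CreateAccessKey, AWS UpdateLoginProfile and AWS CreateAccessKey queries above perform, as one added Python example (not Splunk's or the page's code) run over constructed CloudTrail records. Field names are CloudTrail's; the user names, role session, user agents, source IP and account id are made up.

```python
CONSOLE_USER_AGENT = "console.amazonaws.com"
WATCHED_EVENTS = {"CreateAccessKey", "UpdateLoginProfile"}


def actor_name(event):
    """Name of the identity making the call, as the queries read it."""
    ident = event.get("userIdentity") or {}
    if ident.get("userName"):
        return ident["userName"]
    # Assumed-role sessions carry no userName; their ARN ends in the session
    # name (arn:aws:sts::<account>:assumed-role/<role>/<session>). Use it so
    # the event is still compared rather than skipped.
    arn = ident.get("arn") or ""
    return arn.rsplit("/", 1)[-1] if "/" in arn else None


def is_cross_user(event):
    """True when the caller changes credentials of a different IAM user.

    Two details that the SPL glosses over:
    * CreateAccessKey's UserName parameter is optional and defaults to the
      caller, so a missing target is the caller acting on itself, not a hit.
    * The comparison is exact. The CloudTrail queries use match(actor, target),
      a regex match, so a target "alice" would also match an actor
      "alice-admin" and that cross-user event would be suppressed.
    """
    actor = actor_name(event)
    target = (event.get("requestParameters") or {}).get("userName")
    if target is None:
        target = actor
    return actor is not None and actor != target


def cross_user_credential_changes(events):
    """Apply the queries' filters: watched eventName, not made from the console,
    successful (CloudTrail omits errorCode on success) and actor != target."""
    hits = []
    for ev in events:
        if ev.get("eventName") not in WATCHED_EVENTS:
            continue
        if ev.get("userAgent") == CONSOLE_USER_AGENT or "errorCode" in ev:
            continue
        if not is_cross_user(ev):
            continue
        hits.append({
            "eventName": ev["eventName"],
            "actor": actor_name(ev),
            "target": (ev.get("requestParameters") or {}).get("userName"),
            "src": ev.get("sourceIPAddress"),
        })
    return hits


def _event(name, actor, target=None, agent="aws-cli/2.15.0", error=None):
    """Constructed IAM-user CloudTrail record (not real output); placeholders."""
    ev = {
        "eventName": name, "eventSource": "iam.amazonaws.com",
        "userAgent": agent, "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": actor,
                         "arn": f"arn:aws:iam::111122223333:user/{actor}"},
        "requestParameters": {} if target is None else {"userName": target},
    }
    if error:
        ev["errorCode"] = error
    return ev


SAMPLE_EVENTS = [
    _event("CreateAccessKey", "alice", "bob"),                    # hit
    _event("CreateAccessKey", "bob"),                             # self, no UserName: not a hit
    _event("UpdateLoginProfile", "alice-admin", "alice"),         # hit; a regex match() would miss it
    _event("UpdateLoginProfile", "carol", "dave", agent=CONSOLE_USER_AGENT),  # console: excluded
    _event("CreateAccessKey", "alice", "bob", error="AccessDenied"),          # failed: excluded
    {   # role session creating a key for a user: hit, compared by session name
        "eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
        "userAgent": "aws-sdk-go/1.44", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci-run-42"},
        "requestParameters": {"userName": "bob"},
    },
]

if __name__ == "__main__":
    for hit in cross_user_credential_changes(SAMPLE_EVENTS):
        print(hit)
```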

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade logging by deleting the log group in CloudWatch, which stops logs and metrics from being sent to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Detect New Open S3 buckets

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket.

Detection logic

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl 
| rex field=_raw "(?<json_field>{.+})" 
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} 
| search grantees=* 
| mvexpand grantees 
| spath input=grantees output=uri path=Grantee.URI 
| spath input=grantees output=permission path=Permission 
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") 
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") 
| rename requestParameters.bucketName AS bucketName 
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_filter` 

Detect New Open S3 Buckets over AWS CLI

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the AWS CLI.

Detection logic

`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") 
| rename requestParameters.bucketName AS bucketName 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_over_aws_cli_filter` 
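The public-grantee check behind both S3 queries above, as one added Python example (not Splunk's or the page's code): it handles the full ACL body the first query unpacks with spath and the x-amz-grant-* header form the second query matches, over constructed PutBucketAcl records. Bucket names, user agents, the canonical-user id and account id are placeholders.

```python
import re

# The two global grantee groups both queries look for.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Header form used by the CLI (second query) and the permission each grants.
GRANT_HEADERS = {
    "x-amz-grant-read": "READ",
    "x-amz-grant-read-acp": "READ_ACP",
    "x-amz-grant-write": "WRITE",
    "x-amz-grant-write-acp": "WRITE_ACP",
    "x-amz-grant-full-control": "FULL_CONTROL",
}


def _as_list(value):
    """A single Grant may be logged as an object rather than a one-element list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_grants(event):
    """(grantee URI, permission) pairs in a PutBucketAcl record that open the
    bucket to AllUsers or AuthenticatedUsers, from either request shape."""
    params = event.get("requestParameters") or {}
    found = []
    # Shape 1: full ACL body, XML rendered as JSON (the first query's spath path
    # requestParameters.AccessControlPolicy.AccessControlList.Grant{}).
    acl = (params.get("AccessControlPolicy") or {}).get("AccessControlList") or {}
    for grant in _as_list(acl.get("Grant")):
        uri = (grant.get("Grantee") or {}).get("URI")
        if uri in PUBLIC_GRANTEES:
            found.append((uri, grant.get("Permission")))
    # Shape 2: x-amz-grant-* headers, each holding uri="..." grantees (second query).
    headers = params.get("accessControlList") or {}
    for header, permission in GRANT_HEADERS.items():
        for uri in re.findall(r'uri="([^"]+)"', headers.get(header) or ""):
            if uri in PUBLIC_GRANTEES:
                found.append((uri, permission))
    return found


def open_bucket_acl_events(events):
    """Filter like the queries (eventSource s3.amazonaws.com, eventName
    PutBucketAcl) and keep records carrying at least one public grant."""
    hits = []
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") != "PutBucketAcl":
            continue
        grants = public_grants(ev)
        if grants:
            hits.append({
                "bucketName": (ev.get("requestParameters") or {}).get("bucketName"),
                "user_arn": (ev.get("userIdentity") or {}).get("arn"),
                "userAgent": ev.get("userAgent"),
                "grants": grants,
            })
    return hits


def _event(bucket, params, agent):
    """Constructed PutBucketAcl record (not real CloudTrail output)."""
    return {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
            "userAgent": agent,
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/web-admin"},
            "requestParameters": {"bucketName": bucket, **params}}


ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
OWNER = {"Grantee": {"xsi:type": "CanonicalUser", "ID": "EXAMPLE_CANONICAL_ID"},
         "Permission": "FULL_CONTROL"}

SAMPLE_EVENTS = [
    # Full ACL body: owner plus public READ -> hit.
    _event("site-assets", {"AccessControlPolicy": {"AccessControlList": {"Grant": [
        OWNER, {"Grantee": {"xsi:type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}}},
        "[S3Console/0.4]"),
    # Single Grant logged as an object, to the non-public log-delivery group -> not a hit.
    _event("access-logs", {"AccessControlPolicy": {"AccessControlList": {"Grant":
        {"Grantee": {"xsi:type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
         "Permission": "WRITE"}}}}, "[S3Console/0.4]"),
    # CLI header form granting AuthenticatedUsers WRITE -> hit.
    _event("uploads", {"accessControlList": {
        "x-amz-grant-write": f'uri="{AUTH_USERS}"',
        "x-amz-grant-full-control": 'id="EXAMPLE_CANONICAL_ID"'}}, "[aws-cli/2.15.0]"),
    # CLI owner-only ACL -> not a hit.
    _event("private-data", {"accessControlList": {
        "x-amz-grant-full-control": 'id="EXAMPLE_CANONICAL_ID"'}}, "[aws-cli/2.15.0]"),
]

if __name__ == "__main__":
    for hit in open_bucket_acl_events(SAMPLE_EVENTS):
        print(hit["bucketName"], hit["grants"])
```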

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`
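
The following Python is an added example, not code from the original page or from the Splunk security content project. It applies the same test as the search above (Allow statements whose Action is * or service:*) to raw CloudTrail records, handles Statement and Action given either as a single item or as a list, and additionally surfaces requestParameters.setAsDefault, which the search ignores. The CloudTrail records are constructed for the demonstration; account IDs and user names are placeholders.

```python
import json
import re

# Same pattern as the search: a bare "*" or a service-wide wildcard such as "iam:*".
# Partial wildcards such as "ec2:Describe*" do not match, just as in the search.
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def _as_list(value):
    """IAM allows Statement and Action to be a single item or a list."""
    return value if isinstance(value, list) else [value]


def wildcard_allow_statements(policy_document):
    """Return the Allow statements whose Action list contains a wildcard action.

    CloudTrail stores requestParameters.policyDocument as a JSON string, which
    is why the search runs spath over it; a parsed dict is accepted here as well.
    """
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    hits = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if any(WILDCARD_ACTION.match(a) for a in actions):
            hits.append(stmt)
    return hits


def detect_wildcard_policy_versions(events):
    """Mirror of the search over raw CloudTrail records: successful IAM
    CreatePolicyVersion calls whose new document contains a wildcard Allow."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com" or ev.get("eventName") != "CreatePolicyVersion":
            continue
        # Raw CloudTrail carries errorCode only on failed calls; the Splunk
        # add-on maps its absence to errorCode=success, which the search keys on.
        if "errorCode" in ev:
            continue
        params = ev.get("requestParameters") or {}
        hits = wildcard_allow_statements(params.get("policyDocument", "{}"))
        if hits:
            findings.append({
                "user_arn": ev.get("userIdentity", {}).get("arn"),
                "policy_arn": params.get("policyArn"),
                # The search does not look at this flag; a version only takes
                # effect once it is the default, so it is worth surfacing.
                "set_as_default": bool(params.get("setAsDefault", False)),
                "statements": hits,
            })
    return findings


# Constructed CloudTrail records for the demonstration (not real log data).
SAMPLE_EVENTS = [
    {   # Full admin in a single statement, activated immediately.
        "eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-user"},
        "requestParameters": {
            "policyArn": "arn:aws:iam::111122223333:policy/dev-policy", "setAsDefault": True,
            "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
    {   # Service-wide wildcard inside an action list; not yet the default.
        "eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops-user"},
        "requestParameters": {
            "policyArn": "arn:aws:iam::111122223333:policy/ops-policy", "setAsDefault": False,
            "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": ["s3:GetObject", "iam:*"], "Resource": "*"},
                {"Effect": "Deny", "Action": "organizations:*", "Resource": "*"}]})}},
    {   # Narrow actions only: not reported even though Resource is "*".
        "eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops-user"},
        "requestParameters": {
            "policyArn": "arn:aws:iam::111122223333:policy/read-policy", "setAsDefault": True,
            "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": ["s3:GetObject", "ec2:Describe*"], "Resource": "*"}]})}},
    {   # Denied attempt: excluded by the errorCode = success condition.
        "eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
        "errorCode": "AccessDenied",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/intern"},
        "requestParameters": {
            "policyArn": "arn:aws:iam::111122223333:policy/dev-policy", "setAsDefault": True,
            "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
]

if __name__ == "__main__":
    for f in detect_wildcard_policy_versions(SAMPLE_EVENTS):
        print(f["user_arn"], f["policy_arn"], "default" if f["set_as_default"] else "inactive",
              [s["Action"] for s in f["statements"]])
```

Running the block reports the first two records only: the Deny statement with organizations:* is skipped because only Allow statements count, the narrow policy is skipped even though its Resource is *, and the denied attempt is dropped before the document is parsed. Whether the flagged version is the default is what decides if the escalation has already taken effect, which is why it is carried into the finding.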

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where user A (the compromised identity) creates a console login profile for user B, followed by an AWS Console login by user B from the same src_ip that made the CreateLoginProfile call. The correlation is indicative of privilege escalation when user B holds more permissions than user A: the attacker sets a console password on the more privileged user and then signs in as that user from the same address. Note that the join keys on user name and src_ip only; it does not require the login to occur after the profile creation, and the outer search has no errorCode condition, so failed CreateLoginProfile calls are also joined.

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`
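
The following Python is an added example, not code from the original page or from the Splunk security content project. It reproduces the correlation above over raw CloudTrail records (sourceIPAddress is the raw field that Splunk normalises to src_ip) and goes one step beyond the search by requiring the console login to happen after the profile was created, within a configurable window, and by dropping failed CreateLoginProfile calls. The records are constructed for the demonstration; user names and addresses are placeholders.

```python
from datetime import datetime, timedelta, timezone


def _event_time(event):
    """CloudTrail eventTime is ISO 8601 in UTC, e.g. 2024-05-01T10:00:00Z."""
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate_login_profiles(events, window_hours=24):
    """Pair each successful CreateLoginProfile with console logins by the
    target user from the same source IP, within `window_hours` after creation.

    The search joins on user name and src_ip only; the ordering and window
    constraints here are an addition that removes pairs where the login
    predates the profile creation.
    """
    window = timedelta(hours=window_hours)
    creates = [e for e in events if e.get("eventName") == "CreateLoginProfile" and "errorCode" not in e]
    logins = [e for e in events if e.get("eventName") == "ConsoleLogin"]
    hits = []
    for c in creates:
        target = c["requestParameters"]["userName"]
        created_at = _event_time(c)
        for login in logins:
            if login.get("userIdentity", {}).get("userName") != target:
                continue
            if login.get("sourceIPAddress") != c.get("sourceIPAddress"):
                continue
            logged_in_at = _event_time(login)
            if not created_at <= logged_in_at <= created_at + window:
                continue
            hits.append({
                "creator": c.get("userIdentity", {}).get("userName"),
                "new_login_profile": target,
                "src_ip": c["sourceIPAddress"],
                "login_result": login.get("responseElements", {}).get("ConsoleLogin"),
                "seconds_between": int((logged_in_at - created_at).total_seconds()),
            })
    return hits


# Constructed CloudTrail records for the demonstration (not real log data).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "CreateLoginProfile",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "dev-user"},
     "requestParameters": {"userName": "admin-user", "passwordResetRequired": False}},
    # The newly enabled user signs in from the same address a few minutes later.
    {"eventTime": "2024-05-01T10:04:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "admin-user"},
     "responseElements": {"ConsoleLogin": "Success"}},
    # Same user from a different address: not correlated.
    {"eventTime": "2024-05-01T11:00:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "admin-user"},
     "responseElements": {"ConsoleLogin": "Success"}},
    # An earlier login by the same user from the same address (before the
    # profile was recreated): the search would join it, this function does not.
    {"eventTime": "2024-04-30T09:00:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "admin-user"},
     "responseElements": {"ConsoleLogin": "Success"}},
    # Denied CreateLoginProfile from the same address: excluded.
    {"eventTime": "2024-05-01T12:00:00Z", "eventName": "CreateLoginProfile",
     "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "dev-user"},
     "requestParameters": {"userName": "billing-user"}},
]

if __name__ == "__main__":
    for hit in correlate_login_profiles(SAMPLE_EVENTS):
        print(hit)
```

Only the first pair survives: dev-user enables console access for admin-user and admin-user signs in from 203.0.113.10 four minutes later. Shrinking the window to a minute returns nothing, which is the knob to tune if the same-address correlation alone produces too many benign admin self-service pairs.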

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail records delivered through Amazon Security Lake (ASL). Attackers may blind logging by deleting a log group in CloudWatch Logs: the stored log events are destroyed and anything later sent to that group is rejected until it is recreated. An adversary who holds the required permission (logs:DeleteLogGroup) in the compromised AWS environment may delete the log group that records activity in the environment. Unlike the CloudTrail variant of this rule, this search does not restrict on api.response.error or on the user agent, so denied attempts and console-initiated deletions are included in the results.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys in CloudTrail records delivered through Amazon Security Lake (ASL). An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While access keys are legitimately created by developers and administrators for API access, their creation can also indicate malicious activity: an attacker who has gained unauthorized access to an AWS environment might create access keys to establish persistence or to exfiltrate data through the APIs, and because the keys authenticate without any further interaction they are attractive to an actor trying to operate under the radar. Access key creation events therefore deserve scrutiny, especially when they coincide with unusual activity or come from users who do not normally perform these actions. This hunting query identifies a potentially compromised user creating an IAM access key for another user who may hold higher privileges, which can be a sign of privilege escalation. Hunting queries are meant to be run manually during threat hunting. The search compares the caller (identity.user.name) with responseElements.accessKey.userName, which is populated even when the caller did not name a target user, using an exact string comparison, and it excludes console-initiated calls (http_request.user_agent) and failed calls (api.response.error=null).

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where user A, who already has permission to update login profiles, calls UpdateLoginProfile to set a new console password for another user B. Attackers are known to use this technique for privilege escalation when user B has more permissions than user A. Self-service password changes are excluded by comparing the caller's userIdentity.userName with requestParameters.userName. Note that the comparison uses match(), which treats requestParameters.userName as a regular expression searched within the caller's name rather than an exact string comparison: if the target name is a substring of the caller's name (for example, target deploy and caller svc-deploy) the event is suppressed, so an exact comparison is more robust. Console-initiated calls (userAgent = console.amazonaws.com) and failed calls are excluded.

Detection logic

`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys in CloudTrail logs. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While access keys are legitimately created by developers and administrators for API access, their creation can also indicate malicious activity: an attacker who has gained unauthorized access to an AWS environment might create access keys to establish persistence or to exfiltrate data through the APIs, and because the keys authenticate without any further interaction they are attractive to an actor trying to operate under the radar. Access key creation events therefore deserve scrutiny, especially when they coincide with unusual activity or come from users who do not normally perform these actions. This hunting query identifies a potentially compromised user creating an IAM access key for another user who may hold higher privileges, which can be a sign of privilege escalation. Hunting queries are meant to be run manually during threat hunting. The self-service exclusion compares userIdentity.userName with requestParameters.userName using match(), a regular-expression search rather than an exact comparison, so a target name that is a substring of the caller's name is suppressed; requestParameters.userName is also only present when the caller explicitly names a target user, whereas the ASL variant compares against responseElements.accessKey.userName, which is always populated. Console-initiated calls and failed calls are excluded.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`
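
The following Python is an added example, not code from the original page or from the Splunk security content project. It serves both the AWS UpdateLoginProfile and AWS CreateAccessKey rules above: the same filter is run over constructed CloudTrail records twice, once with the regular-expression comparison that match(userIdentity.userName, requestParameters.userName) performs and once with an exact comparison, to show which cross-user credential change the regex form misses. For CreateAccessKey calls that omit the target user it falls back to responseElements.accessKey.userName, as the ASL variant does. User names, agents and the example key ID are placeholders.

```python
import re

MONITORED = {"CreateAccessKey", "UpdateLoginProfile"}


def same_user_regex(caller, target):
    """What match(userIdentity.userName, requestParameters.userName) computes:
    the target name is used as an unanchored regular expression over the caller's name."""
    return re.search(target, caller) is not None


def same_user_exact(caller, target):
    """Exact string comparison, the check the rule intends."""
    return caller == target


def cross_user_credential_changes(events, same_user=same_user_exact):
    """Successful, non-console CreateAccessKey/UpdateLoginProfile calls whose
    target user differs from the caller according to `same_user`."""
    findings = []
    for ev in events:
        if ev.get("eventName") not in MONITORED:
            continue
        # Same exclusions as the searches: console user agent and failed calls
        # (raw CloudTrail sets errorCode only on failures).
        if ev.get("userAgent") == "console.amazonaws.com" or "errorCode" in ev:
            continue
        caller = ev.get("userIdentity", {}).get("userName", "")
        params = ev.get("requestParameters") or {}
        # CreateAccessKey without --user-name has no requestParameters.userName;
        # the response always names the key owner, so use that as the target.
        target = (params.get("userName")
                  or ev.get("responseElements", {}).get("accessKey", {}).get("userName")
                  or caller)
        if same_user(caller, target):
            continue
        findings.append((ev["eventName"], caller, target))
    return findings


# Constructed CloudTrail records for the demonstration (not real log data).
SAMPLE_EVENTS = [
    # Key created for a different, likely more privileged, user.
    {"eventName": "CreateAccessKey", "userAgent": "aws-cli/2.15.0 Python/3.11.6",
     "userIdentity": {"userName": "dev-user"}, "requestParameters": {"userName": "admin-user"}},
    # Self-service: the caller names itself as the target.
    {"eventName": "CreateAccessKey", "userAgent": "aws-cli/2.15.0 Python/3.11.6",
     "userIdentity": {"userName": "dev-user"}, "requestParameters": {"userName": "dev-user"}},
    # Target name is a substring of the caller's name: the regex form suppresses this.
    {"eventName": "UpdateLoginProfile", "userAgent": "Boto3/1.34.0 Python/3.11.6",
     "userIdentity": {"userName": "svc-deploy"}, "requestParameters": {"userName": "deploy"}},
    # Console-initiated: excluded by userAgent != console.amazonaws.com.
    {"eventName": "CreateAccessKey", "userAgent": "console.amazonaws.com",
     "userIdentity": {"userName": "dev-user"}, "requestParameters": {"userName": "admin-user"}},
    # Denied: excluded by errorCode = success.
    {"eventName": "UpdateLoginProfile", "userAgent": "aws-cli/2.15.0 Python/3.11.6",
     "errorCode": "AccessDenied",
     "userIdentity": {"userName": "intern"}, "requestParameters": {"userName": "admin-user"}},
    # Self-service without an explicit user name: only the response names the owner.
    {"eventName": "CreateAccessKey", "userAgent": "aws-cli/2.15.0 Python/3.11.6",
     "userIdentity": {"userName": "dev-user"}, "requestParameters": None,
     "responseElements": {"accessKey": {"userName": "dev-user", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}}},
]

if __name__ == "__main__":
    print("regex comparison:", cross_user_credential_changes(SAMPLE_EVENTS, same_user_regex))
    print("exact comparison:", cross_user_credential_changes(SAMPLE_EVENTS, same_user_exact))
```

The exact comparison reports two events (dev-user creating a key for admin-user, and svc-deploy resetting deploy's password); the regex comparison reports only the first, because "deploy" is found inside "svc-deploy". The last record shows why the fallback matters: without it, a key a user creates for itself with no explicit user name would be reported as a cross-user change.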

Detect New Open S3 buckets

Description

This search looks for AWS CloudTrail PutBucketAcl events where a user grants one of the public groups (AllUsers or AuthenticatedUsers) READ, READ_ACP, WRITE, WRITE_ACP or FULL_CONTROL on an S3 bucket, that is, makes a bucket open/public. The bucket need not be new: PutBucketAcl changes the ACL of an existing bucket. This rule covers calls that send a full AccessControlPolicy body (SDKs and the console), which CloudTrail records under requestParameters.AccessControlPolicy; the header form produced by the AWS CLI --grant-* options is covered by the next rule.

Detection logic

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl 
| rex field=_raw "(?<json_field>{.+})" 
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} 
| search grantees=* 
| mvexpand grantees 
| spath input=grantees output=uri path=Grantee.URI 
| spath input=grantees output=permission path=Permission 
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") 
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") 
| rename requestParameters.bucketName AS bucketName 
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_filter` 

Detect New Open S3 Buckets over AWS CLI

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the AWS CLI.

Detection logic

`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") 
| rename requestParameters.bucketName AS bucketName 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_over_aws_cli_filter` 
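
Both searches above reduce to the same question: did a PutBucketAcl call hand a global group a permission? The following Python is an added example, not part of the page or of the Splunk rule set, that walks both request shapes CloudTrail can record (the AccessControlPolicy grant list the first search parses with spath, and the x-amz-grant-* headers the CLI search matches) over constructed sample events; bucket names, ARNs, the owner id and user agents are placeholders. It goes slightly beyond the CLI search by treating x-amz-grant-read as a finding too, since that header confers READ, which the first search already flags.

```python
# Added example: flag PutBucketAcl calls that grant AllUsers or AuthenticatedUsers access, in both
# request shapes CloudTrail records: the AccessControlPolicy body and the x-amz-grant-* header form

# Global grantee URIs and permissions named in the searches above
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
RISKY_PERMISSIONS = {"READ", "READ_ACP", "WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Header-style grants (aws s3api put-bucket-acl --grant-*) and the permission each confers
GRANT_HEADERS = {
    "x-amz-grant-read": "READ",
    "x-amz-grant-read-acp": "READ_ACP",
    "x-amz-grant-write": "WRITE",
    "x-amz-grant-write-acp": "WRITE_ACP",
    "x-amz-grant-full-control": "FULL_CONTROL",
}


def public_grants(event):
    """Return (grantee_uri, permission) pairs in this event that expose the bucket."""
    findings = []
    params = event.get("requestParameters", {})
    # Form 1: full AccessControlPolicy in the request body (what the spath chain walks)
    grants = params.get("AccessControlPolicy", {}).get("AccessControlList", {}).get("Grant", [])
    if isinstance(grants, dict):  # a single grant is logged as an object, not a list
        grants = [grants]
    for grant in grants:
        uri, permission = grant.get("Grantee", {}).get("URI"), grant.get("Permission")
        if uri in PUBLIC_GRANTEES and permission in RISKY_PERMISSIONS:
            findings.append((uri, permission))
    # Form 2: x-amz-grant-* headers; the value looks like uri="http://acs.amazonaws.com/groups/global/AllUsers"
    headers = params.get("accessControlList", {})
    for header, permission in GRANT_HEADERS.items():
        for uri in PUBLIC_GRANTEES:
            if uri in headers.get(header, ""):
                findings.append((uri, permission))
    return findings


def detect_public_buckets(events):
    """Apply the searches' event filter and return one finding per exposing call."""
    findings = []
    for event in events:
        if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") != "PutBucketAcl":
            continue
        grants = public_grants(event)
        if grants:
            findings.append({
                "bucketName": event.get("requestParameters", {}).get("bucketName"),
                "user_arn": event.get("userIdentity", {}).get("arn"),
                "userAgent": event.get("userAgent"),
                "grants": grants,
            })
    return findings


# Constructed sample events (not real CloudTrail data); account id, owner id and ARNs are placeholders
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"}
CLI_UA = "[aws-cli/2.15.0 Python/3.11.6 Linux/6.5.0]"


def _put_acl(bucket, user, user_agent, **params):
    return {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl", "userAgent": user_agent,
            "userIdentity": {"arn": f"arn:aws:iam::123456789012:user/{user}"},
            "requestParameters": {"bucketName": bucket, **params}}

SAMPLE_EVENTS = [
    # console call that makes the bucket world-readable: hit
    _put_acl("acme-public-assets", "alice", "[S3Console/0.4]", AccessControlPolicy={"AccessControlList": {"Grant": [
        OWNER, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}}),
    # CLI call using --grant-write-acp with the AuthenticatedUsers group: hit
    _put_acl("acme-cli-bucket", "bob", CLI_UA, accessControlList={"x-amz-grant-write-acp": f'uri="{AUTH_USERS}"'}),
    # private ACL, owner only (single grant logged as an object): no hit
    _put_acl("acme-private", "carol", CLI_UA, AccessControlPolicy={"AccessControlList": {"Grant": OWNER}}),
    # unrelated S3 call: filtered out before any ACL parsing
    {"eventSource": "s3.amazonaws.com", "eventName": "GetBucketAcl", "requestParameters": {"bucketName": "acme-private"}},
]
```

Calling `detect_public_buckets(SAMPLE_EVENTS)` yields two findings, one per exposing call, with the grantee/permission pairs that justify each; the private ACL and the GetBucketAcl call produce nothing. The single-grant-as-object case is the one worth keeping in mind when porting this to another query language, since a list-only parser silently misses it.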

ASL AWS Defense Evasion Delete Cloudtrail

Description

This analytic identifies AWS DeleteTrail events within CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteTrail 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`

AWS Defense Evasion Stop Logging Cloudtrail

Description

This analytic identifies StopLogging events in CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may easily stop logging.

Detection logic

`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `aws_defense_evasion_stop_logging_cloudtrail_filter`

AWS Defense Evasion Delete Cloudtrail

Description

This analytic identifies AWS DeleteTrail events within CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where user A (victim A) creates a login profile for user B, followed by an AWS Console login event by user B from the same src_ip as the CreateLoginProfile call. This correlated event can be indicative of privilege escalation, since both events happened from the same src_ip.

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`
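
As an added example that is not part of the page, the same correlation in Python over constructed CloudTrail events (names, IPs and times are placeholders): it indexes CreateLoginProfile calls by the two join keys the search uses, target user and source IP (CloudTrail's sourceIPAddress, which the Splunk add-on exposes as src_ip), then matches ConsoleLogin events against them. Unlike the join above it also requires the login to follow the profile creation within a window, which is this example's own refinement.

```python
# Added example: correlate CreateLoginProfile with a ConsoleLogin by the newly enabled user from the same IP
from datetime import datetime, timedelta

CLOUDTRAIL_TIME = "%Y-%m-%dT%H:%M:%SZ"


def _event_time(event):
    return datetime.strptime(event["eventTime"], CLOUDTRAIL_TIME)


def correlate_login_profiles(events, window=timedelta(hours=24)):
    """Return hits where a CreateLoginProfile for user B is followed, within `window`,
    by a ConsoleLogin as user B from the same source address.
    The join in the search above has no time bound; the window is this example's addition."""
    # Index CreateLoginProfile calls by (target user, source IP), the two join keys of the search
    created = {}
    for event in events:
        if event.get("eventName") != "CreateLoginProfile":
            continue
        target = event.get("requestParameters", {}).get("userName")
        created.setdefault((target, event.get("sourceIPAddress")), []).append(event)

    findings = []
    for event in events:
        if event.get("eventName") != "ConsoleLogin":
            continue
        key = (event.get("userIdentity", {}).get("userName"), event.get("sourceIPAddress"))
        for create in created.get(key, []):
            elapsed = _event_time(event) - _event_time(create)
            if timedelta(0) <= elapsed <= window:  # login must come after the profile was created
                findings.append({
                    "creator": create.get("userIdentity", {}).get("userName"),
                    "new_login_profile": key[0],
                    "src_ip": key[1],
                    "login_result": event.get("responseElements", {}).get("ConsoleLogin"),
                    "seconds_between": int(elapsed.total_seconds()),
                })
    return findings


# Constructed sample events (not real CloudTrail data); user names are placeholders, IPs are documentation ranges
def _ct(name, caller, ip, when, **extra):
    return {"eventName": name, "eventTime": when, "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": caller}, **extra}

SAMPLE_EVENTS = [
    _ct("CreateLoginProfile", "alice", "198.51.100.7", "2024-05-01T10:00:00Z",
        requestParameters={"userName": "bob", "passwordResetRequired": False}),
    _ct("ConsoleLogin", "bob", "198.51.100.7", "2024-05-01T10:04:30Z",
        responseElements={"ConsoleLogin": "Success"}),           # same IP, 4.5 minutes later: hit
    _ct("ConsoleLogin", "bob", "203.0.113.9", "2024-05-01T11:00:00Z",
        responseElements={"ConsoleLogin": "Success"}),           # different IP: no hit
    _ct("CreateLoginProfile", "admin-ops", "192.0.2.10", "2024-05-01T09:00:00Z",
        requestParameters={"userName": "carol"}),
    _ct("ConsoleLogin", "carol", "192.0.2.10", "2024-04-30T09:00:00Z",
        responseElements={"ConsoleLogin": "Success"}),           # login precedes the profile: no hit
]
```

On the sample data only the alice/bob pair correlates. The search keeps the ConsoleLogin errorCode in its output rather than filtering on it, and the example mirrors that by carrying responseElements.ConsoleLogin through, so failed logins from the same address are still surfaced for the analyst.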

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`
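
An added example (not the page's or Splunk's code) of the same statement check in Python, over constructed CreatePolicyVersion events whose policy ARNs and account id are placeholders. It applies the search's regex to each Allow statement's Action, handles Statement, Action and Resource being either a single value or a list, and decodes the policy document from the URL-encoded form in which CloudTrail records the policyDocument parameter.

```python
# Added example: find CreatePolicyVersion calls whose new document allows "*" or "<service>:*"
import json
import re
from urllib.parse import quote, unquote

# Same pattern the search applies to each statement's Action
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def _as_list(value):
    """IAM allows Statement, Action and Resource to be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_statements(policy_document):
    """Return Allow statements whose Action list contains a full or service-wide wildcard."""
    if isinstance(policy_document, str):
        # CloudTrail records the policyDocument parameter URL-encoded; unquote is a no-op otherwise
        policy_document = json.loads(unquote(policy_document))
    hits = []
    for statement in _as_list(policy_document.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        wild = [a for a in _as_list(statement.get("Action")) if WILDCARD_ACTION.match(a)]
        if wild:
            hits.append({"actions": wild, "resources": _as_list(statement.get("Resource"))})
    return hits


def detect_overbroad_policy_versions(events):
    """Apply the search's event filter and return one finding per offending policy version."""
    findings = []
    for event in events:
        if event.get("eventName") != "CreatePolicyVersion" or event.get("eventSource") != "iam.amazonaws.com":
            continue
        if event.get("errorCode"):  # raw CloudTrail omits errorCode on success
            continue
        params = event.get("requestParameters", {})
        hits = wildcard_statements(params.get("policyDocument", "{}"))
        if hits:
            findings.append({
                "policyArn": params.get("policyArn"),
                "user_arn": event.get("userIdentity", {}).get("arn"),
                "setAsDefault": params.get("setAsDefault"),
                "statements": hits,
            })
    return findings


def _encoded(statements):
    """Build a URL-encoded policy document the way CloudTrail logs it (sample data only)."""
    return quote(json.dumps({"Version": "2012-10-17", "Statement": statements}))


# Constructed sample events (not real CloudTrail data); the account id and policy ARNs are placeholders
def _event(policy, statements, error=None):
    event = {"eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com",
             "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
             "requestParameters": {"policyArn": f"arn:aws:iam::123456789012:policy/{policy}",
                                   "policyDocument": _encoded(statements), "setAsDefault": True}}
    if error:
        event["errorCode"] = error
    return event

SAMPLE_EVENTS = [
    _event("app-deploy", [{"Effect": "Allow", "Action": "*", "Resource": "*"}]),                          # hit
    _event("reader", [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::acme-data/*"}]),
    _event("iam-helper", [{"Effect": "Allow", "Action": ["iam:*", "s3:GetObject"], "Resource": "*"}]),    # hit
    _event("deny-all", [{"Effect": "Deny", "Action": "*", "Resource": "*"}]),                             # Deny: ignored
    _event("blocked", [{"Effect": "Allow", "Action": "*", "Resource": "*"}], error="AccessDenied"),      # failed: ignored
]
```

The search's regex deliberately stops at `<service>:*`; a prefix wildcard such as `s3:Get*` does not match it, and the example inherits that boundary. Whether `setAsDefault` was true is carried into the finding because a non-default version grants nothing until someone activates it, which changes how urgently the alert needs handling.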

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the old victim (user A).

Detection logic

 `cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`
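
The AWS CreateAccessKey, ASL AWS CreateAccessKey and AWS UpdateLoginProfile searches all apply one test: the calling user is not the user named in the request. The Python below is an added example, not code from the page or from Splunk, that applies that test to constructed records in both shapes, including the flattening of the OCSF unmapped key/value pairs that the ASL search does with mvzip, mvexpand and rex; user names, IPs and the user agent strings are placeholders.

```python
# Added example: flag CreateAccessKey / UpdateLoginProfile calls where the caller is not the target user,
# for both CloudTrail-shaped and Amazon Security Lake (OCSF) records
CROSS_USER_OPERATIONS = {"CreateAccessKey", "UpdateLoginProfile"}
CONSOLE_USER_AGENT = "console.amazonaws.com"


def flatten_unmapped(record):
    """Turn OCSF unmapped [{key, value}, ...] pairs into a dict, as the mvzip/rex/eval chain does."""
    return {item["key"]: item["value"] for item in record.get("unmapped", [])}


def normalize(record):
    """Reduce either record shape to the fields the searches compare."""
    if "api" in record:  # Amazon Security Lake / OCSF shape
        extra = flatten_unmapped(record)
        return {
            "operation": record["api"].get("operation"),
            "caller": record.get("identity", {}).get("user", {}).get("name"),
            "target": extra.get("responseElements.accessKey.userName") or extra.get("requestParameters.userName"),
            "user_agent": record.get("http_request", {}).get("user_agent"),
            "failed": record["api"].get("response", {}).get("error") is not None,
            "src_ip": record.get("src_endpoint", {}).get("ip"),
        }
    return {  # CloudTrail shape
        "operation": record.get("eventName"),
        "caller": record.get("userIdentity", {}).get("userName"),
        "target": record.get("requestParameters", {}).get("userName"),
        "user_agent": record.get("userAgent"),
        "failed": record.get("errorCode") is not None,  # raw CloudTrail omits errorCode on success
        "src_ip": record.get("sourceIPAddress"),
    }


def cross_user_credential_ops(records):
    """Return normalized events where one IAM user issued or changed credentials for a different user."""
    findings = []
    for record in records:
        event = normalize(record)
        if event["operation"] not in CROSS_USER_OPERATIONS or event["failed"]:
            continue
        if event["user_agent"] == CONSOLE_USER_AGENT:  # the searches exclude console-originated calls
            continue
        if event["caller"] and event["target"] and event["caller"] != event["target"]:
            findings.append(event)
    return findings


# Constructed sample records (not real log data); names are placeholders, IPs are documentation ranges
def _cloudtrail(op, caller, target, user_agent="aws-cli/2.15.0", error=None):
    record = {"eventName": op, "eventSource": "iam.amazonaws.com", "sourceIPAddress": "198.51.100.7",
              "userAgent": user_agent, "userIdentity": {"type": "IAMUser", "userName": caller},
              "requestParameters": {"userName": target}}
    if error:
        record["errorCode"] = error
    return record

SAMPLE_RECORDS = [
    _cloudtrail("CreateAccessKey", "alice", "bob"),                                   # hit
    _cloudtrail("CreateAccessKey", "carol", "carol"),                                 # own key: ignored
    _cloudtrail("CreateAccessKey", "alice", "bob", user_agent=CONSOLE_USER_AGENT),    # console: ignored
    _cloudtrail("UpdateLoginProfile", "alice", "dave", error="AccessDenied"),         # failed: ignored
    _cloudtrail("UpdateLoginProfile", "alice", "dave"),                               # hit
    {   # ASL/OCSF record; the target user only survives in the unmapped attributes
        "api": {"operation": "CreateAccessKey", "service": {"name": "iam.amazonaws.com"}},
        "identity": {"user": {"name": "ci-deployer", "type": "IAMUser"}},
        "http_request": {"user_agent": "aws-cli/2.15.0"},
        "src_endpoint": {"ip": "203.0.113.9"},
        "unmapped": [{"key": "responseElements.accessKey.userName", "value": "admin-erin"}],
    },
]
```

One difference from the CloudTrail searches is worth knowing before tuning them: they compare the two names with match(), which treats requestParameters.userName as a regular expression against userIdentity.userName, so a caller named bobby acting on bob is suppressed as a substring match. The example uses plain equality, which is what the ASL search does as well.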

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `aws_create_policy_version_to_allow_all_resources_filter`
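The wildcard-action check above, as an added Python example that is not the original rule: it applies the same regex to Allow statements of constructed CreatePolicyVersion records, and also handles two cases the single-path `spath` does not, an `Action` given as a list (every element is checked) and a `policyDocument` string that arrives percent-encoded (a defensive assumption of this example). The sample policy ARN and events are constructed.

```python
"""Flag CreatePolicyVersion events whose new policy version allows a wildcard
action ('*' or 'service:*').

Added example, not the original rule: it reproduces the spath/regex logic of
the search over constructed CloudTrail records, and additionally handles Action
given as a list and a percent-encoded policyDocument string.
"""
import json
import re
from urllib.parse import quote, unquote

# Same pattern as the rule's regex: a bare '*' or '<service>:*'.
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def _as_list(value):
    """IAM allows Statement, Action and Resource to be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def load_policy_document(raw):
    """CloudTrail records policyDocument as a JSON string; decode it, falling
    back to URL-decoding first if the string is percent-encoded (assumption)."""
    if isinstance(raw, dict):
        return raw
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return json.loads(unquote(raw))


def wildcard_allow_statements(policy):
    """Return the Allow statements that contain at least one wildcard action."""
    hits = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        matched = [a for a in _as_list(stmt.get("Action")) if WILDCARD_ACTION.match(a)]
        if matched:
            hits.append({"actions": matched, "resource": stmt.get("Resource")})
    return hits


def check_create_policy_version(event):
    """Apply the rule's pre-filter (successful IAM CreatePolicyVersion) and
    return the offending statements, or [] if the event is benign."""
    if event.get("eventName") != "CreatePolicyVersion":
        return []
    if event.get("eventSource") != "iam.amazonaws.com":
        return []
    # Raw CloudTrail carries no errorCode on success; the SPL 'errorCode = success'
    # comes from the Splunk add-on's field mapping, so absence means success here.
    if event.get("errorCode"):
        return []
    policy = load_policy_document(event["requestParameters"]["policyDocument"])
    return wildcard_allow_statements(policy)


# Constructed sample events (not real CloudTrail data; ARN is a placeholder).
OVERLY_BROAD = {
    "eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com",
    "requestParameters": {
        "policyArn": "arn:aws:iam::123456789012:policy/example-app",
        "setAsDefault": True,
        "policyDocument": json.dumps({
            "Version": "2012-10-17",
            "Statement": [
                # Action as a list: only 'iam:*' is a wildcard
                {"Effect": "Allow", "Action": ["s3:GetObject", "iam:*"], "Resource": "*"},
                # Deny statements are ignored by the rule
                {"Effect": "Deny", "Action": "*", "Resource": "*"},
            ],
        }),
    },
}
URL_ENCODED = {
    "eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com",
    "requestParameters": {
        "policyArn": "arn:aws:iam::123456789012:policy/example-app",
        # Single statement object (not a list), percent-encoded document
        "policyDocument": quote(json.dumps(
            {"Version": "2012-10-17",
             "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}})),
    },
}
SCOPED = {
    "eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com",
    "requestParameters": {
        "policyArn": "arn:aws:iam::123456789012:policy/example-app",
        "policyDocument": json.dumps(
            {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                            "Resource": "arn:aws:s3:::example-bucket/*"}]}),
    },
}
# Same broad document, but the API call failed: the rule only looks at successes.
FAILED = dict(OVERLY_BROAD, errorCode="AccessDenied")


if __name__ == "__main__":
    for name, ev in [("broad", OVERLY_BROAD), ("encoded", URL_ENCODED),
                     ("scoped", SCOPED), ("failed", FAILED)]:
        print(name, check_create_policy_version(ev))
```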

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the old victim (user A).

Detection logic

`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_createaccesskey_filter`

Detect New Open S3 buckets

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket.

Detection logic

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl 
| rex field=_raw "(?<json_field>{.+})" 
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} 
| search grantees=* 
| mvexpand grantees 
| spath input=grantees output=uri path=Grantee.URI 
| spath input=grantees output=permission path=Permission 
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") 
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") 
| rename requestParameters.bucketName AS bucketName 
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_filter` 

Detect New Open S3 Buckets over AWS CLI

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the AWS CLI.

Detection logic

`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") 
| rename requestParameters.bucketName AS bucketName 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_over_aws_cli_filter` 
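The public-grant checks of the two S3 rules above (the AccessControlPolicy body form and the x-amz-grant-* header form sent by the AWS CLI), combined in one added Python example that is not part of the original rules and runs over constructed CloudTrail records. It goes slightly beyond the CLI search by also inspecting the x-amz-grant-read header; the bucket names, owner ID and events are constructed placeholders.

```python
"""Flag PutBucketAcl calls that grant bucket permissions to everyone (AllUsers)
or to any AWS account (AuthenticatedUsers).

Added example, not the original rules: it covers both request shapes the two
searches look at, the full AccessControlPolicy body and the x-amz-grant-*
header form, over constructed CloudTrail records. Unlike the CLI search it also
inspects x-amz-grant-read.
"""
import re

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
RISKY_PERMISSIONS = {"READ", "READ_ACP", "WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Canned-grant headers and the ACL permission each one confers.
GRANT_HEADERS = {
    "x-amz-grant-read": "READ",
    "x-amz-grant-read-acp": "READ_ACP",
    "x-amz-grant-write": "WRITE",
    "x-amz-grant-write-acp": "WRITE_ACP",
    "x-amz-grant-full-control": "FULL_CONTROL",
}
# Header values look like: uri=http://... or uri="http://...", comma-separated.
_URI_IN_HEADER = re.compile(r'uri="?([^",\s]+)"?')


def _as_list(value):
    return value if isinstance(value, list) else [value]


def public_grants(event):
    """Return one finding per grant to a public group with a risky permission."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return []
    if event.get("eventName") != "PutBucketAcl":
        return []
    params = event.get("requestParameters", {})
    bucket = params.get("bucketName")
    findings = []

    # Shape 1: XML ACL body, recorded by CloudTrail as AccessControlPolicy
    # (the spath path Grant{} in the first rule).
    grants = (params.get("AccessControlPolicy", {})
                    .get("AccessControlList", {})
                    .get("Grant", []))
    for grant in _as_list(grants):
        uri = grant.get("Grantee", {}).get("URI")
        perm = grant.get("Permission")
        if uri in PUBLIC_GRANTEES and perm in RISKY_PERMISSIONS:
            findings.append({"bucket": bucket, "grantee": uri,
                             "permission": perm, "form": "body"})

    # Shape 2: x-amz-grant-* headers (the second rule's accessControlList fields).
    headers = params.get("accessControlList", {})
    for header, perm in GRANT_HEADERS.items():
        for uri in _URI_IN_HEADER.findall(headers.get(header) or ""):
            if uri in PUBLIC_GRANTEES:
                findings.append({"bucket": bucket, "grantee": uri,
                                 "permission": perm, "form": "header"})
    return findings


# Constructed sample events (not real CloudTrail data).
OWNER = {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"}
BODY_PUBLIC_READ = {
    "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
    "requestParameters": {
        "bucketName": "example-data",
        "AccessControlPolicy": {"AccessControlList": {"Grant": [
            {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group",
                         "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"},
        ]}},
    },
}
CLI_AUTH_FULL = {
    "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
    "userAgent": "aws-cli/2.0.0",
    "requestParameters": {
        "bucketName": "example-data",
        "accessControlList": {
            "x-amz-grant-full-control":
                'uri="http://acs.amazonaws.com/groups/global/AuthenticatedUsers"',
        },
    },
}
PRIVATE = {
    "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
    "requestParameters": {
        "bucketName": "example-data",
        "AccessControlPolicy": {"AccessControlList": {"Grant": [
            {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        ]}},
    },
}


if __name__ == "__main__":
    for ev in (BODY_PUBLIC_READ, CLI_AUTH_FULL, PRIVATE):
        print(public_grants(ev))
```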

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A who has already permission to update login profile, makes an API call to update login profile for another user B . Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B)

Detection logic

 `cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`
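The correlation above joins CreateLoginProfile and ConsoleLogin on the new user name and src_ip. The following is an added Python example (not part of the page or of the Splunk rule) that performs the same join over constructed CloudTrail-style records; it also enforces the "followed by" ordering the description states and an assumed 24-hour window, both of which the SPL join itself does not check:

```python
"""Correlate CreateLoginProfile with a later ConsoleLogin by the newly
profiled user from the same source IP. Constructed CloudTrail-style
records; field names follow CloudTrail's JSON schema."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real CloudTrail data).
SAMPLE_EVENTS = [
    # alice creates a console password for bob; bob logs in 5 minutes later
    # from the same address. This is the pattern the rule is after.
    {"eventTime": "2024-01-10T10:00:00Z", "eventName": "CreateLoginProfile",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"userName": "alice"},
     "requestParameters": {"userName": "bob"}},
    {"eventTime": "2024-01-10T10:05:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"userName": "bob"}},
    # Onboarding: an admin creates the profile, carol logs in from her own address.
    {"eventTime": "2024-01-10T11:00:00Z", "eventName": "CreateLoginProfile",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"userName": "alice"},
     "requestParameters": {"userName": "carol"}},
    {"eventTime": "2024-01-10T12:00:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "carol"}},
    # Same join keys, wrong order: the login precedes the profile creation.
    {"eventTime": "2024-01-10T09:00:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"userName": "dave"}},
    {"eventTime": "2024-01-10T09:30:00Z", "eventName": "CreateLoginProfile",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"userName": "alice"},
     "requestParameters": {"userName": "dave"}},
]


def _ts(event):
    """Parse CloudTrail's eventTime (UTC, second resolution)."""
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate_login_profile(events, max_gap_seconds=24 * 3600):
    """Return one finding per ConsoleLogin that follows a CreateLoginProfile
    for the same user from the same src_ip within max_gap_seconds.

    The join keys (new user name, src_ip) are the ones the SPL uses; the
    ordering check and the time window (assumed: 24 h) are additions.
    """
    # Index CreateLoginProfile events by (target user, src_ip), mirroring
    # "rename requestParameters.userName as new_login_profile" plus the join keys.
    creations = defaultdict(list)
    for event in events:
        if event.get("eventName") == "CreateLoginProfile":
            key = (event["requestParameters"]["userName"], event["sourceIPAddress"])
            creations[key].append(event)

    findings = []
    for event in events:
        if event.get("eventName") != "ConsoleLogin":
            continue
        key = (event["userIdentity"].get("userName"), event["sourceIPAddress"])
        for created in creations.get(key, []):
            gap = (_ts(event) - _ts(created)).total_seconds()
            if 0 <= gap <= max_gap_seconds:
                findings.append({
                    "creator": created["userIdentity"]["userName"],
                    "new_login_profile": key[0],
                    "src_ip": key[1],
                    "profile_created": created["eventTime"],
                    "console_login": event["eventTime"],
                    "seconds_between": int(gap),
                })
    return findings


if __name__ == "__main__":
    for finding in correlate_login_profile(SAMPLE_EVENTS):
        print(finding)
```

Only the alice/bob pair is reported: carol's login comes from a different address, and dave's login happened before his profile was created, which the SPL join would still pair because it has no notion of order.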

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A wide-open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`
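The rule pulls each Statement out of requestParameters.policyDocument and matches its Action against `^(\*|[\w-]+:\*)$`. The following added Python example (not from the page or the Splunk rule) applies the same filter and regex to constructed CreatePolicyVersion events, handling the single-object and list forms IAM allows for Statement and Action, and also reports whether the new version was set as the default, which the rule does not look at:

```python
"""Flag CreatePolicyVersion calls whose new policy document contains an
Allow statement with a wildcard action ("*" or "<service>:*"), the same
pattern the rule's regex matches. Constructed sample events."""
import json
import re

# Same expression as the rule: the whole action is "*" or "<service>:*".
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")

# Constructed sample events (not real CloudTrail data).
SAMPLE_EVENTS = [
    {"eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {
         "policyArn": "arn:aws:iam::123456789012:policy/app-policy",
         "setAsDefault": True,
         "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
             {"Effect": "Allow", "Action": "*", "Resource": "*"},
             {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-logs/*"}]})}},
    {"eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {
         "policyArn": "arn:aws:iam::123456789012:policy/ops-policy",
         # Single statement object, not a list; "iam:*" is a wildcard, "ec2:Describe*" is not.
         "policyDocument": json.dumps({"Version": "2012-10-17", "Statement":
             {"Effect": "Allow", "Action": ["ec2:Describe*", "iam:*"], "Resource": "*"}})}},
    {"eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/carol"},
     "requestParameters": {
         "policyArn": "arn:aws:iam::123456789012:policy/deny-all",
         # A Deny on "*" is the opposite of what the rule is looking for.
         "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
             {"Effect": "Deny", "Action": "*", "Resource": "*"},
             {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"}]})}},
    {"eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com",
     "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dave"},
     "requestParameters": {
         "policyArn": "arn:aws:iam::123456789012:policy/app-policy",
         "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
             {"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
]


def _as_list(value):
    """IAM allows Statement, Action and Resource to be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_allow_statements(policy_document):
    """Return the Allow statements of a policy document (JSON string, as
    CloudTrail records it, or an already-parsed dict) with a wildcard Action."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    hits = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        wild = [a for a in _as_list(stmt.get("Action")) if WILDCARD_ACTION.match(a)]
        if wild:
            hits.append({"wildcard_actions": wild, "resource": _as_list(stmt.get("Resource"))})
    return hits


def detect_allow_all_policy_versions(events):
    """Apply the rule's event filter, then inspect each policy document."""
    findings = []
    for event in events:
        if event.get("eventName") != "CreatePolicyVersion" or event.get("eventSource") != "iam.amazonaws.com":
            continue
        # Raw CloudTrail omits errorCode on success, so a missing code means success.
        if event.get("errorCode") not in (None, "success"):
            continue
        params = event.get("requestParameters") or {}
        hits = wildcard_allow_statements(params.get("policyDocument", "{}"))
        if hits:
            findings.append({
                "user_arn": event["userIdentity"]["arn"],
                "policy_arn": params.get("policyArn"),
                # A new version only takes effect once it is the default version.
                "set_as_default": bool(params.get("setAsDefault", False)),
                "statements": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in detect_allow_all_policy_versions(SAMPLE_EVENTS):
        print(finding)
```

alice's and bob's versions are reported; carol's Deny statement and dave's denied call are not, and "ec2:Describe*" is correctly ignored because the regex requires the part after the colon to be exactly "*".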

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the old victim (user A).

Detection logic

`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`
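The CreateAccessKey rule, its ASL variant and the UpdateLoginProfile rule share one idea: keep successful, non-console calls whose target user differs from the caller. The ASL variant first has to flatten the unmapped key/value list (mvzip, mvexpand, rex, eval {key}=value) to reach responseElements.accessKey.userName. The following is an added Python example, not code from the page or from Splunk, that normalizes both record shapes and applies that test to constructed records. The ASL field layout follows the rule's field names; that requestParameters.userName would also appear in unmapped[] is an assumption. It compares names exactly rather than with the SPL's match() regex test, for the reason given in the comment:

```python
"""Flag CreateAccessKey / UpdateLoginProfile calls whose target is a
different IAM user than the caller, for two record shapes: raw CloudTrail
JSON and an Amazon Security Lake (OCSF) record whose CloudTrail-only fields
sit in the unmapped[] key/value list. Constructed sample records."""

CONSOLE_USER_AGENT = "console.amazonaws.com"
# Both CloudTrail rules on the page read the target from requestParameters.userName.
CROSS_USER_EVENTS = ("CreateAccessKey", "UpdateLoginProfile")

# Constructed sample records (not real CloudTrail or Security Lake data).
SAMPLE_RECORDS = [
    # CloudTrail: alice creates a key for bob from the CLI -> reported.
    {"eventName": "CreateAccessKey", "errorCode": "success", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"userName": "alice"}, "requestParameters": {"userName": "bob"}},
    # CloudTrail: bob rotates his own key -> not cross-user.
    {"eventName": "CreateAccessKey", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"userName": "bob"}, "requestParameters": {"userName": "bob"}},
    # CloudTrail: console password reset by an admin -> excluded by the user-agent filter.
    {"eventName": "UpdateLoginProfile", "userAgent": "console.amazonaws.com",
     "userIdentity": {"userName": "alice"}, "requestParameters": {"userName": "carol"}},
    # CloudTrail: "bob-admin" resets bob's password -> reported here, dropped by match().
    {"eventName": "UpdateLoginProfile", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"userName": "bob-admin"}, "requestParameters": {"userName": "bob"}},
    # Security Lake: eve creates a key for admin -> reported.
    {"api": {"operation": "CreateAccessKey", "service": {"name": "iam.amazonaws.com"}, "response": {}},
     "identity": {"user": {"name": "eve", "type": "IAMUser"}},
     "http_request": {"user_agent": "Boto3/1.34.0"},
     "unmapped": [{"key": "responseElements.accessKey.userName", "value": "admin"},
                  {"key": "responseElements.accessKey.status", "value": "Active"}]},
    # Security Lake: the same call denied -> api.response.error is set.
    {"api": {"operation": "CreateAccessKey", "service": {"name": "iam.amazonaws.com"},
             "response": {"error": "AccessDenied"}},
     "identity": {"user": {"name": "eve", "type": "IAMUser"}},
     "http_request": {"user_agent": "Boto3/1.34.0"},
     "unmapped": [{"key": "requestParameters.userName", "value": "admin"}]},  # assumed placement
]


def _get(record, dotted_path):
    """Fetch a nested field by dotted path; None when any segment is missing."""
    node = record
    for part in dotted_path.split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    return node


def flatten_unmapped(asl_record):
    """Turn ASL's unmapped[] list of {key, value} into a flat dict. This is
    what the rule's mvzip/mvexpand/rex/eval {key}=value chain does in SPL."""
    return {item["key"]: item["value"] for item in asl_record.get("unmapped", [])}


def normalize(record):
    """Reduce either record shape to (event, actor, target, user_agent, succeeded)."""
    if "api" in record:  # Security Lake / OCSF shape
        extra = flatten_unmapped(record)
        return (
            _get(record, "api.operation"),
            _get(record, "identity.user.name"),
            # The ASL rule reads the target from responseElements.accessKey.userName,
            # which lives in unmapped[]; requestParameters.userName as a fallback is assumed.
            extra.get("responseElements.accessKey.userName") or extra.get("requestParameters.userName"),
            _get(record, "http_request.user_agent"),
            _get(record, "api.response.error") is None,
        )
    return (  # raw CloudTrail shape
        record.get("eventName"),
        _get(record, "userIdentity.userName"),
        _get(record, "requestParameters.userName"),
        record.get("userAgent"),
        record.get("errorCode") in (None, "success"),  # raw CloudTrail omits errorCode on success
    )


def detect_cross_user_changes(records):
    """Apply the rules' filters and keep calls whose caller differs from the target."""
    findings = []
    for record in records:
        event, actor, target, user_agent, succeeded = normalize(record)
        if event not in CROSS_USER_EVENTS or not succeeded:
            continue
        if user_agent == CONSOLE_USER_AGENT:  # all three rules exclude console-originated calls
            continue
        # Exact comparison instead of the SPL's match(caller, target): there the target
        # name is used as a regex, so target "bob" matches caller "bob-admin" and that
        # cross-user event would be dropped. No target means the caller acted on itself.
        if target is None or actor == target:
            continue
        findings.append({"event": event, "actor": actor, "target": target, "user_agent": user_agent})
    return findings
```

Running detect_cross_user_changes over SAMPLE_RECORDS reports alice→bob, bob-admin→bob and eve→admin; the self-rotation, the console reset and the denied Security Lake call are dropped.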

Detect New Open S3 buckets

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket.

Detection logic

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl 
| rex field=_raw "(?<json_field>{.+})" 
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} 
| search grantees=* 
| mvexpand grantees 
| spath input=grantees output=uri path=Grantee.URI 
| spath input=grantees output=permission path=Permission 
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") 
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") 
| rename requestParameters.bucketName AS bucketName 
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_filter` 

Detect New Open S3 Buckets over AWS CLI

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the AWS CLI.

Detection logic

`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") 
| rename requestParameters.bucketName AS bucketName 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_over_aws_cli_filter` 
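The two S3 rules above see the same PutBucketAcl call in two shapes: an AccessControlPolicy body with a Grant list, or the canned x-amz-grant-* headers that the AWS CLI's --grant-* options send. The following added Python example (not from the page or the Splunk rules) evaluates both shapes on constructed CloudTrail events, reporting one finding per grant to AllUsers or AuthenticatedUsers with a permission from the rules' list; the sample header value format is an assumption:

```python
"""Detect PutBucketAcl calls that grant a public group (AllUsers or
AuthenticatedUsers) access to a bucket, for both request shapes CloudTrail
records: a full AccessControlPolicy body and canned x-amz-grant-* headers.
Constructed sample events."""

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
RISKY_PERMISSIONS = {"READ", "READ_ACP", "WRITE", "WRITE_ACP", "FULL_CONTROL"}
HEADER_TO_PERMISSION = {
    "x-amz-grant-read": "READ",
    "x-amz-grant-read-acp": "READ_ACP",
    "x-amz-grant-write": "WRITE",
    "x-amz-grant-write-acp": "WRITE_ACP",
    "x-amz-grant-full-control": "FULL_CONTROL",
}

# Constructed sample events (not real CloudTrail data).
SAMPLE_EVENTS = [
    # Full ACL body: the owner keeps FULL_CONTROL, everyone gets READ.
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl", "userAgent": "[S3Console/0.4]",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "data-export",
         "AccessControlPolicy": {"AccessControlList": {"Grant": [
             {"Grantee": {"ID": "0123456789abcdef0123456789abcdef01234567", "xsi:type": "CanonicalUser"},
              "Permission": "FULL_CONTROL"},
             {"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers", "xsi:type": "Group"},
              "Permission": "READ"}]}}}},
    # AWS CLI with --grant-read: canned header form (value format assumed).
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userAgent": "[aws-cli/2.15.0 Python/3.11.6 Linux/6.5.0 exe/x86_64]",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"bucketName": "shared-drop",
         "accessControlList": {"x-amz-grant-read": 'uri="http://acs.amazonaws.com/groups/global/AuthenticatedUsers"'}}},
    # The log delivery group is an AWS service group, not a public one.
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl", "userAgent": "[aws-cli/2.15.0]",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/carol"},
     "requestParameters": {"bucketName": "access-logs",
         "AccessControlPolicy": {"AccessControlList": {"Grant":
             {"Grantee": {"URI": "http://acs.amazonaws.com/groups/s3/LogDelivery", "xsi:type": "Group"},
              "Permission": "WRITE"}}}}},
    # A different API: bucket policies are outside these two rules.
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "data-export"}},
]


def public_grants(event):
    """Yield (group, permission) for every grant in a PutBucketAcl event that
    targets a public group, whichever shape the request took."""
    params = event.get("requestParameters") or {}

    # Shape 1: ACL document in the body (requestParameters.AccessControlPolicy...Grant{}).
    acl_list = (params.get("AccessControlPolicy") or {}).get("AccessControlList") or {}
    grants = acl_list.get("Grant") or []
    if isinstance(grants, dict):  # a single grant is recorded as an object, not a list
        grants = [grants]
    for grant in grants:
        uri = (grant.get("Grantee") or {}).get("URI")
        permission = grant.get("Permission")
        if uri in PUBLIC_GROUPS and permission in RISKY_PERMISSIONS:
            yield PUBLIC_GROUPS[uri], permission

    # Shape 2: canned grant headers (requestParameters.accessControlList.x-amz-grant-*).
    # A substring test on the group URI plays the role of the SPL's "*AllUsers" wildcard.
    headers = params.get("accessControlList") or {}
    for header, permission in HEADER_TO_PERMISSION.items():
        value = headers.get(header) or ""
        for uri, group in PUBLIC_GROUPS.items():
            if uri in value:
                yield group, permission


def detect_open_buckets(events):
    """Apply the rules' event filter and collect one finding per public grant."""
    findings = []
    for event in events:
        if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") != "PutBucketAcl":
            continue
        if event.get("errorCode") not in (None, "success"):  # raw CloudTrail omits errorCode on success
            continue
        params = event.get("requestParameters") or {}
        for group, permission in public_grants(event):
            findings.append({
                "bucketName": params.get("bucketName"),
                "grantee": group,
                "permission": permission,
                "user_arn": (event.get("userIdentity") or {}).get("arn"),
                "userAgent": event.get("userAgent"),
            })
    return findings
```

Unlike the second SPL search, which lists only the acp/write/full-control headers in its filter terms but reports x-amz-grant-read in its stats, the example treats a READ grant to a public group as a finding in both shapes.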

ASL AWS Defense Evasion Delete Cloudtrail

Description

This analytic identifies AWS DeleteTrail events within CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteTrail 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`

AWS Defense Evasion Stop Logging Cloudtrail

Description

This analytic identifies StopLogging events in CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may easily stop logging.

Detection logic

`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `aws_defense_evasion_stop_logging_cloudtrail_filter`

AWS Defense Evasion Delete Cloudtrail

Description

This analytic identifies AWS DeleteTrail events within CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`

AWS Lambda UpdateFunctionCode

Description

This analytic is designed to detect IAM users attempting to update or modify AWS Lambda function code via the AWS CLI to gain persistence, further access into your AWS environment, and to facilitate planting backdoors. In this instance, an attacker may upload malicious code or a binary to a Lambda function, which will be executed automatically when the function is triggered.

Detection logic

`cloudtrail` eventSource=lambda.amazonaws.com eventName=UpdateFunctionCode*  errorCode = success  user_type=IAMUser 
| stats  count min(_time) as firstTime max(_time) as lastTime  values(requestParameters.functionName) as function_updated by src_ip user_arn user_agent user_type eventName aws_account_id 
|`aws_lambda_updatefunctioncode_filter`
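The DeleteLogGroup, StopLogging, DeleteTrail and UpdateFunctionCode rules are all single-event filters followed by the same `stats count min(_time) max(_time) values(<resource>) by src ... user_arn` summary. The following added Python example (not from the page or from Splunk) expresses those four rules as a table and runs them over constructed CloudTrail events, reproducing the per-actor aggregation; note the two rule-specific details it encodes, the `UpdateFunctionCode*` prefix match (CloudTrail suffixes Lambda event names with an API version) and the Lambda rule's user_type=IAMUser filter, which the example maps to userIdentity.type:

```python
"""Table-driven version of the page's single-event rules (DeleteLogGroup,
StopLogging, DeleteTrail, UpdateFunctionCode) with the stats-style
aggregation each rule ends with. Constructed sample events."""

CONSOLE_USER_AGENT = "console.amazonaws.com"

# One entry per rule: the filter terms and the field summarized by values().
RULES = [
    {"name": "AWS Defense Evasion Delete CloudWatch Log Group", "eventName": "DeleteLogGroup",
     "eventSource": "logs.amazonaws.com", "resource": "requestParameters.logGroupName"},
    {"name": "AWS Defense Evasion Stop Logging Cloudtrail", "eventName": "StopLogging",
     "eventSource": "cloudtrail.amazonaws.com", "resource": "requestParameters.name"},
    {"name": "AWS Defense Evasion Delete Cloudtrail", "eventName": "DeleteTrail",
     "eventSource": "cloudtrail.amazonaws.com", "resource": "requestParameters.name"},
    # Prefix match for "UpdateFunctionCode*"; this rule keeps console calls but
    # requires an IAM user (user_type=IAMUser, here userIdentity.type).
    {"name": "AWS Lambda UpdateFunctionCode", "eventName": "UpdateFunctionCode", "prefix": True,
     "eventSource": "lambda.amazonaws.com", "resource": "requestParameters.functionName",
     "exclude_console": False, "user_type": "IAMUser"},
]

MALLORY = "arn:aws:iam::123456789012:user/mallory"
# Constructed sample events (not real CloudTrail data).
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-10T10:00:00Z", "eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "sourceIPAddress": "203.0.113.5", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"arn": MALLORY, "type": "IAMUser"}, "requestParameters": {"name": "main-trail"}},
    {"eventTime": "2024-01-10T10:02:00Z", "eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "sourceIPAddress": "203.0.113.5", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"arn": MALLORY, "type": "IAMUser"}, "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-01-10T10:05:00Z", "eventName": "DeleteTrail", "eventSource": "cloudtrail.amazonaws.com",
     "sourceIPAddress": "203.0.113.5", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"arn": MALLORY, "type": "IAMUser"}, "requestParameters": {"name": "main-trail"}},
    # Console deletion of a log group: excluded by the userAgent filter.
    {"eventTime": "2024-01-10T10:07:00Z", "eventName": "DeleteLogGroup", "eventSource": "logs.amazonaws.com",
     "sourceIPAddress": "198.51.100.7", "userAgent": "console.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice", "type": "IAMUser"},
     "requestParameters": {"logGroupName": "/aws/lambda/old-func"}},
    {"eventTime": "2024-01-10T10:10:00Z", "eventName": "UpdateFunctionCode20150331v2",
     "eventSource": "lambda.amazonaws.com", "sourceIPAddress": "203.0.113.5", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"arn": MALLORY, "type": "IAMUser"}, "requestParameters": {"functionName": "billing-export"}},
    # CI pipeline deploying through an assumed role: outside the Lambda rule's user_type filter.
    {"eventTime": "2024-01-10T10:12:00Z", "eventName": "UpdateFunctionCode20150331v2",
     "eventSource": "lambda.amazonaws.com", "sourceIPAddress": "192.0.2.20", "userAgent": "aws-sdk-go/1.44.0",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/run-42", "type": "AssumedRole"},
     "requestParameters": {"functionName": "billing-export"}},
    # Denied attempt: errorCode is set.
    {"eventTime": "2024-01-10T10:15:00Z", "eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "sourceIPAddress": "198.51.100.9", "userAgent": "aws-cli/2.15.0", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/eve", "type": "IAMUser"},
     "requestParameters": {"name": "main-trail"}},
]


def _get(record, dotted_path):
    """Fetch a nested field by dotted path; None when any segment is missing."""
    node = record
    for part in dotted_path.split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    return node


def matches(event, rule):
    """The search filter of one rule."""
    name = event.get("eventName") or ""
    if rule.get("prefix"):
        if not name.startswith(rule["eventName"]):
            return False
    elif name != rule["eventName"]:
        return False
    if event.get("eventSource") != rule["eventSource"]:
        return False
    if event.get("errorCode") not in (None, "success"):  # raw CloudTrail omits errorCode on success
        return False
    if rule.get("exclude_console", True) and event.get("userAgent") == CONSOLE_USER_AGENT:
        return False
    if rule.get("user_type") and _get(event, "userIdentity.type") != rule["user_type"]:
        return False
    return True


def run_rules(events, rules=RULES):
    """Group matching events by (rule, src, user_arn) and summarize like stats."""
    buckets = {}
    for event in events:
        for rule in rules:
            if not matches(event, rule):
                continue
            key = (rule["name"], event.get("sourceIPAddress"), _get(event, "userIdentity.arn"))
            bucket = buckets.setdefault(key, {
                "rule": key[0], "src": key[1], "user_arn": key[2], "count": 0,
                "firstTime": event["eventTime"], "lastTime": event["eventTime"], "resources": set()})
            bucket["count"] += 1
            # Same-format ISO-8601 UTC timestamps compare correctly as strings.
            bucket["firstTime"] = min(bucket["firstTime"], event["eventTime"])
            bucket["lastTime"] = max(bucket["lastTime"], event["eventTime"])
            resource = _get(event, rule["resource"])
            if resource:
                bucket["resources"].add(resource)
    results = sorted(buckets.values(), key=lambda b: (b["rule"], b["user_arn"] or ""))
    for bucket in results:
        bucket["resources"] = sorted(bucket["resources"])  # values() as a sorted list
    return results
```

Running run_rules on SAMPLE_EVENTS yields three rows: mallory's two StopLogging calls collapse into one row listing both trails with firstTime 10:00 and lastTime 10:02, her DeleteTrail and UpdateFunctionCode calls get a row each, and the console deletion, the assumed-role deployment and the denied StopLogging are filtered out.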

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

ASL AWS CreateAccessKey

Description

This detection rule monitors the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While developers and administrators legitimately create access keys for API access, their creation can also indicate malicious activity: an attacker who has gained a foothold in an AWS environment may create access keys to establish persistence or to exfiltrate data through the APIs. Because access keys authenticate to AWS services without any further interaction, they are particularly attractive to an adversary trying to stay under the radar. Access key creation events therefore deserve scrutiny, especially when they coincide with unusual activity or come from users who do not normally perform this action. This hunting query identifies a potentially compromised user creating an IAM access key for another user, who may hold higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be run manually during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the original victim (user A).

Detection logic

`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While developers and administrators legitimately create access keys for API access, their creation can also indicate malicious activity: an attacker who has gained a foothold in an AWS environment may create access keys to establish persistence or to exfiltrate data through the APIs. Because access keys authenticate to AWS services without any further interaction, they are particularly attractive to an adversary trying to stay under the radar. Access key creation events therefore deserve scrutiny, especially when they coincide with unusual activity or come from users who do not normally perform this action. This hunting query identifies a potentially compromised user creating an IAM access key for another user, who may hold higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be run manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`
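The "caller is not the target user" test shared by the ASL AWS CreateAccessKey, AWS UpdateLoginProfile and AWS CreateAccessKey rules above, as an added Python example that is not part of the LoFP page or of the Splunk rules. It runs over constructed CloudTrail records and one constructed Security Lake (OCSF) record; the account ID, user names, IP and user agents are made up. Two choices differ deliberately from the SPL and are commented in the code: the comparison is exact rather than the SPL match(), whose second argument is a regex (so a caller named bob would "match" a target named bobby and the event would be suppressed), and the OCSF "unmapped" list is assumed to arrive as [{"key": ..., "value": ...}, ...], which is what the rule's mvzip/mvexpand/rex/eval {key}=value sequence rebuilds.

```python
CONSOLE_UA = "console.amazonaws.com"
CROSS_USER_APIS = {"CreateAccessKey", "UpdateLoginProfile"}


def is_cross_user_credential_change(event):
    """CloudTrail shape. True when an IAM principal creates an access key for, or
    resets the console password of, a different IAM user, outside the console,
    and the call succeeded (the two match=0 rules above)."""
    if event.get("eventName") not in CROSS_USER_APIS:
        return False
    if event.get("userAgent") == CONSOLE_UA:       # both rules exclude the console
        return False
    if event.get("errorCode"):                       # CloudTrail omits errorCode on success
        return False
    target = (event.get("requestParameters") or {}).get("userName")
    if target is None:
        # userName omitted: the call applies to the caller itself. The SPL drops these
        # too, because 'stats ... by requestParameters.userName' discards null values.
        return False
    actor = event.get("userIdentity", {}).get("userName")
    # Exact comparison instead of the SPL match(), which treats target as a regex.
    # A role session has no userName, so actor is None and the event is kept; the
    # SPL behaves the same way (match() on a null field yields match=0).
    return actor != target


def flatten_unmapped(asl_event):
    """Security Lake keeps CloudTrail fields OCSF does not model in an 'unmapped'
    key/value list (assumed shape: [{"key": ..., "value": ...}, ...])."""
    return {kv["key"]: kv["value"] for kv in asl_event.get("unmapped", [])}


def is_cross_user_create_access_key_asl(asl_event):
    """OCSF shape of the same test, using responseElements.accessKey.userName
    recovered from the unmapped list as the ASL rule does."""
    api = asl_event.get("api", {})
    if api.get("operation") != "CreateAccessKey":
        return False
    if asl_event.get("http_request", {}).get("user_agent") == CONSOLE_UA:
        return False
    if api.get("response", {}).get("error") is not None:
        return False
    target = flatten_unmapped(asl_event).get("responseElements.accessKey.userName")
    if target is None:
        return False
    actor = asl_event.get("identity", {}).get("user", {}).get("name")
    return actor != target


def scan(events):
    """Mimic the stats step: (actor, target, api) for every flagged CloudTrail event."""
    return [(e["userIdentity"].get("userName") or e["userIdentity"].get("arn"),
             e["requestParameters"]["userName"], e["eventName"])
            for e in events if is_cross_user_credential_change(e)]


_ALICE = {"type": "IAMUser", "userName": "alice",
          "arn": "arn:aws:iam::123456789012:user/alice"}
_CLI_UA = "aws-cli/2.15.0 Python/3.11.6 Linux/6.1.0 exe/x86_64"
_BASE = {"eventSource": "iam.amazonaws.com", "userIdentity": _ALICE,
         "sourceIPAddress": "203.0.113.10"}

SAMPLE_CLOUDTRAIL = [  # constructed, not real log data
    # 0: alice mints an access key for admin-bob from the CLI -> flagged
    {**_BASE, "eventName": "CreateAccessKey", "userAgent": _CLI_UA,
     "requestParameters": {"userName": "admin-bob"}},
    # 1: alice rotates her own key -> not flagged
    {**_BASE, "eventName": "CreateAccessKey", "userAgent": _CLI_UA,
     "requestParameters": {"userName": "alice"}},
    # 2: alice resets admin-bob's console password -> flagged
    {**_BASE, "eventName": "UpdateLoginProfile", "userAgent": _CLI_UA,
     "requestParameters": {"userName": "admin-bob", "passwordResetRequired": False}},
    # 3: the same reset done in the console -> excluded by the user agent test
    {**_BASE, "eventName": "UpdateLoginProfile", "userAgent": CONSOLE_UA,
     "requestParameters": {"userName": "admin-bob", "passwordResetRequired": False}},
    # 4: denied attempt -> errorCode present, excluded
    {**_BASE, "eventName": "CreateAccessKey", "userAgent": _CLI_UA,
     "requestParameters": {"userName": "admin-bob"}, "errorCode": "AccessDenied"},
]

SAMPLE_ASL = {  # event 0 as Security Lake would present it (constructed)
    "api": {"operation": "CreateAccessKey", "service": {"name": "iam.amazonaws.com"},
            "response": {}},
    "http_request": {"user_agent": _CLI_UA},
    "identity": {"user": {"name": "alice", "type": "IAMUser",
                          "uid": "arn:aws:iam::123456789012:user/alice"}},
    "src_endpoint": {"ip": "203.0.113.10"},
    "unmapped": [{"key": "responseElements.accessKey.userName", "value": "admin-bob"},
                 {"key": "responseElements.accessKey.status", "value": "Active"}],
}

if __name__ == "__main__":
    print(scan(SAMPLE_CLOUDTRAIL))
    print(is_cross_user_create_access_key_asl(SAMPLE_ASL))
```

The denied attempt (event 4) is worth keeping in a separate hunt rather than discarding: a failed CreateAccessKey against a more privileged user is often the first visible step of an escalation attempt, and both rules drop it with errorCode = success.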

Detect New Open S3 buckets

Description

This search looks for AWS CloudTrail events where a user has made an S3 bucket open/public by granting the AllUsers or AuthenticatedUsers group access through the bucket ACL (PutBucketAcl).

Detection logic

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl 
| rex field=_raw "(?<json_field>{.+})" 
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} 
| search grantees=* 
| mvexpand grantees 
| spath input=grantees output=uri path=Grantee.URI 
| spath input=grantees output=permission path=Permission 
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") 
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") 
| rename requestParameters.bucketName AS bucketName 
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_filter` 

Detect New Open S3 Buckets over AWS CLI

Description

This search looks for AWS CloudTrail events where a user has made an S3 bucket open/public over the AWS CLI, where the grants arrive as x-amz-grant-* request headers rather than as an AccessControlPolicy body.

Detection logic

`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") 
| rename requestParameters.bucketName AS bucketName 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_over_aws_cli_filter` 
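
As an added example (not one of the page's rules), the following Python applies the two bucket-ACL checks above to constructed CloudTrail records, handling both the AccessControlPolicy body and the x-amz-grant-* header form; unlike the CLI rule as written it also counts x-amz-grant-read. The account id, ARNs and bucket names are placeholders.

```python
"""Public S3 ACL detection over CloudTrail PutBucketAcl records (added example).

Covers both request shapes the two rules above key on: the JSON
AccessControlPolicy body (console/SDK) and the x-amz-grant-* headers that
the aws-cli sends. All events below are constructed, not real CloudTrail data.
"""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTH_USERS}
RISKY_PERMISSIONS = {"READ", "READ_ACP", "WRITE", "WRITE_ACP", "FULL_CONTROL"}

# Header name -> S3 permission it grants. The CLI rule above omits
# x-amz-grant-read from its filter; it is included here because a public
# READ grant is the most common form of an open bucket.
HEADER_PERMISSIONS = {
    "x-amz-grant-read": "READ",
    "x-amz-grant-read-acp": "READ_ACP",
    "x-amz-grant-write": "WRITE",
    "x-amz-grant-write-acp": "WRITE_ACP",
    "x-amz-grant-full-control": "FULL_CONTROL",
}


def public_grants(event):
    """Return [(bucket, grantee_uri, permission), ...] for one CloudTrail event."""
    if (event.get("eventSource") != "s3.amazonaws.com"
            or event.get("eventName") != "PutBucketAcl"):
        return []
    params = event.get("requestParameters") or {}
    bucket = params.get("bucketName")
    findings = []

    # Shape 1: AccessControlPolicy.AccessControlList.Grant (a list, or one dict)
    acl = (params.get("AccessControlPolicy") or {}).get("AccessControlList") or {}
    grants = acl.get("Grant") or []
    if isinstance(grants, dict):
        grants = [grants]
    for grant in grants:
        uri = (grant.get("Grantee") or {}).get("URI")
        perm = grant.get("Permission")
        if uri in PUBLIC_GRANTEES and perm in RISKY_PERMISSIONS:
            findings.append((bucket, uri, perm))

    # Shape 2: accessControlList.x-amz-grant-* headers, whose value is a
    # comma-separated list such as "uri=<group uri>, id=<canonical id>"
    headers = params.get("accessControlList") or {}
    for header, perm in HEADER_PERMISSIONS.items():
        for grantee in str(headers.get(header, "")).split(","):
            grantee = grantee.strip()
            if grantee.startswith("uri=") and grantee[4:] in PUBLIC_GRANTEES:
                findings.append((bucket, grantee[4:], perm))
    return findings


def scan(events):
    """Count findings per (actor ARN, bucket, grantee, permission), like the stats clause."""
    counts = {}
    for event in events:
        actor = (event.get("userIdentity") or {}).get("arn")
        for bucket, uri, perm in public_grants(event):
            key = (actor, bucket, uri, perm)
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample records (account id, ARNs and bucket names are placeholders).
SAMPLE_EVENTS = [
    {  # console-style: full ACL body, READ granted to everyone
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "userAgent": "console.amazonaws.com",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {
            "bucketName": "example-public-bucket",
            "AccessControlPolicy": {"AccessControlList": {"Grant": [
                {"Grantee": {"URI": ALL_USERS}, "Permission": "READ"},
                {"Grantee": {"ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
            ]}},
        },
    },
    {  # aws-cli style: canned grant header, WRITE for any AWS account
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "userAgent": "[aws-cli/2.0.0 Python/3.11.0 Linux/6.1 exe/x86_64]",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": {
            "bucketName": "example-cli-bucket",
            "accessControlList": {"x-amz-grant-write": "uri=" + AUTH_USERS},
        },
    },
    {  # grant to one specific canonical user: must not alert
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/carol"},
        "requestParameters": {
            "bucketName": "example-private-bucket",
            "accessControlList": {"x-amz-grant-read": "id=partner-canonical-id"},
        },
    },
]

if __name__ == "__main__":
    for (actor, bucket, uri, perm), count in scan(SAMPLE_EVENTS).items():
        print(f"{actor} granted {perm} on {bucket} to {uri} ({count}x)")
```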

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`
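
An added example, not the project's own code: the same wildcard test applied in Python to constructed policy documents, reading Action as a string or a list and ignoring Deny statements. The rule's expression matches only a bare `*` or `service:*`, so partial wildcards such as `iam:Get*` are not flagged; URL-decoding of policyDocument is an assumption.

```python
"""Wildcard-action check for IAM policy documents (added example).

Applies the same test as the rule above: an Allow statement whose Action is
"*" or "<service>:*". The policy documents below are constructed.
"""
import json
import re
from urllib.parse import unquote

# Same expression the rule applies to each Action value.
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def load_policy_document(doc):
    """Accept a dict, a JSON string, or a URL-encoded JSON string.
    (Assumption: CloudTrail may record policyDocument URL-encoded.)"""
    if isinstance(doc, dict):
        return doc
    text = doc.strip()
    if text.startswith("%"):
        text = unquote(text)
    return json.loads(text)


def wildcard_allow_statements(policy_document):
    """Return [{'actions': [...], 'resource': ...}] for every Allow statement
    that contains at least one wildcard action."""
    doc = load_policy_document(policy_document)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):   # a single statement need not be a list
        statements = [statements]
    hits = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        matched = [a for a in actions if WILDCARD_ACTION.match(a)]
        if matched:
            hits.append({"actions": matched, "resource": stmt.get("Resource")})
    return hits


def evaluate_event(event):
    """Mirror the rule's event filter, then inspect the policy document.
    Returns the offending statements (empty when the event is benign)."""
    if event.get("eventName") != "CreatePolicyVersion":
        return []
    if event.get("eventSource") != "iam.amazonaws.com":
        return []
    if event.get("errorCode"):          # CloudTrail sets errorCode only on failure
        return []
    doc = (event.get("requestParameters") or {}).get("policyDocument")
    return wildcard_allow_statements(doc) if doc else []


# Constructed sample policies and event (account id and ARNs are placeholders).
FULL_ADMIN = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SERVICE_WILDCARD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "iam:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*"},   # Deny is ignored
]}
PARTIAL_WILDCARD = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "iam:Get*", "Resource": "*"}}  # not matched

SAMPLE_EVENT = {
    "eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com",
    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
    "requestParameters": {
        "policyArn": "arn:aws:iam::123456789012:policy/example-policy",
        "policyDocument": json.dumps(SERVICE_WILDCARD),   # recorded as a string
        "setAsDefault": True,
    },
}

if __name__ == "__main__":
    for hit in evaluate_event(SAMPLE_EVENT):
        print("wildcard Allow statement:", hit)
```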

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the old victim (user A).

Detection logic

`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`
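
An added example (not Splunk's code) serving both the ASL AWS CreateAccessKey and AWS UpdateLoginProfile rules above: the actor-versus-target comparison in Python over constructed CloudTrail-shaped events, using the CloudTrail field names rather than the Security Lake ones. User names and the user agent string are placeholders.

```python
"""Cross-user IAM credential actions over CloudTrail records (added example).

Implements the comparison the ASL AWS CreateAccessKey and AWS UpdateLoginProfile
rules make: the calling IAM user (userIdentity.userName) differs from the user
named in the request (requestParameters.userName). Uses the CloudTrail field
layout only, not the Security Lake (OCSF) layout. All events are constructed.
"""

CROSS_USER_ACTIONS = {"CreateAccessKey", "UpdateLoginProfile"}


def cross_user_action(event):
    """Return (actor, target, eventName) when one IAM user touches another
    user's credentials through the API/CLI; None otherwise."""
    if event.get("eventName") not in CROSS_USER_ACTIONS:
        return None
    if event.get("eventSource") != "iam.amazonaws.com":
        return None
    if event.get("errorCode"):                              # failed calls carry errorCode
        return None
    if event.get("userAgent") == "console.amazonaws.com":   # the rules exclude the console
        return None
    actor = (event.get("userIdentity") or {}).get("userName")
    if actor is None:
        # Assumed-role sessions have no userIdentity.userName, so the
        # userName comparison the rules rely on cannot be made for them.
        return None
    params = event.get("requestParameters") or {}
    # CreateAccessKey with no userName parameter acts on the caller's own user.
    target = params.get("userName") or actor
    # Exact comparison. The SPL uses match(), a regex test, which also treats
    # the target "bob" as matching the actor "bob-admin" and suppresses that event.
    if target == actor:
        return None
    return (actor, target, event["eventName"])


def hunt(events):
    """Count hits per (actor, target, eventName), like the rules' stats clause."""
    summary = {}
    for event in events:
        hit = cross_user_action(event)
        if hit:
            summary[hit] = summary.get(hit, 0) + 1
    return summary


def _event(name, actor, target=None, **extra):
    """Build a constructed CloudTrail-shaped record (placeholder values)."""
    record = {
        "eventName": name, "eventSource": "iam.amazonaws.com",
        "userAgent": "aws-cli/2.0.0 Python/3.11.0 Linux/6.1",
        "userIdentity": {"type": "IAMUser", "userName": actor},
        "requestParameters": {},
    }
    if target is not None:
        record["requestParameters"]["userName"] = target
    record.update(extra)
    return record


SAMPLE_EVENTS = [
    _event("CreateAccessKey", "alice", "admin-svc"),            # hit
    _event("UpdateLoginProfile", "alice", "admin-svc"),         # hit
    _event("CreateAccessKey", "bob"),                           # own key: benign
    _event("CreateAccessKey", "bob-admin", "bob"),              # hit; regex match() would miss it
    _event("UpdateLoginProfile", "carol", "dave",
           userAgent="console.amazonaws.com"),                  # console: excluded by the rules
    _event("CreateAccessKey", "erin", "frank",
           errorCode="AccessDenied"),                           # failed call: excluded
    _event("CreateAccessKey", None, "grace",
           userIdentity={"type": "AssumedRole"}),               # role session: no userName
]

if __name__ == "__main__":
    for (actor, target, name), count in hunt(SAMPLE_EVENTS).items():
        print(f"{actor} -> {target}: {name} x{count}")
```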

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates a IAM access key for another user who may have higher privilleges, which can be a sign for privilege escalation. Hunting queries are designed to be executed manual during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`
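The same test the SPL applies, written out in plain Python so the parsing steps are visible: pull `requestParameters.policyDocument` (a JSON string in CloudTrail), walk each `Statement`, and flag `Allow` statements whose `Action` is `*` or `<service>:*`. This is an added example, not the rule's own code; the records are constructed sample data, and it treats a missing `errorCode` as success, which is how raw CloudTrail records a successful call and what the Splunk add-on normalises to `errorCode=success`.

```python
"""Flag IAM CreatePolicyVersion events whose new policy version allows wildcard actions.

Added example (not part of the original rule): the same test the SPL above
applies (Effect=Allow and an Action of "*" or "<service>:*"), run in plain
Python over constructed CloudTrail records.
"""
import json
import re

# The pattern the rule applies to each Action value: "*" or "<service>:*".
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def _as_list(value):
    """IAM lets Statement and Action be either a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_allow_statements(event):
    """Return the Allow statements of a successful CreatePolicyVersion call
    that contain a wildcard action; [] when the event does not qualify."""
    if event.get("eventName") != "CreatePolicyVersion":
        return []
    if event.get("eventSource") != "iam.amazonaws.com":
        return []
    # Raw CloudTrail omits errorCode on success (the Splunk add-on maps that
    # absence to errorCode=success, which is what the SPL filters on).
    if event.get("errorCode"):
        return []
    params = event.get("requestParameters") or {}
    doc = params.get("policyDocument")
    # CloudTrail stores the policy document as a JSON string, hence the spath
    # calls in the SPL; here json.loads does the same job.
    if isinstance(doc, str):
        try:
            doc = json.loads(doc)
        except json.JSONDecodeError:
            return []
    if not isinstance(doc, dict):
        return []
    hits = []
    for stmt in _as_list(doc.get("Statement")):
        if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if any(isinstance(a, str) and WILDCARD_ACTION.match(a) for a in actions):
            hits.append(stmt)
    return hits


def find_overly_permissive_policy_versions(events):
    """Summarise every qualifying event roughly the way the rule's stats line does."""
    findings = []
    for ev in events:
        stmts = wildcard_allow_statements(ev)
        if not stmts:
            continue
        params = ev.get("requestParameters") or {}
        findings.append({
            "user_arn": (ev.get("userIdentity") or {}).get("arn"),
            "policy_arn": params.get("policyArn"),
            "set_as_default": params.get("setAsDefault"),
            "policy_added": stmts,
        })
    return findings


def _event(statement, error_code=None):
    """Build a constructed CreatePolicyVersion record (sample data, not real)."""
    ev = {
        "eventName": "CreatePolicyVersion",
        "eventSource": "iam.amazonaws.com",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-user"},
        "requestParameters": {
            "policyArn": "arn:aws:iam::111111111111:policy/example-policy",
            "setAsDefault": True,
            "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": statement}),
        },
    }
    if error_code:
        ev["errorCode"] = error_code
    return ev


# Constructed sample records: two should be flagged, three should not.
SAMPLE_EVENTS = [
    _event([{"Effect": "Allow", "Action": "*", "Resource": "*"}]),                                   # flagged
    _event([{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}]),    # scoped: fine
    _event({"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"}),                               # flagged: single statement, service wildcard
    _event([{"Effect": "Deny", "Action": "*", "Resource": "*"}]),                                    # Deny grants nothing
    _event([{"Effect": "Allow", "Action": "*", "Resource": "*"}], error_code="AccessDenied"),        # call failed
]

if __name__ == "__main__":
    for finding in find_overly_permissive_policy_versions(SAMPLE_EVENTS):
        print(finding["policy_arn"], finding["policy_added"])
```

Note that the regex is deliberately strict: `ec2:Describe*` is a prefix wildcard and is not matched, just as in the SPL, so a policy that is broad but service-scoped in that way needs a separate check.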

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation in case the new victim (user B) has more permissions than the old victim (user A).

Detection logic

 `cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`
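The UpdateLoginProfile and CreateAccessKey rules above share one idea: the caller in `userIdentity.userName` differs from the target in `requestParameters.userName`, the call succeeded, and it did not come from the console. The following is an added example (not the rules' own code) that applies that test in Python over constructed CloudTrail records. One deliberate difference: the SPL uses `match(userIdentity.userName, requestParameters.userName)`, which is a regex test, so a caller named `alice-admin` acting on `alice` would be treated as a self-operation and dropped; this version compares the names exactly and flags that case.

```python
"""Flag IAM credential operations a principal performs on a different IAM user.

Added example (not the rules' own code): the shared logic of the
UpdateLoginProfile and CreateAccessKey rules above, run over constructed
CloudTrail records, with an exact name comparison instead of the SPL's regex match().
"""

# eventName -> eventSource; both operations take the target in requestParameters.userName.
CROSS_USER_OPERATIONS = {
    "CreateAccessKey": "iam.amazonaws.com",
    "UpdateLoginProfile": "iam.amazonaws.com",
}
CONSOLE_USER_AGENT = "console.amazonaws.com"   # the rules exclude console-originated calls


def actor_name(event):
    """Caller's IAM user name, or the caller ARN when the caller is not an IAM user
    (an assumed-role session acting on an IAM user is by definition cross-principal)."""
    identity = event.get("userIdentity") or {}
    return identity.get("userName") or identity.get("arn")


def cross_user_operation(event):
    """Return a finding dict when `event` is a successful, non-console CreateAccessKey or
    UpdateLoginProfile whose target user differs from the caller; otherwise None."""
    name = event.get("eventName")
    if CROSS_USER_OPERATIONS.get(name) != event.get("eventSource"):
        return None
    if event.get("userAgent") == CONSOLE_USER_AGENT:
        return None
    if event.get("errorCode"):          # raw CloudTrail omits errorCode on success
        return None
    target = (event.get("requestParameters") or {}).get("userName")
    # CreateAccessKey without userName creates a key for the caller: a self-operation.
    if not target:
        return None
    actor = actor_name(event)
    if actor == target:
        return None
    return {
        "eventName": name,
        "actor": actor,
        "target_user": target,
        "src": event.get("sourceIPAddress"),
        "userAgent": event.get("userAgent"),
        "time": event.get("eventTime"),
    }


def summarise(events):
    """Group findings like the rules' stats line: (eventName, actor, target) -> count/firstTime/lastTime."""
    summary = {}
    for ev in events:
        finding = cross_user_operation(ev)
        if finding is None:
            continue
        key = (finding["eventName"], finding["actor"], finding["target_user"])
        entry = summary.setdefault(key, {"count": 0, "firstTime": finding["time"], "lastTime": finding["time"]})
        entry["count"] += 1
        entry["firstTime"] = min(entry["firstTime"], finding["time"])   # ISO-8601 strings sort chronologically
        entry["lastTime"] = max(entry["lastTime"], finding["time"])
    return summary


def _event(name, actor, target, agent="aws-cli/2.15.0", error=None, when="2024-01-01T10:00:00Z"):
    """Constructed CloudTrail record (sample data, not real)."""
    ev = {
        "eventTime": when, "eventName": name, "eventSource": "iam.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "userName": actor,
                         "arn": f"arn:aws:iam::111111111111:user/{actor}"},
        "requestParameters": {"userName": target} if target else {},
        "sourceIPAddress": "198.51.100.10", "userAgent": agent,
    }
    if error:
        ev["errorCode"] = error
    return ev


SAMPLE_EVENTS = [
    _event("CreateAccessKey", "alice", "bob"),                                   # flagged
    _event("CreateAccessKey", "alice", "alice"),                                 # self: fine
    _event("CreateAccessKey", "alice", None),                                    # implicit self: fine
    _event("CreateAccessKey", "alice", "bob", agent=CONSOLE_USER_AGENT),         # console: excluded by the rules
    _event("UpdateLoginProfile", "alice", "bob", error="AccessDenied"),          # failed call: not flagged
    _event("UpdateLoginProfile", "alice-admin", "alice", when="2024-01-01T11:00:00Z"),  # flagged here; regex match() would drop it
    _event("CreateAccessKey", "alice", "bob", when="2024-01-02T09:30:00Z"),      # second hit for the same pair
]

if __name__ == "__main__":
    for key, entry in summarise(SAMPLE_EVENTS).items():
        print(key, entry)
```

The console exclusion is kept because the rules have it, but it is worth knowing what it costs: an attacker holding a victim's console session can perform the same operations from the console, and those events fall outside both the rules and this example.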

Detect New Open S3 buckets

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket.

Detection logic

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl 
| rex field=_raw "(?<json_field>{.+})" 
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} 
| search grantees=* 
| mvexpand grantees 
| spath input=grantees output=uri path=Grantee.URI 
| spath input=grantees output=permission path=Permission 
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") 
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") 
| rename requestParameters.bucketName AS bucketName 
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_filter` 

Detect New Open S3 Buckets over AWS CLI

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the AWS CLI.

Detection logic

`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") 
| rename requestParameters.bucketName AS bucketName 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_over_aws_cli_filter` 
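The two S3 rules above look for the same thing in two request shapes: a full ACL in the request body (`requestParameters.AccessControlPolicy.AccessControlList.Grant`, the form the first rule unpacks with `spath`) and the canned `x-amz-grant-*` headers the AWS CLI sends for `--grant-read` and friends (`requestParameters.accessControlList.x-amz-grant-*`, the form the second rule matches). The following added example (not the rules' own code) checks both shapes for grants to the `AllUsers` or `AuthenticatedUsers` groups. The records are constructed sample data, and the exact CloudTrail layout of the header form is assumed from the field names the rule uses.

```python
"""Flag PutBucketAcl calls that grant the AllUsers or AuthenticatedUsers group any permission.

Added example (not the rules' own code). Covers both request shapes the two S3 rules
above look for: the XML-body form (AccessControlPolicy.AccessControlList.Grant) and the
header form the AWS CLI emits (accessControlList.x-amz-grant-*). The CloudTrail layout
of the header form is assumed from the field names in the rule.
"""

PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
RISKY_PERMISSIONS = {"READ", "READ_ACP", "WRITE", "WRITE_ACP", "FULL_CONTROL"}

# x-amz-grant-* header -> ACL permission name (all five, including read, which the
# CLI rule only reports in its stats clause).
HEADER_PERMISSIONS = {
    "x-amz-grant-read": "READ",
    "x-amz-grant-read-acp": "READ_ACP",
    "x-amz-grant-write": "WRITE",
    "x-amz-grant-write-acp": "WRITE_ACP",
    "x-amz-grant-full-control": "FULL_CONTROL",
}


def _as_list(value):
    """Grant may be a single object or a list, like every repeated element CloudTrail records."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_grants(event):
    """Return one record per public grant in a PutBucketAcl event; [] otherwise."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") != "PutBucketAcl":
        return []
    params = event.get("requestParameters") or {}
    bucket = params.get("bucketName")
    hits = []

    # Shape 1: full ACL in the request body (console, SDKs, --access-control-policy).
    acl = (params.get("AccessControlPolicy") or {}).get("AccessControlList") or {}
    for grant in _as_list(acl.get("Grant")):
        if not isinstance(grant, dict):
            continue
        uri = (grant.get("Grantee") or {}).get("URI")
        perm = grant.get("Permission")
        if uri in PUBLIC_GRANTEE_URIS and perm in RISKY_PERMISSIONS:
            hits.append({"bucket": bucket, "uri": uri, "permission": perm})

    # Shape 2: grants passed as x-amz-grant-* headers (e.g. --grant-read uri=...).
    headers = params.get("accessControlList") or {}
    for header, perm in HEADER_PERMISSIONS.items():
        value = headers.get(header)
        if not value:
            continue
        # One header can carry several grantees: "uri=...AllUsers, id=0123abc".
        for grantee in str(value).split(","):
            grantee = grantee.strip()
            if grantee.startswith("uri=") and grantee[len("uri="):] in PUBLIC_GRANTEE_URIS:
                hits.append({"bucket": bucket, "uri": grantee[len("uri="):], "permission": perm})
    return hits


def find_open_buckets(events):
    """Map bucket name -> sorted (grantee URI, permission) pairs granted to a public group."""
    by_bucket = {}
    for ev in events:
        for hit in public_grants(ev):
            by_bucket.setdefault(hit["bucket"], set()).add((hit["uri"], hit["permission"]))
    return {bucket: sorted(pairs) for bucket, pairs in by_bucket.items()}


# Constructed sample records (not real CloudTrail data).
SAMPLE_EVENTS = [
    {   # Body form: AllUsers gets READ -> publicly listable bucket
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-user"},
        "requestParameters": {
            "bucketName": "example-public-bucket",
            "AccessControlPolicy": {"AccessControlList": {"Grant": [
                {"Grantee": {"type": "CanonicalUser", "ID": "0123abc"}, "Permission": "FULL_CONTROL"},
                {"Grantee": {"type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                 "Permission": "READ"},
            ]}},
        },
    },
    {   # CLI header form: AuthenticatedUsers (any AWS account) gets WRITE
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "userAgent": "[aws-cli/2.15.0 Python/3.11.6 Linux/6.1.0 exe/x86_64]",
        "requestParameters": {
            "bucketName": "example-cli-bucket",
            "accessControlList": {"x-amz-grant-write": "uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
        },
    },
    {   # Private ACL with a single Grant object (not a list): nothing to report
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "requestParameters": {
            "bucketName": "example-private-bucket",
            "AccessControlPolicy": {"AccessControlList": {"Grant":
                {"Grantee": {"type": "CanonicalUser", "ID": "0123abc"}, "Permission": "FULL_CONTROL"}}},
        },
    },
    {   # The LogDelivery group is not one of the two public groups
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "requestParameters": {
            "bucketName": "example-log-bucket",
            "accessControlList": {"x-amz-grant-write": "uri=http://acs.amazonaws.com/groups/s3/LogDelivery"},
        },
    },
]

if __name__ == "__main__":
    for bucket, grants in find_open_buckets(SAMPLE_EVENTS).items():
        print(bucket, grants)
```

Both rules cover ACL grants only; a bucket can also be opened by a bucket policy (`PutBucketPolicy`) or by disabling Block Public Access (`PutBucketPublicAccessBlock`), which need their own checks.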

ASL AWS Defense Evasion Delete Cloudtrail

Description

This analytic identifies AWS DeleteTrail events within CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteTrail 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`

AWS Defense Evasion Stop Logging Cloudtrail

Description

This analytic identifies StopLogging events in CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may easily stop logging.

Detection logic

`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `aws_defense_evasion_stop_logging_cloudtrail_filter`

AWS Defense Evasion Delete Cloudtrail

Description

This analytic identifies AWS DeleteTrail events within CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`


AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. An overly permissive IAM policy, especially one introduced as a new policy version through the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are risky because they grant more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`
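
The same check as the search above, written as an added Python example for reading a single CreatePolicyVersion record outside Splunk; it is not code from this page or from the detection-content project the search comes from. The sample event, the policy ARN and the policy document are constructed. It applies the search's regex (`^(\*|[\w-]+:\*)$`) to each Allow statement, and handles two shapes the one-line `spath` may not: `Statement` and `Action` given as a single value instead of a list, and a policy document that arrives URL-encoded.

```python
import json
import re
from urllib.parse import unquote

# Same pattern the search applies to each statement's Action:
# a bare "*" or "<service>:*" such as "iam:*" or "s3:*".
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")

# Constructed CloudTrail record (not real data); account id and policy name
# are placeholders.
SAMPLE_EVENT = {
    "eventName": "CreatePolicyVersion",
    "eventSource": "iam.amazonaws.com",
    "requestParameters": {
        "policyArn": "arn:aws:iam::123456789012:policy/example-policy",
        "setAsDefault": True,
        "policyDocument": json.dumps({
            "Version": "2012-10-17",
            "Statement": [
                {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"},
                {"Effect": "Allow", "Action": "*", "Resource": "*"},
                {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
            ],
        }),
    },
}


def _as_list(value):
    """IAM accepts either a string or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def load_policy_document(raw):
    """CloudTrail stores requestParameters.policyDocument as a JSON string;
    decode URL-encoding first when the string starts with an encoded brace."""
    if isinstance(raw, dict):
        return raw
    text = raw.strip()
    if text.startswith("%7B"):
        text = unquote(text)
    return json.loads(text)


def wildcard_allow_statements(event):
    """Return the Allow statements of a successful CreatePolicyVersion event
    whose Action contains a service-wide or global wildcard; [] otherwise."""
    if event.get("eventName") != "CreatePolicyVersion":
        return []
    if event.get("eventSource") != "iam.amazonaws.com":
        return []
    # CloudTrail omits errorCode on success; the Splunk add-on fills "success".
    if event.get("errorCode") not in (None, "success"):
        return []
    doc = load_policy_document(event["requestParameters"]["policyDocument"])
    hits = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if any(WILDCARD_ACTION.match(a) for a in _as_list(stmt.get("Action"))):
            hits.append(stmt)
    return hits


if __name__ == "__main__":
    for stmt in wildcard_allow_statements(SAMPLE_EVENT):
        print("wildcard Allow statement:", json.dumps(stmt))
```

Note that, exactly like the search's regex, this flags `*` and `service:*` but not partial wildcards such as `iam:Create*`; a Deny statement with `iam:*` is ignored because only `Effect: Allow` counts.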

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and a secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys are legitimately used by developers and administrators for API access, their creation can also indicate malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys authenticate to AWS services without any further interaction, they are particularly appealing to bad actors looking to operate under the radar. Consequently, it is important to monitor and scrutinize access key creation events, especially when they are associated with unusual activity or are created by users who do not typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the old victim (user A).

Detection logic

`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`
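
The AWS CreateAccessKey and AWS UpdateLoginProfile searches share one core test: the caller (`userIdentity.userName`) is not the user named in `requestParameters.userName`, the call did not come from the console, and it succeeded. The following is an added Python example of that test over constructed CloudTrail records; it is not code from this page or from the detection-content project the searches come from, and the user names, user agents and records are all made up. The `exact=False` mode reproduces the SPL expression `match(userIdentity.userName, requestParameters.userName)`, which treats the target name as a regular expression, so a substring hit such as `bobby` against `bob` counts as "same user" and that record is dropped; the default exact comparison keeps it.

```python
import re

# Constructed CloudTrail records, not real data. CloudTrail omits errorCode on
# success; the Splunk add-on fills it with "success", so both forms are accepted.
SAMPLE_EVENTS = [
    {   # alice creates a key for bob from the CLI: the cross-user case
        "eventName": "CreateAccessKey",
        "userAgent": "aws-cli/2.15.0 Python/3.11.4",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {"userName": "bob"},
    },
    {   # bob rotates his own key: excluded (caller and target are the same)
        "eventName": "CreateAccessKey",
        "userAgent": "aws-cli/2.15.0 Python/3.11.4",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "requestParameters": {"userName": "bob"},
        "errorCode": "success",
    },
    {   # done in the console: excluded by the userAgent filter
        "eventName": "UpdateLoginProfile",
        "userAgent": "console.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {"userName": "carol"},
    },
    {   # denied call: excluded because the call did not succeed
        "eventName": "UpdateLoginProfile",
        "userAgent": "aws-sdk-go/1.44.0",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {"userName": "carol"},
        "errorCode": "AccessDenied",
    },
    {   # substring pitfall: match("bobby", "bob") is true in SPL, so the
        # original searches silently drop this cross-user change
        "eventName": "UpdateLoginProfile",
        "userAgent": "aws-cli/2.15.0 Python/3.11.4",
        "userIdentity": {"type": "IAMUser", "userName": "bobby"},
        "requestParameters": {"userName": "bob"},
    },
]

WATCHED_CALLS = {"CreateAccessKey", "UpdateLoginProfile"}


def is_cross_user_change(event, exact=True):
    """True when a watched IAM call changed the credentials of a user other
    than the caller.  exact=False mimics the SPL match() test, where the
    target name is used as a regex and any substring hit means "same user"."""
    if event.get("eventName") not in WATCHED_CALLS:
        return False
    if event.get("userAgent") == "console.amazonaws.com":
        return False
    if event.get("errorCode") not in (None, "success"):
        return False
    actor = event.get("userIdentity", {}).get("userName")
    target = event.get("requestParameters", {}).get("userName")
    if actor is None or target is None:
        # A role session carries no userIdentity.userName. This example keeps
        # such records for review instead of dropping them (a design choice
        # here, not something the searches above specify).
        return True
    if exact:
        return actor != target
    return re.search(target, actor) is None


def cross_user_changes(events, exact=True):
    """(actor, target, eventName) for every record that passes the check."""
    return [
        (e.get("userIdentity", {}).get("userName"),
         e.get("requestParameters", {}).get("userName"),
         e["eventName"])
        for e in events if is_cross_user_change(e, exact)
    ]


if __name__ == "__main__":
    for actor, target, call in cross_user_changes(SAMPLE_EVENTS):
        print("cross-user %s: %s -> %s" % (call, actor, target))
```

Running it on the sample records yields two hits with the exact comparison (`alice -> bob`, `bobby -> bob`) and only one in SPL-compatible mode, which is the false negative a tuned version of these searches should close.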

Detect New Open S3 buckets

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket.

Detection logic

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl 
| rex field=_raw "(?<json_field>{.+})" 
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} 
| search grantees=* 
| mvexpand grantees 
| spath input=grantees output=uri path=Grantee.URI 
| spath input=grantees output=permission path=Permission 
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") 
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") 
| rename requestParameters.bucketName AS bucketName 
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_filter` 

Detect New Open S3 Buckets over AWS CLI

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the AWS CLI.

Detection logic

`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") 
| rename requestParameters.bucketName AS bucketName 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_over_aws_cli_filter` 
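
Both S3 searches above look for the same thing in two request shapes: a PutBucketAcl whose grants hand a risky permission to the global AllUsers or AuthenticatedUsers group, once as an `AccessControlPolicy` body (SDK/console) and once as `x-amz-grant-*` headers (AWS CLI). The following is an added Python example that evaluates one record of either shape; it is not code from this page or from the detection-content project the searches come from, and the bucket names, canonical user ID and records are constructed. It also tolerates `Grant` arriving as a single object rather than a list, which the `Grant{}` path in the first search assumes.

```python
# Grantee URIs that open a bucket to everyone or to any AWS account.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
RISKY_PERMISSIONS = {"READ", "READ_ACP", "WRITE", "WRITE_ACP", "FULL_CONTROL"}

# CLI-style header name -> permission it grants.
HEADER_GRANTS = {
    "x-amz-grant-read": "READ",
    "x-amz-grant-read-acp": "READ_ACP",
    "x-amz-grant-write": "WRITE",
    "x-amz-grant-write-acp": "WRITE_ACP",
    "x-amz-grant-full-control": "FULL_CONTROL",
}

# Constructed CloudTrail records (not real data).
SAMPLE_EVENTS = [
    {   # SDK/console form: full ACL in the request body, one public grant
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "requestParameters": {
            "bucketName": "example-bucket",
            "AccessControlPolicy": {"AccessControlList": {"Grant": [
                {"Grantee": {"type": "CanonicalUser", "ID": "0123abcd"},
                 "Permission": "FULL_CONTROL"},
                {"Grantee": {"type": "Group",
                             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                 "Permission": "READ"},
            ]}},
        },
    },
    {   # CLI form: grants carried as x-amz-grant-* headers
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "userAgent": "[aws-cli/2.15.0 Python/3.11.4]",
        "requestParameters": {
            "bucketName": "example-bucket-2",
            "accessControlList": {
                "x-amz-grant-write":
                    "uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
            },
        },
    },
    {   # benign: single Grant object, to the S3 log-delivery group only
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "requestParameters": {
            "bucketName": "example-logs",
            "AccessControlPolicy": {"AccessControlList": {"Grant":
                {"Grantee": {"type": "Group",
                             "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
                 "Permission": "WRITE"}}},
        },
    },
]


def _as_list(value):
    """CloudTrail may emit a single Grant object instead of a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_grants(event):
    """(bucket, grantee_uri, permission) for every risky global grant in a
    PutBucketAcl record, whichever request shape the call used."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return []
    if event.get("eventName") != "PutBucketAcl":
        return []
    params = event.get("requestParameters", {})
    bucket = params.get("bucketName")
    hits = []

    # Shape 1: AccessControlPolicy body with explicit Grant entries.
    acl = params.get("AccessControlPolicy", {}).get("AccessControlList", {})
    for grant in _as_list(acl.get("Grant")):
        uri = grant.get("Grantee", {}).get("URI")
        perm = grant.get("Permission")
        if uri in PUBLIC_GRANTEE_URIS and perm in RISKY_PERMISSIONS:
            hits.append((bucket, uri, perm))

    # Shape 2: x-amz-grant-* headers, values like "uri=<group uri>, id=<id>".
    for header, perm in HEADER_GRANTS.items():
        value = params.get("accessControlList", {}).get(header, "")
        for piece in value.split(","):
            piece = piece.strip()
            if piece.startswith("uri=") and piece[4:] in PUBLIC_GRANTEE_URIS:
                hits.append((bucket, piece[4:], perm))
    return hits


def scan(events):
    return [hit for event in events for hit in public_grants(event)]


if __name__ == "__main__":
    for bucket, uri, perm in scan(SAMPLE_EVENTS):
        print("%s grants %s to %s" % (bucket, perm, uri))
```

The first two sample records produce one finding each; the log-delivery grant is not reported because that group URI is not in the global set, which mirrors the URI allow-list in the searches.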

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*
|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

Sample rules

AWS CreateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip

Detection logic

`cloudtrail` eventName = CreateLoginProfile 
| rename requestParameters.userName as new_login_profile 
| table src_ip eventName new_login_profile userIdentity.userName  
| join new_login_profile src_ip [
| search `cloudtrail` eventName = ConsoleLogin 
| rename userIdentity.userName  as new_login_profile 
| stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`] 
| `aws_createloginprofile_filter`

ASL AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteLogGroup 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Defense Evasion Delete CloudWatch Log Group

Description

This analytic identifies AWS DeleteLogGroup events in CloudTrail logs. Attackers may evade the logging capability by deleting the log group in CloudWatch. This will stop sending the logs and metrics to CloudWatch. When the adversary has the right type of permissions within the compromised AWS environment, they may delete the CloudWatch log group that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudwatch_log_group_filter`

AWS Create Policy Version to allow all resources

Description

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. A widely open AWS IAM policy, especially in the context of creating a new policy version with the CreatePolicyVersion action, typically grants extensive permissions across a broad range of resources. Such policies are considered risky because they can provide more permissions than necessary, violating the principle of least privilege.

Detection logic

`cloudtrail` eventName=CreatePolicyVersion  eventSource = iam.amazonaws.com errorCode = success 
| spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=effect path=Effect 
| search  effect=Allow 
| regex key_policy_action_1="^(\*|[\w-]+:\*)$" 
| stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion user user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`aws_create_policy_version_to_allow_all_resources_filter`
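The same wildcard check carried out in Python over a constructed CloudTrail record, added here as an example and not part of the Splunk rule above; the event, user name and policy ARN are made up, and a missing errorCode is treated as success because raw CloudTrail omits the field on successful calls.

```python
import json
import re

# Same pattern as the rule's regex: a bare "*" or "<service>:*" such as "iam:*".
# It deliberately does not match partial wildcards like "s3:Get*", so neither does the rule.
WILDCARD_ACTION = re.compile(r"^(\*|[\w-]+:\*)$")


def _as_list(value):
    """IAM lets Statement and Action be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_allow_statements(event):
    """Return the Allow statements of a successful IAM CreatePolicyVersion event whose
    Action contains a full wildcard. Any other event yields an empty list."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return []
    if event.get("eventName") != "CreatePolicyVersion":
        return []
    # Raw CloudTrail omits errorCode on success; the Splunk add-on maps that to "success".
    if event.get("errorCode") not in (None, "success"):
        return []
    doc = (event.get("requestParameters") or {}).get("policyDocument")
    if not doc:
        return []
    # CloudTrail logs the submitted policy as a JSON string; the rule hands it to spath,
    # json.loads does the same job here.
    if isinstance(doc, str):
        try:
            doc = json.loads(doc)
        except json.JSONDecodeError:
            return []
    flagged = []
    for stmt in _as_list(doc.get("Statement")):
        if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
            continue
        if any(WILDCARD_ACTION.match(a) for a in _as_list(stmt.get("Action"))):
            flagged.append(stmt)
    return flagged


# Constructed CloudTrail record for this example (account id is the AWS documentation placeholder).
SAMPLE_EVENT = {
    "eventSource": "iam.amazonaws.com",
    "eventName": "CreatePolicyVersion",
    "awsRegion": "us-east-1",
    "userIdentity": {"type": "IAMUser", "userName": "example-user"},
    "requestParameters": {
        "policyArn": "arn:aws:iam::123456789012:policy/example-policy",
        "setAsDefault": True,
        "policyDocument": json.dumps({
            "Version": "2012-10-17",
            "Statement": [
                {"Effect": "Allow", "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::example-bucket/*"},
                {"Effect": "Allow", "Action": ["iam:*", "sts:AssumeRole"], "Resource": "*"},
                {"Effect": "Deny", "Action": "*", "Resource": "*"},
            ],
        }),
    },
}

if __name__ == "__main__":
    # Only the "iam:*" statement is reported; the Deny "*" and the scoped s3 action are not.
    for stmt in wildcard_allow_statements(SAMPLE_EVENT):
        print("wildcard Allow statement:", json.dumps(stmt))
```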

ASL AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`amazon_security_lake` api.operation=CreateAccessKey http_request.user_agent!=console.amazonaws.com api.response.error=null 
| rename unmapped{}.key as unmapped_key , unmapped{}.value as unmapped_value 
| eval keyjoin=mvzip(unmapped_key,unmapped_value) 
| mvexpand keyjoin 
| rex field=keyjoin "^(?<key>[^,]+),(?<value>.*)$" 
| eval {key} = value 
| search responseElements.accessKey.userName = * 
| rename identity.user.name as identity_user_name, responseElements.accessKey.userName as responseElements_accessKey_userName 
| eval match=if(identity_user_name=responseElements_accessKey_userName,1,0) 
| search match=0 
| rename identity_user_name as identity.user.name , responseElements_accessKey_userName as responseElements.accessKey.userName 
| stats count min(_time) as firstTime max(_time) as lastTime by responseElements.accessKey.userName api.operation api.service.name identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`asl_aws_createaccesskey_filter`

AWS UpdateLoginProfile

Description

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the original victim (user A).

Detection logic

`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.userName user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_updateloginprofile_filter`

AWS CreateAccessKey

Description

This detection rule monitors for the creation of AWS Identity and Access Management (IAM) access keys. An IAM access key consists of an access key ID and secret access key, which are used to sign programmatic requests to AWS services. While IAM access keys can be legitimately used by developers and administrators for API access, their creation can also be indicative of malicious activity. Attackers who have gained unauthorized access to an AWS environment might create access keys as a means to establish persistence or to exfiltrate data through the APIs. Moreover, because access keys can be used to authenticate with AWS services without the need for further interaction, they can be particularly appealing for bad actors looking to operate under the radar. Consequently, it’s important to vigilantly monitor and scrutinize access key creation events, especially if they are associated with unusual activity or are created by users who don’t typically perform these actions. This hunting query identifies when a potentially compromised user creates an IAM access key for another user who may have higher privileges, which can be a sign of privilege escalation. Hunting queries are designed to be executed manually during threat hunting.

Detection logic

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success 
| eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) 
| search match=0 
| stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|`aws_createaccesskey_filter`

Detect New Open S3 buckets

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket.

Detection logic

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl 
| rex field=_raw "(?<json_field>{.+})" 
| spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} 
| search grantees=* 
| mvexpand grantees 
| spath input=grantees output=uri path=Grantee.URI 
| spath input=grantees output=permission path=Permission 
| search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") 
| search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") 
| rename requestParameters.bucketName AS bucketName 
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission bucketName 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_filter` 

Detect New Open S3 Buckets over AWS CLI

Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the AWS CLI.

Detection logic

`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") 
| rename requestParameters.bucketName AS bucketName 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_over_aws_cli_filter` 
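An added Python check, not code from either search above, that evaluates a PutBucketAcl record for grants to the AllUsers or AuthenticatedUsers groups in both request shapes the two searches look at: a full AccessControlPolicy body (first search) and x-amz-grant-* headers as sent by the AWS CLI (second search). Both sample events are constructed, and the header value format is an assumption based on the trailing wildcard the second search uses to match it.

```python
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# All five S3 ACL permissions, as in the first search: any grant to a public group counts.
ACL_PERMISSIONS = {"READ", "READ_ACP", "WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Grant headers (the CLI form of the same grants) and the permission each one confers.
GRANT_HEADERS = {
    "x-amz-grant-read": "READ",
    "x-amz-grant-read-acp": "READ_ACP",
    "x-amz-grant-write": "WRITE",
    "x-amz-grant-write-acp": "WRITE_ACP",
    "x-amz-grant-full-control": "FULL_CONTROL",
}


def _as_list(value):
    """CloudTrail logs a single grant as an object and several as a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_grants(event):
    """Return (bucket, grantee_uri, permission) for each grant in a PutBucketAcl event
    that targets a public group. Any other event yields an empty list."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return []
    if event.get("eventName") != "PutBucketAcl":
        return []
    params = event.get("requestParameters") or {}
    bucket = params.get("bucketName")
    hits = []

    # Form 1: full AccessControlPolicy in the request body (console / SDK calls).
    acl = (params.get("AccessControlPolicy") or {}).get("AccessControlList") or {}
    for grant in _as_list(acl.get("Grant")):
        uri = (grant.get("Grantee") or {}).get("URI")
        perm = grant.get("Permission")
        if uri in PUBLIC_GROUP_URIS and perm in ACL_PERMISSIONS:
            hits.append((bucket, uri, perm))

    # Form 2: x-amz-grant-* headers, logged under requestParameters.accessControlList.
    # Assumed value format: 'uri="http://acs.amazonaws.com/groups/global/AllUsers"';
    # the search matches it with a trailing wildcard, here by substring on the group URI.
    headers = params.get("accessControlList") or {}
    for header, perm in GRANT_HEADERS.items():
        for value in _as_list(headers.get(header)):
            for uri in PUBLIC_GROUP_URIS:
                if uri in str(value):
                    hits.append((bucket, uri, perm))
    return hits


# Constructed sample events for this example.
BODY_EVENT = {
    "eventSource": "s3.amazonaws.com",
    "eventName": "PutBucketAcl",
    "userAgent": "[aws-sdk-go/1.44.0]",
    "requestParameters": {
        "bucketName": "example-bucket",
        "AccessControlPolicy": {
            "AccessControlList": {
                "Grant": [
                    {"Grantee": {"xsi:type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
                     "Permission": "FULL_CONTROL"},
                    {"Grantee": {"xsi:type": "Group",
                                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                     "Permission": "READ"},
                ]
            }
        },
    },
}

CLI_EVENT = {
    "eventSource": "s3.amazonaws.com",
    "eventName": "PutBucketAcl",
    "userAgent": "[aws-cli/2.15.0 Python/3.11.6 Linux/6.1.0 exe/x86_64]",
    "requestParameters": {
        "bucketName": "example-bucket",
        "accessControlList": {
            "x-amz-grant-write": 'uri="http://acs.amazonaws.com/groups/global/AuthenticatedUsers"',
        },
    },
}

if __name__ == "__main__":
    for event in (BODY_EVENT, CLI_EVENT):
        for bucket, uri, perm in public_grants(event):
            print(f"{bucket}: {perm} granted to {uri}")
```

As written, the CLI search's filter is an OR chain, so any aws-cli PutBucketAcl call matches regardless of its grants; the check here requires both the event name and a public-group grant.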

ASL AWS Defense Evasion Delete Cloudtrail

Description

This analytic identifies AWS DeleteTrail events within CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.

Detection logic

`amazon_security_lake` api.operation=DeleteTrail 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_defense_evasion_delete_cloudtrail_filter`

AWS Defense Evasion Stop Logging Cloudtrail

Description

This analytic identifies StopLogging events in CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may easily stop logging.

Detection logic

`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `aws_defense_evasion_stop_logging_cloudtrail_filter`

AWS Defense Evasion Delete Cloudtrail

Description

This analytic identifies AWS DeleteTrail events within CloudTrail logs. Adversaries often try to impair their target’s defenses by stopping their malicious activity from being logged, so that they may operate with stealth and avoid detection. When the adversary has the right type of permissions in the compromised AWS environment, they may delete the entire CloudTrail trail that is logging activities in the environment.

Detection logic

`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_delete_cloudtrail_filter`

AWS Lambda UpdateFunctionCode

Description

This analytic is designed to detect IAM users attempting to update/modify AWS Lambda code via the AWS CLI to gain persistence, further access into your AWS environment, and to facilitate planting backdoors. In this instance, an attacker may upload malicious code or a binary to a Lambda function, which will be executed automatically when the function is triggered.

Detection logic

`cloudtrail` eventSource=lambda.amazonaws.com eventName=UpdateFunctionCode*  errorCode = success  user_type=IAMUser 
| stats  count min(_time) as firstTime max(_time) as lastTime  values(requestParameters.functionName) as function_updated by src_ip user_arn user_agent user_type eventName aws_account_id 
|`aws_lambda_updatefunctioncode_filter`

AWS Defense Evasion Update Cloudtrail

Description

This analytic identifies UpdateTrail events in CloudTrail logs. Attackers may evade the logging capability by updating the trail's settings and impairing them with wrong parameters. For example, attackers may change a multi-region trail into a single-region trail, which evades logging for the other regions. When the adversary has the right type of permissions in the compromised AWS environment, they may update the settings of the CloudTrail trail that is logging activities in your environment.

Detection logic

`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name by src region eventName userAgent user_arn aws_account_id 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_defense_evasion_update_cloudtrail_filter`
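The two CloudTrail tampering searches above (DeleteTrail and UpdateTrail) share one shape: filter on source, event name, a non-console user agent and a successful call, then aggregate per principal and source. The following added example (not Splunk's or the security_content project's code) replays that logic over constructed raw CloudTrail records; the account id, ARN, IP and trail names are placeholders, and the SPL `errorCode = success` test is mapped onto the absence of `errorCode` in the raw record.

```python
"""Replay of the DeleteTrail / UpdateTrail detections above over raw CloudTrail
records (added example, not Splunk's own code). CloudTrail reports success by
omitting errorCode, which is what the SPL test `errorCode = success` maps onto."""

WATCHED_EVENTS = {"DeleteTrail", "UpdateTrail"}
CONSOLE_AGENT = "console.amazonaws.com"

def _record(event, trail, when, user_agent="aws-cli/2.13.0", error_code=None, **params):
    """Constructed CloudTrail record; account id, ARN and IP are placeholders."""
    rec = {"eventTime": when, "eventSource": "cloudtrail.amazonaws.com", "eventName": event,
           "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7", "userAgent": user_agent,
           "recipientAccountId": "111111111111",
           "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops-user"},
           "requestParameters": {"name": trail, **params}}
    if error_code:  # a denied call carries errorCode; a successful one omits it
        rec["errorCode"] = error_code
    return rec

SAMPLE_RECORDS = [
    _record("DeleteTrail", "org-trail", "2024-01-01T10:00:00Z"),
    # Same principal narrows a multi-region trail to one region seconds later.
    _record("UpdateTrail", "audit-trail", "2024-01-01T10:00:05Z", isMultiRegionTrail=False),
    # Console-driven change: excluded by the userAgent test, as in the SPL.
    _record("UpdateTrail", "audit-trail", "2024-01-01T10:01:00Z", user_agent=CONSOLE_AGENT),
    # Denied attempt: errorCode present, so not a success.
    _record("DeleteTrail", "org-trail", "2024-01-01T10:02:00Z", error_code="AccessDenied"),
]

def is_trail_tampering(rec):
    """The SPL search clause: CloudTrail source, watched event, non-console agent, success."""
    return (rec.get("eventSource") == "cloudtrail.amazonaws.com"
            and rec.get("eventName") in WATCHED_EVENTS
            and rec.get("userAgent") != CONSOLE_AGENT
            and "errorCode" not in rec)

def aggregate(records):
    """The SPL stats clause, keyed by (src, region, eventName, userAgent, user_arn, account)."""
    groups = {}
    for rec in filter(is_trail_tampering, records):
        key = (rec["sourceIPAddress"], rec["awsRegion"], rec["eventName"], rec["userAgent"],
               rec["userIdentity"]["arn"], rec["recipientAccountId"])
        g = groups.setdefault(key, {"count": 0, "firstTime": rec["eventTime"],
                                    "lastTime": rec["eventTime"], "trail_names": set()})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], rec["eventTime"])  # ISO-8601 sorts lexically
        g["lastTime"] = max(g["lastTime"], rec["eventTime"])
        g["trail_names"].add(rec["requestParameters"]["name"])
    return groups
```

Running `aggregate(SAMPLE_RECORDS)` yields two groups (one per event name) for the CLI-driven principal, while the console change and the denied delete are dropped exactly as the SPL filter drops them.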

AWS Password Policy Changes

Description

This search looks for AWS CloudTrail events where a user is making successful API calls to view, update or delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious: adversaries often use this information to gain a better understanding of the password defenses in place and exploit them to increase their attack surface once a user account is compromised.

Detection logic

`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success 
| stats count values(eventName) as eventName values(userAgent) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode  awsRegion userIdentity.principalId user_arn src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`  
| `aws_password_policy_changes_filter`

ASL AWS Password Policy Changes

Description

This search looks for AWS CloudTrail events from Amazon Security Lake where a user is making successful API calls to view, update or delete the existing password policy in an AWS organization. It is unlikely for a regular user to conduct this operation. These events may potentially be malicious: adversaries often use this information to gain a better understanding of the password defenses in place and exploit them to increase their attack surface once a user account is compromised.

Detection logic

`amazon_security_lake` "api.service.name"="iam.amazonaws.com" "api.operation" IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") "api.response.error"=null 
| stats count min(_time) as firstTime max(_time) as lastTime by identity.user.account_uid identity.user.credential_uid identity.user.name identity.user.type identity.user.uid identity.user.uuid http_request.user_agent src_endpoint.ip cloud.region 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `asl_aws_password_policy_changes_filter`

AWS SetDefaultPolicyVersion

Description

This search looks for AWS CloudTrail events where a user has set a default policy version. Attackers have been known to use this technique for privilege escalation when a previous version of the policy had permissions to access more resources than the current version of the policy.

Detection logic

`cloudtrail` eventName=SetDefaultPolicyVersion eventSource = iam.amazonaws.com 
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) as policy_arn by src requestParameters.versionId eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_setdefaultpolicyversion_filter`