Techniques
Sample rules
AWS Excessive Security Scanning
- source: splunk
- techniques:
  - T1526
Description
This search looks at AWS CloudTrail events and counts the number of distinct eventName values beginning with Describe that a single user has issued. A high count indicates that this user is scanning the configuration of your AWS cloud environment.
Detection logic
`cloudtrail` eventName=Describe* OR eventName=List* OR eventName=Get*
| stats dc(eventName) as dc_events min(_time) as firstTime max(_time) as lastTime values(eventName) as command values(src) as src values(userAgent) as userAgent by user userIdentity.arn
| where dc_events > 50
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_excessive_security_scanning_filter`
ASL AWS Excessive Security Scanning
- source: splunk
- techniques:
  - T1526
Description
This search looks at AWS CloudTrail events and counts the number of distinct eventName values beginning with Describe that a single user has issued. A high count indicates that this user is scanning the configuration of your AWS cloud environment.
Detection logic
`amazon_security_lake` api.operation=Describe* OR api.operation=List* OR api.operation=Get*
| stats dc(api.operation) as dc_api_operations min(_time) as firstTime max(_time) as lastTime values(http_request.user_agent) as http_request.user_agent values(src_endpoint.ip) as src_endpoint.ip values(cloud.region) as cloud.region values(identity.user.account_uid) as identity.user.account_uid by identity.user.name
| where dc_api_operations > 50
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_excessive_security_scanning_filter`
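Both searches above apply one rule to two schemas: per principal, count the distinct read-only API operations (names starting with Describe, List or Get) and alert when that count exceeds 50. As an added example that is not part of the page's rules or of the Splunk security content project, the following Python re-implements that logic over in-memory records so the threshold behaviour can be checked without Splunk. It shows why a principal polling one API hundreds of times does not fire (dc counts distinct names) while one touching 51 different read-only APIs does. The field paths mirror the two searches (CloudTrail: eventName and userIdentity.arn; Security Lake OCSF: api.operation and identity.user.name); the principals, IP addresses and operation names are constructed samples.

```python
"""Added example: the AWS Excessive Security Scanning logic in Python.
Field paths mirror the page's two Splunk searches; all events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

READ_ONLY_PREFIXES = ("Describe", "List", "Get")  # eventName=Describe* OR List* OR Get*
THRESHOLD = 50                                    # where dc_events > 50

# Field paths per source (assumption: the Security Lake records use the OCSF
# paths named in the ASL search on this page).
SCHEMAS = {
    "cloudtrail": {"op": "eventName", "principal": "userIdentity.arn",
                   "time": "eventTime", "src": "sourceIPAddress", "ua": "userAgent"},
    "asl": {"op": "api.operation", "principal": "identity.user.name",
            "time": "time", "src": "src_endpoint.ip", "ua": "http_request.user_agent"},
}


def _get(rec, path):
    """Resolve a dotted path such as 'identity.user.name' in a nested dict."""
    for part in path.split("."):
        if not isinstance(rec, dict) or part not in rec:
            return None
        rec = rec[part]
    return rec


def _to_epoch(value):
    """CloudTrail eventTime is ISO-8601 text; OCSF 'time' is epoch milliseconds."""
    if isinstance(value, str):
        return datetime.fromisoformat(value.replace("Z", "+00:00")).timestamp()
    return value / 1000.0


def detect_excessive_scanning(records, schema, threshold=THRESHOLD):
    """SPL equivalent: filter read-only ops, stats dc(op) ... by principal, where dc > threshold.
    Returns one finding per offending principal."""
    f = SCHEMAS[schema]
    agg = defaultdict(lambda: {"ops": set(), "src": set(), "ua": set(), "times": []})
    for rec in records:
        op = _get(rec, f["op"])
        if not isinstance(op, str) or not op.startswith(READ_ONLY_PREFIXES):
            continue                      # not matched by the base search
        a = agg[_get(rec, f["principal"])]
        a["ops"].add(op)                  # a set gives the distinct count that dc() computes
        a["src"].add(_get(rec, f["src"]))
        a["ua"].add(_get(rec, f["ua"]))
        a["times"].append(_to_epoch(_get(rec, f["time"])))
    findings = []
    for principal, a in agg.items():
        if len(a["ops"]) > threshold:
            findings.append({"principal": principal, "dc_events": len(a["ops"]),
                             "firstTime": min(a["times"]), "lastTime": max(a["times"]),
                             "src": sorted(a["src"]), "userAgent": sorted(a["ua"]),
                             "command": sorted(a["ops"])})
    return findings


def _iso(t0, seconds):
    return (t0 + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")


def sample_cloudtrail():
    """Constructed CloudTrail-style events for three principals (not real logs)."""
    t0 = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    events = []
    # recon-user: 60 distinct Describe/List/Get calls within a minute -> exceeds the threshold
    for i in range(60):
        events.append({"eventTime": _iso(t0, i), "eventName": f"{READ_ONLY_PREFIXES[i % 3]}Resource{i}",
                       "userIdentity": {"arn": "arn:aws:iam::123456789012:user/recon-user"},
                       "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.x"})
    # ops-user: DescribeInstances polled 200 times -> dc_events stays 1, no alert
    for i in range(200):
        events.append({"eventTime": _iso(t0, i), "eventName": "DescribeInstances",
                       "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-user"},
                       "sourceIPAddress": "203.0.113.5", "userAgent": "aws-sdk-go/1.x"})
    # deploy role: 80 distinct write calls -> never matches the read-only prefixes
    for i in range(80):
        events.append({"eventTime": _iso(t0, i), "eventName": f"CreateResource{i}",
                       "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci"},
                       "sourceIPAddress": "203.0.113.9", "userAgent": "terraform/1.x"})
    return events


def sample_asl():
    """Constructed Security Lake (OCSF) records: one principal with 51 distinct List calls."""
    t0 = int(datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc).timestamp() * 1000)
    return [{"time": t0 + i * 1000, "api": {"operation": f"ListThing{i}"},
             "identity": {"user": {"name": "scanner"}},
             "src_endpoint": {"ip": "198.51.100.7"},
             "http_request": {"user_agent": "python-requests/2.x"}}
            for i in range(51)]


if __name__ == "__main__":
    for schema, recs in (("cloudtrail", sample_cloudtrail()), ("asl", sample_asl())):
        for hit in detect_excessive_scanning(recs, schema):
            print(schema, hit["principal"], "dc_events =", hit["dc_events"])
```

Running the script reports only recon-user and scanner; the polling ops-user and the write-heavy deploy role never reach the threshold, which is the same outcome the `where dc_events > 50` clause produces in Splunk. Tuning the rule therefore means adjusting THRESHOLD (or adding principals to the filter macro), not the prefix list.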