|
Detect Web Access to Decommissioned S3 Bucket
|
AWS Cloudfront
|
T1485
|
Anomaly
|
Data Destruction, AWS S3 Bucket Security Monitoring
|
2026-05-13
|
|
AWS Defense Evasion Impair Security Services
|
AWS CloudTrail DeleteIPSet, AWS CloudTrail DeleteRuleGroup, AWS CloudTrail DeleteAlarms, AWS CloudTrail DeleteWebACL, AWS CloudTrail DeleteLogStream, AWS CloudTrail DeleteDetector, AWS CloudTrail DeleteLoggingConfiguration, AWS CloudTrail DeleteRule
|
T1685.002
|
TTP
|
AWS Defense Evasion
|
2026-05-13
|
|
ASL AWS IAM Successful Group Deletion
|
ASL AWS CloudTrail
|
T1069.003
T1098
|
Hunting
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
AWS SAML Update identity provider
|
AWS CloudTrail UpdateSAMLProvider
|
T1078
|
TTP
|
Cloud Federated Credential Abuse
|
2026-05-13
|
|
ASL AWS IAM AccessDenied Discovery Events
|
ASL AWS CloudTrail
|
T1580
|
Anomaly
|
Suspicious Cloud User Activities
|
2026-05-13
|
|
ASL AWS Disable Bucket Versioning
|
ASL AWS CloudTrail
|
T1490
|
Anomaly
|
Data Exfiltration, Suspicious AWS S3 Activities
|
2026-05-13
|
|
ASL AWS ECR Container Upload Unknown User
|
ASL AWS CloudTrail
|
T1204.003
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
AWS Multiple Failed MFA Requests For User
|
AWS CloudTrail ConsoleLogin
|
T1586.003
T1621
|
Anomaly
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
AWS Network Access Control List Created with All Open Ports
|
AWS CloudTrail CreateNetworkAclEntry, AWS CloudTrail ReplaceNetworkAclEntry
|
T1686.001
|
TTP
|
AWS Network ACL Activity
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen IP Address
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
Detect AWS Console Login by New User
|
AWS CloudTrail
|
T1552
T1586.003
|
Hunting
|
Suspicious Cloud Authentication Activities, AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
ASL AWS New MFA Method Registered For User
|
ASL AWS CloudTrail
|
T1556.006
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
AWS Excessive Security Scanning
|
AWS CloudTrail
|
T1526
|
TTP
|
AWS User Monitoring
|
2026-05-13
|
|
AWS ECR Container Upload Outside Business Hours
|
AWS CloudTrail PutImage
|
T1204.003
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
ASL AWS ECR Container Upload Outside Business Hours
|
ASL AWS CloudTrail
|
T1204.003
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
AWS Exfiltration via Bucket Replication
|
AWS CloudTrail PutBucketReplication
|
T1537
|
TTP
|
Data Exfiltration, Suspicious AWS S3 Activities
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen City
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
Detect Spike in AWS Security Hub Alerts for User
|
AWS Security Hub
|
N/A
|
Anomaly
|
AWS Security Hub Alerts, Critical Alerts
|
2026-05-13
|
|
ASL AWS Defense Evasion Delete CloudWatch Log Group
|
ASL AWS CloudTrail
|
T1685.002
|
TTP
|
AWS Defense Evasion
|
2026-05-13
|
|
ASL AWS UpdateLoginProfile
|
ASL AWS CloudTrail
|
T1136.003
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
AWS Console Login Failed During MFA Challenge
|
AWS CloudTrail ConsoleLogin
|
T1586.003
T1621
|
TTP
|
Compromised User Account, AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
AWS Lambda UpdateFunctionCode
|
AWS CloudTrail
|
T1204
|
Hunting
|
Suspicious Cloud User Activities
|
2026-05-13
|
|
ASL AWS Detect Users creating keys with encrypt policy without MFA
|
ASL AWS CloudTrail
|
T1486
|
TTP
|
Ransomware Cloud
|
2026-05-13
|
|
Detect Spike in AWS Security Hub Alerts for EC2 Instance
|
AWS Security Hub
|
N/A
|
Anomaly
|
AWS Security Hub Alerts, Critical Alerts
|
2026-05-13
|
|
AWS Concurrent Sessions From Different Ips
|
AWS CloudTrail DescribeEventAggregates
|
T1185
|
TTP
|
Scattered Lapsus$ Hunters, Compromised User Account, AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
AWS ECR Container Scanning Findings Low Informational Unknown
|
AWS CloudTrail DescribeImageScanFindings
|
T1204.003
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
AWS Credential Access Failed Login
|
AWS CloudTrail ConsoleLogin
|
T1110.001
T1586.003
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
AWS Exfiltration via EC2 Snapshot
|
AWS CloudTrail DescribeSnapshotAttribute, AWS CloudTrail DeleteSnapshot, AWS CloudTrail ModifySnapshotAttribute, AWS CloudTrail CreateSnapshot
|
T1537
|
TTP
|
Data Exfiltration, Suspicious Cloud Instance Activities
|
2026-05-13
|
|
AWS IAM AccessDenied Discovery Events
|
AWS CloudTrail
|
T1580
|
Anomaly
|
Suspicious Cloud User Activities
|
2026-05-13
|
|
Detect Spike in blocked Outbound Traffic from your AWS
|
|
N/A
|
Anomaly
|
Command And Control, Suspicious AWS Traffic, AWS Network ACL Activity
|
2026-05-13
|
|
AWS Bedrock Delete Model Invocation Logging Configuration
|
AWS CloudTrail DeleteModelInvocationLoggingConfiguration
|
T1685.002
|
TTP
|
AWS Bedrock Security
|
2026-05-13
|
|
Cloud Compute Instance Created By Previously Unseen User
|
AWS CloudTrail
|
T1078.004
|
Anomaly
|
Cloud Cryptomining
|
2026-05-13
|
|
ASL AWS Multi-Factor Authentication Disabled
|
ASL AWS CloudTrail
|
T1556.006
T1586.003
T1621
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
AWS Defense Evasion Update Cloudtrail
|
AWS CloudTrail UpdateTrail
|
T1685.002
|
TTP
|
AWS Defense Evasion
|
2026-05-13
|
|
AWS IAM Assume Role Policy Brute Force
|
AWS CloudTrail
|
T1110
T1580
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
AWS Network Access Control List Deleted
|
AWS CloudTrail DeleteNetworkAclEntry
|
T1686.001
|
Anomaly
|
AWS Network ACL Activity
|
2026-05-13
|
|
ASL AWS Create Access Key
|
ASL AWS CloudTrail
|
T1136.003
|
Hunting
|
AWS IAM Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
AWS ECR Container Scanning Findings Medium
|
AWS CloudTrail DescribeImageScanFindings
|
T1204.003
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
AWS Successful Single-Factor Authentication
|
AWS CloudTrail ConsoleLogin
|
T1078.004
T1586.003
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
AWS CreateLoginProfile
|
AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateLoginProfile
|
T1136.003
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
AWS Bedrock Delete Knowledge Base
|
AWS CloudTrail DeleteKnowledgeBase
|
T1485
|
TTP
|
AWS Bedrock Security
|
2026-05-13
|
|
AWS Exfiltration via Anomalous GetObject API Activity
|
AWS CloudTrail GetObject
|
T1119
|
Anomaly
|
Data Exfiltration
|
2026-05-13
|
|
AWS Credential Access RDS Password reset
|
AWS CloudTrail ModifyDBInstance
|
T1110
T1586.003
|
TTP
|
Scattered Lapsus$ Hunters, AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
ASL AWS Network Access Control List Created with All Open Ports
|
ASL AWS CloudTrail
|
T1686.001
|
TTP
|
AWS Network ACL Activity
|
2026-05-13
|
|
AWS Detect Users with KMS keys performing encryption S3
|
AWS CloudTrail
|
T1486
|
Anomaly
|
Ransomware Cloud
|
2026-05-13
|
|
ASL AWS Defense Evasion Update Cloudtrail
|
ASL AWS CloudTrail
|
T1685.002
|
TTP
|
AWS Defense Evasion
|
2026-05-13
|
|
AWS EC2 Snapshot Shared Externally
|
AWS CloudTrail ModifySnapshotAttribute
|
T1537
|
TTP
|
Data Exfiltration, Suspicious Cloud Instance Activities
|
2026-05-13
|
|
AWS Disable Bucket Versioning
|
AWS CloudTrail PutBucketVersioning
|
T1490
|
Anomaly
|
Data Exfiltration, Suspicious AWS S3 Activities
|
2026-05-13
|
|
AWS Defense Evasion Delete CloudWatch Log Group
|
AWS CloudTrail DeleteLogGroup
|
T1685.002
|
TTP
|
AWS Defense Evasion
|
2026-05-13
|
|
Detect New Open S3 buckets
|
AWS CloudTrail
|
T1530
|
TTP
|
Suspicious AWS S3 Activities
|
2026-05-13
|
|
AWS Credential Access GetPasswordData
|
AWS CloudTrail GetPasswordData
|
T1110.001
T1586.003
|
Anomaly
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
ASL AWS Defense Evasion Stop Logging Cloudtrail
|
ASL AWS CloudTrail
|
T1685.002
|
TTP
|
AWS Defense Evasion
|
2026-05-13
|
|
ASL AWS Concurrent Sessions From Different Ips
|
ASL AWS CloudTrail
|
T1185
|
Anomaly
|
Scattered Lapsus$ Hunters, Compromised User Account, AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
AWS SetDefaultPolicyVersion
|
AWS CloudTrail SetDefaultPolicyVersion
|
T1078.004
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
AWS Detect Users creating keys with encrypt policy without MFA
|
AWS CloudTrail CreateKey, AWS CloudTrail PutKeyPolicy
|
T1486
|
TTP
|
Ransomware Cloud
|
2026-05-13
|
|
AWS Multiple Users Failing To Authenticate From Ip
|
AWS CloudTrail ConsoleLogin
|
T1110.003
T1110.004
|
Anomaly
|
Compromised User Account, AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
ASL AWS Credential Access RDS Password reset
|
ASL AWS CloudTrail
|
T1110
T1586.003
|
TTP
|
Scattered Lapsus$ Hunters, AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
AWS Successful Console Authentication From Multiple IPs
|
AWS CloudTrail ConsoleLogin
|
T1535
T1586
|
Anomaly
|
Compromised User Account, Suspicious AWS Login Activities
|
2026-05-13
|
|
ASL AWS Credential Access GetPasswordData
|
ASL AWS CloudTrail
|
T1110.001
T1586.003
|
Anomaly
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
AWS Exfiltration via Batch Service
|
AWS CloudTrail JobCreated
|
T1119
|
TTP
|
Data Exfiltration
|
2026-05-13
|
|
AWS ECR Container Upload Unknown User
|
AWS CloudTrail PutImage
|
T1204.003
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
AWS Bedrock Delete GuardRails
|
AWS CloudTrail DeleteGuardrail
|
T1685.002
|
TTP
|
AWS Bedrock Security
|
2026-05-13
|
|
ASL AWS Defense Evasion Impair Security Services
|
ASL AWS CloudTrail
|
T1685.002
|
Hunting
|
AWS Defense Evasion
|
2026-05-13
|
|
AWS High Number Of Failed Authentications For User
|
AWS CloudTrail ConsoleLogin
|
T1201
|
Anomaly
|
Compromised User Account, AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
AWS UpdateLoginProfile
|
AWS CloudTrail UpdateLoginProfile
|
T1136.003
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
Detect AWS Console Login by User from New Region
|
AWS CloudTrail
|
T1535
T1586.003
|
Hunting
|
Compromised User Account, Suspicious Cloud Authentication Activities, AWS Identity and Access Management Account Takeover, Suspicious AWS Login Activities
|
2026-05-13
|
|
Cloud Compute Instance Created In Previously Unused Region
|
AWS CloudTrail
|
T1535
|
Anomaly
|
Cloud Cryptomining
|
2026-05-13
|
|
ASL AWS Network Access Control List Deleted
|
ASL AWS CloudTrail
|
T1686.001
|
Anomaly
|
Scattered Lapsus$ Hunters, AWS Network ACL Activity
|
2026-05-13
|
|
Cloud Compute Instance Created With Previously Unseen Instance Type
|
AWS CloudTrail
|
T1578.002
|
Anomaly
|
Cloud Cryptomining
|
2026-05-13
|
|
ASL AWS IAM Delete Policy
|
ASL AWS CloudTrail
|
T1098
|
Hunting
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
AWS AMI Attribute Modification for Exfiltration
|
AWS CloudTrail ModifyImageAttribute
|
T1537
|
TTP
|
Data Exfiltration, Suspicious Cloud Instance Activities
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen Country
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
AWS S3 Exfiltration Behavior Identified
|
|
T1537
|
Correlation
|
Data Exfiltration, Suspicious Cloud Instance Activities
|
2026-05-13
|
|
Detect AWS Console Login by User from New City
|
AWS CloudTrail
|
T1535
T1586.003
|
Hunting
|
Compromised User Account, Suspicious Cloud Authentication Activities, AWS Identity and Access Management Account Takeover, Suspicious AWS Login Activities
|
2026-05-13
|
|
AWS Defense Evasion Delete Cloudtrail
|
AWS CloudTrail DeleteTrail
|
T1685.002
|
TTP
|
AWS Defense Evasion
|
2026-05-13
|
|
ASL AWS EC2 Snapshot Shared Externally
|
ASL AWS CloudTrail
|
T1537
|
TTP
|
Data Exfiltration, Suspicious Cloud Instance Activities
|
2026-05-13
|
|
AWS IAM Delete Policy
|
AWS CloudTrail DeletePolicy
|
T1098
|
Hunting
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
AWS Unusual Number of Failed Authentications From Ip
|
AWS CloudTrail ConsoleLogin
|
T1110.003
T1110.004
T1586.003
|
Anomaly
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
Cloud Compute Instance Created With Previously Unseen Image
|
AWS CloudTrail
|
N/A
|
Anomaly
|
Cloud Cryptomining
|
2026-05-13
|
|
Detect New Open S3 Buckets over AWS CLI
|
AWS CloudTrail
|
T1530
|
TTP
|
Suspicious AWS S3 Activities
|
2026-05-13
|
|
AWS High Number Of Failed Authentications From Ip
|
AWS CloudTrail ConsoleLogin
|
T1110.003
T1110.004
|
Anomaly
|
Compromised User Account, AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
AWS Create Policy Version to allow all resources
|
AWS CloudTrail CreatePolicyVersion
|
T1078.004
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
Cloud Instance Modified By Previously Unseen User
|
AWS CloudTrail
|
T1078.004
|
Anomaly
|
Suspicious Cloud Instance Activities
|
2026-05-13
|
|
AWS New MFA Method Registered For User
|
AWS CloudTrail CreateVirtualMFADevice
|
T1556.006
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
AWS Defense Evasion PutBucketLifecycle
|
AWS CloudTrail PutBucketLifecycle
|
T1485.001
T1685.002
|
Hunting
|
AWS Defense Evasion
|
2026-05-13
|
|
AWS IAM Failure Group Deletion
|
AWS CloudTrail DeleteGroup
|
T1098
|
Anomaly
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
AWS Defense Evasion Stop Logging Cloudtrail
|
AWS CloudTrail StopLogging
|
T1685.002
|
TTP
|
AWS Defense Evasion
|
2026-05-13
|
|
AWS ECR Container Scanning Findings High
|
AWS CloudTrail DescribeImageScanFindings
|
T1204.003
|
TTP
|
Dev Sec Ops
|
2026-05-13
|
|
Detect AWS Console Login by User from New Country
|
AWS CloudTrail
|
T1535
T1586.003
|
Hunting
|
Compromised User Account, Suspicious Cloud Authentication Activities, AWS Identity and Access Management Account Takeover, Suspicious AWS Login Activities
|
2026-05-13
|
|
ASL AWS Create Policy Version to allow all resources
|
ASL AWS CloudTrail
|
T1078.004
|
TTP
|
AWS IAM Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
AWS Exfiltration via DataSync Task
|
AWS CloudTrail CreateTask
|
T1119
|
TTP
|
Hellcat Ransomware, Data Exfiltration, Suspicious AWS S3 Activities
|
2026-05-13
|
|
Cloud API Calls From Previously Unseen User Roles
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud User Activities
|
2026-05-13
|
|
ASL AWS Defense Evasion PutBucketLifecycle
|
ASL AWS CloudTrail
|
T1485.001
T1685.002
|
Hunting
|
AWS Defense Evasion
|
2026-05-13
|
|
AWS Bedrock Invoke Model Access Denied
|
AWS CloudTrail
|
T1078
T1550
|
TTP
|
AWS Bedrock Security
|
2026-05-13
|
|
AWS Password Policy Changes
|
AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail UpdateAccountPasswordPolicy
|
T1201
|
Hunting
|
AWS IAM Privilege Escalation, Compromised User Account
|
2026-05-13
|
|
ASL AWS Defense Evasion Delete Cloudtrail
|
ASL AWS CloudTrail
|
T1685.002
|
TTP
|
AWS Defense Evasion
|
2026-05-13
|
|
AWS IAM Successful Group Deletion
|
AWS CloudTrail DeleteGroup
|
T1069.003
T1098
|
Hunting
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
Detect Spike in S3 Bucket deletion
|
AWS CloudTrail
|
T1530
|
Anomaly
|
Suspicious AWS S3 Activities
|
2026-05-13
|
|
ASL AWS SAML Update identity provider
|
ASL AWS CloudTrail
|
T1078
|
TTP
|
Cloud Federated Credential Abuse
|
2026-05-13
|
|
AWS Multi-Factor Authentication Disabled
|
AWS CloudTrail DeleteVirtualMFADevice, AWS CloudTrail DeactivateMFADevice
|
T1556.006
T1586.003
T1621
|
TTP
|
Scattered Lapsus$ Hunters, AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
ASL AWS IAM Failure Group Deletion
|
ASL AWS CloudTrail
|
T1098
|
Anomaly
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen Region
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
Cloud Security Groups Modifications by User
|
AWS CloudTrail
|
T1578.005
|
Anomaly
|
Suspicious Cloud User Activities
|
2026-05-13
|
|
ASL AWS IAM Assume Role Policy Brute Force
|
ASL AWS CloudTrail
|
T1110
T1580
|
TTP
|
AWS IAM Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
AWS CreateAccessKey
|
AWS CloudTrail CreateAccessKey
|
T1136.003
|
Hunting
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
AWS Bedrock High Number List Foundation Model Failures
|
AWS CloudTrail
|
T1580
|
TTP
|
AWS Bedrock Security
|
2026-05-13
|
|
Internal Horizontal Port Scan NMAP Top 20
|
Cisco Secure Firewall Threat Defense Connection Event, AWS CloudWatchLogs VPCflow
|
T1046
|
TTP
|
China-Nexus Threat Activity, Scattered Lapsus$ Hunters, Cisco Secure Firewall Threat Defense Analytics, Network Discovery
|
2026-05-13
|
|
Internal Horizontal Port Scan
|
Cisco Secure Firewall Threat Defense Connection Event, AWS CloudWatchLogs VPCflow
|
T1046
|
TTP
|
China-Nexus Threat Activity, Scattered Lapsus$ Hunters, Cisco Secure Firewall Threat Defense Analytics, Network Discovery
|
2026-05-13
|
|
Internal Vertical Port Scan
|
Cisco Secure Firewall Threat Defense Connection Event, AWS CloudWatchLogs VPCflow
|
T1046
|
TTP
|
China-Nexus Threat Activity, Scattered Lapsus$ Hunters, Cisco Secure Firewall Threat Defense Analytics, Network Discovery
|
2026-05-13
|
