Data Source: ASL AWS CloudTrail

Description

Represents the AWS API activity (CloudTrail) dataset collected from Amazon Security Lake.

Details

| Property   | Value         |
|------------|---------------|
| Source     | aws_asl       |
| Sourcetype | aws:asl       |
| Separator  | api.operation |
| Name | Technique | Type |
|------|-----------|------|
| ASL AWS Concurrent Sessions From Different Ips | Browser Session Hijacking | Anomaly |
| ASL AWS Create Access Key | Cloud Account | Hunting |
| ASL AWS Create Policy Version to allow all resources | Cloud Accounts | TTP |
| ASL AWS Credential Access GetPasswordData | Password Guessing, Cloud Accounts | Anomaly |
| ASL AWS Credential Access RDS Password reset | Brute Force, Cloud Accounts | TTP |
| ASL AWS Defense Evasion Delete Cloudtrail | Disable or Modify Cloud Logs | TTP |
| ASL AWS Defense Evasion Delete CloudWatch Log Group | Disable or Modify Cloud Logs | TTP |
| ASL AWS Defense Evasion Impair Security Services | Disable or Modify Cloud Logs | Hunting |
| ASL AWS Defense Evasion PutBucketLifecycle | Lifecycle-Triggered Deletion, Disable or Modify Cloud Logs | Hunting |
| ASL AWS Defense Evasion Stop Logging Cloudtrail | Disable or Modify Cloud Logs | TTP |
| ASL AWS Defense Evasion Update Cloudtrail | Disable or Modify Cloud Logs | TTP |
| ASL AWS Detect Users creating keys with encrypt policy without MFA | Data Encrypted for Impact | TTP |
| ASL AWS Disable Bucket Versioning | Inhibit System Recovery | Anomaly |
| ASL AWS EC2 Snapshot Shared Externally | Transfer Data to Cloud Account | TTP |
| ASL AWS ECR Container Upload Outside Business Hours | Malicious Image | Anomaly |
| ASL AWS ECR Container Upload Unknown User | Malicious Image | Anomaly |
| ASL AWS IAM AccessDenied Discovery Events | Cloud Infrastructure Discovery | Anomaly |
| ASL AWS IAM Assume Role Policy Brute Force | Cloud Infrastructure Discovery, Brute Force | TTP |
| ASL AWS IAM Delete Policy | Account Manipulation | Hunting |
| ASL AWS IAM Failure Group Deletion | Account Manipulation | Anomaly |
| ASL AWS IAM Successful Group Deletion | Cloud Groups, Account Manipulation | Hunting |
| ASL AWS Multi-Factor Authentication Disabled | Multi-Factor Authentication, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP |
| ASL AWS Network Access Control List Created with All Open Ports | Disable or Modify Cloud Firewall | TTP |
| ASL AWS Network Access Control List Deleted | Disable or Modify Cloud Firewall | Anomaly |
| ASL AWS New MFA Method Registered For User | Multi-Factor Authentication | TTP |
| ASL AWS SAML Update identity provider | Valid Accounts | TTP |
| ASL AWS UpdateLoginProfile | Cloud Account | TTP |

Supported Apps

Required Output Fields

  • dest
  • user
  • user_agent
  • src
  • vendor_account
  • vendor_region
  • vendor_product


Source: GitHub | Version: 2