Data Source: AWS CloudTrail

Description

All AWS CloudTrail events

Details

| Property | Value |
| --- | --- |
| Source | aws_cloudtrail |
| Sourcetype | aws:cloudtrail |
| Separator | eventName |
| Name | Technique | Type |
| --- | --- | --- |
| AWS Bedrock High Number List Foundation Model Failures | Cloud Infrastructure Discovery | TTP |
| AWS Bedrock Invoke Model Access Denied | Valid Accounts, Use Alternate Authentication Material | TTP |
| AWS Detect Users with KMS keys performing encryption S3 | Data Encrypted for Impact | Anomaly |
| AWS Excessive Security Scanning | Cloud Service Discovery | TTP |
| AWS IAM AccessDenied Discovery Events | Cloud Infrastructure Discovery | Anomaly |
| AWS IAM Assume Role Policy Brute Force | Cloud Infrastructure Discovery, Brute Force | TTP |
| AWS Lambda UpdateFunctionCode | User Execution | Hunting |
| Cloud API Calls From Previously Unseen User Roles | Valid Accounts | Anomaly |
| Cloud Compute Instance Created By Previously Unseen User | Cloud Accounts | Anomaly |
| Cloud Compute Instance Created In Previously Unused Region | Unused/Unsupported Cloud Regions | Anomaly |
| Cloud Compute Instance Created With Previously Unseen Image | None | Anomaly |
| Cloud Compute Instance Created With Previously Unseen Instance Type | Create Cloud Instance | Anomaly |
| Cloud Instance Modified By Previously Unseen User | Cloud Accounts | Anomaly |
| Cloud Provisioning Activity From Previously Unseen City | Valid Accounts | Anomaly |
| Cloud Provisioning Activity From Previously Unseen Country | Valid Accounts | Anomaly |
| Cloud Provisioning Activity From Previously Unseen IP Address | Valid Accounts | Anomaly |
| Cloud Provisioning Activity From Previously Unseen Region | Valid Accounts | Anomaly |
| Cloud Security Groups Modifications by User | Modify Cloud Compute Configurations | Anomaly |
| Detect AWS Console Login by New User | Unsecured Credentials, Cloud Accounts | Hunting |
| Detect AWS Console Login by User from New City | Unused/Unsupported Cloud Regions, Cloud Accounts | Hunting |
| Detect AWS Console Login by User from New Country | Unused/Unsupported Cloud Regions, Cloud Accounts | Hunting |
| Detect AWS Console Login by User from New Region | Unused/Unsupported Cloud Regions, Cloud Accounts | Hunting |
| Detect New Open S3 buckets | Data from Cloud Storage | TTP |
| Detect New Open S3 Buckets over AWS CLI | Data from Cloud Storage | TTP |
| Detect Spike in S3 Bucket deletion | Data from Cloud Storage | Anomaly |
| Abnormally High Number Of Cloud Infrastructure API Calls | Cloud Accounts | Anomaly |
| Abnormally High Number Of Cloud Instances Destroyed | Cloud Accounts | Anomaly |
| Abnormally High Number Of Cloud Instances Launched | Cloud Accounts | Anomaly |
| Abnormally High Number Of Cloud Security Group API Calls | Cloud Accounts | Anomaly |

Supported Apps
Source: GitHub | Version: 1