AWS coverage
977 AWS detection rules across 6 vendors covering 767 (eventSource, eventName) pairs.
AWS API activity is recorded in CloudTrail, where every record carries an eventSource (the service endpoint that handled the call, such as iam.amazonaws.com) and an eventName (the specific API action, such as CreateUser). The (eventSource, eventName) pair is the unit a detection keys on, so this page groups the combined Sigma, Elastic, Sentinel, and Chronicle corpora by that pair. Each pair maps to a catalog entry under the AWS catalog.
Management events (control-plane API calls) are logged by default; data events (object-level operations such as S3 GetObject or Lambda Invoke) appear only when a trail is explicitly configured to capture them. Rules that cover data events are still attributed here, but the telemetry they depend on is not collected unless data-event logging is turned on for the trail. Rules that filter only on a wildcard eventName, or only on eventSource, cannot be resolved to a single pair and are grouped under (unattributed) or (any event).
"datasync.amazonaws.com"
CreateTask 1 rule
"guardduty.amazonaws.com"
"DeleteDetector" 1 rule
"DeleteIPSet" 1 rule
"DeleteLoggingConfiguration" 1 rule
"DeleteRule" 1 rule
"DeleteRuleGroup" 1 rule
"DeleteWebACL" 1 rule
"rds.amazonaws.com"
ModifyDBInstance 1 rule
"route53.amazonaws.com"
"DeleteDetector" 1 rule
"DeleteIPSet" 1 rule
"DeleteLoggingConfiguration" 1 rule
"DeleteRule" 1 rule
"DeleteRuleGroup" 1 rule
"DeleteWebACL" 1 rule
"s3.amazonaws.com"
PutBucketAcl 1 rule
"waf.amazonaws.com"
"DeleteDetector" 1 rule
"DeleteIPSet" 1 rule
"DeleteLoggingConfiguration" 1 rule
"DeleteRule" 1 rule
"DeleteRuleGroup" 1 rule
"DeleteWebACL" 1 rule
"wafv2.amazonaws.com"
"DeleteDetector" 1 rule
"DeleteIPSet" 1 rule
"DeleteLoggingConfiguration" 1 rule
"DeleteRule" 1 rule
"DeleteRuleGroup" 1 rule
"DeleteWebACL" 1 rule
account.amazonaws.com
EnableRegion 1 rule
bedrock.amazonaws.com
AssociateAgentCollaborator 1 rule
AssociateAgentKnowledgeBase 1 rule
Converse 1 rule
ConverseStream 1 rule
CreateAgent 1 rule
CreateAgentActionGroup 1 rule
CreateAgentAlias 1 rule
CreateCustomModelDeployment 1 rule
CreateDataSource 1 rule
CreateFoundationModelAgreement 2 rules
CreateMarketplaceModelEndpoint 1 rule
CreateModelImportJob 1 rule
CreateProvisionedModelThroughput 1 rule
DeleteAutomatedReasoningPolicy 1 rule
DeleteDataSource 1 rule
DeleteEnforcedGuardrailConfiguration 1 rule
DeleteGuardrail 3 rules
DeleteKnowledgeBase 2 rules
DeleteKnowledgeBaseDocuments 1 rule
DeleteModelInvocationLoggingConfiguration 3 rules
DeleteProvisionedModelThroughput 1 rule
DeleteResourcePolicy 2 rules
IngestKnowledgeBaseDocuments 1 rule
InvokeModel 2 rules
InvokeModelWithResponseStream 1 rule
ListFoundationModels 2 rules
PrepareAgent 1 rule
PutEnforcedGuardrailConfiguration 1 rule
PutFoundationModelEntitlement 2 rules
PutModelInvocationLoggingConfiguration 1 rule
PutResourcePolicy 2 rules
PutUseCaseForModelAccess 2 rules
RegisterMarketplaceModelEndpoint 1 rule
StartIngestionJob 1 rule
UpdateAgent 1 rule
UpdateAgentActionGroup 1 rule
UpdateAgentAlias 1 rule
UpdateAgentCollaborator 1 rule
UpdateAgentKnowledgeBase 1 rule
UpdateAutomatedReasoningPolicy 1 rule
UpdateAutomatedReasoningPolicyAnnotations 1 rule
UpdateDataSource 1 rule
UpdateGuardrail 2 rules
UpdateKnowledgeBase 1 rule
UpdateProvisionedModelThroughput 1 rule
cloudformation.amazonaws.com
CreateStack 1 rule
CreateStackInstances 1 rule
cloudfront.amazonaws.com
(any event) 1 rule
cloudshell.amazonaws.com
CreateEnvironment 1 rule
cloudtrail.amazonaws.com
CreateTrail 1 rule
DeleteTrail 5 rules
DescribeDBInstances 1 rule
DescribeDBSnapshots 1 rule
DescribeInstances 1 rule
DescribeRegions 1 rule
DescribeSecurityGroups 1 rule
DescribeTrails 1 rule
DescribeVpcs 1 rule
GetAccountSummary 1 rule
GetCallerIdentity 1 rule
ListAccessKeys 1 rule
ListAccountAliases 1 rule
ListAliases 1 rule
ListBuckets 1 rule
ListFunctions 1 rule
ListGroups 1 rule
ListMFADevices 1 rule
ListRoles 1 rule
ListTables 1 rule
ListUsers 1 rule
LookupEvents 1 rule
StopLogging 5 rules
UpdateTrail 5 rules
config.amazonaws.com
DeleteConfigRule 1 rule
DeleteConfigurationAggregator 1 rule
DeleteConfigurationRecorder 1 rule
DeleteConformancePack 1 rule
DeleteDeliveryChannel 2 rules
DeleteOrganizationConfigRule 1 rule
DeleteOrganizationConformancePack 1 rule
DeleteRemediationConfiguration 1 rule
DeleteRetentionConfiguration 1 rule
StopConfigurationRecorder 2 rules
dynamodb.amazonaws.com
DescribeDBInstances 1 rule
DescribeDBSnapshots 1 rule
DescribeInstances 1 rule
DescribeRegions 1 rule
DescribeSecurityGroups 1 rule
DescribeTrails 1 rule
DescribeVpcs 1 rule
ExportTableToPointInTime 1 rule
GetAccountSummary 1 rule
GetCallerIdentity 1 rule
ListAccessKeys 1 rule
ListAccountAliases 1 rule
ListAliases 1 rule
ListBuckets 1 rule
ListFunctions 1 rule
ListGroups 1 rule
ListMFADevices 1 rule
ListRoles 1 rule
ListTables 1 rule
ListUsers 1 rule
LookupEvents 1 rule
Scan 1 rule
(any event) 1 rule
ec2-instance-connect.amazonaws.com
SendSerialConsoleSSHPublicKey 1 rule
SendSSHPublicKey 1 rule
ec2.amazonaws.com
AssociateIamInstanceProfile 2 rules
AssociateInstanceEventWindow 1 rule
AuthorizeSecurityGroupEgress 2 rules
AuthorizeSecurityGroupIngress 4 rules
BundleInstance 1 rule
CancelSpotInstanceRequests 1 rule
ConfirmProductInstance 1 rule
CopyFpgaImage 1 rule
CopyImage 1 rule
CreateFpgaImage 1 rule
CreateImage 1 rule
CreateInstanceEventWindow 1 rule
CreateInstanceExportTask 3 rules
CreateKeyPair 1 rule
CreateNetworkAcl 1 rule
CreateNetworkAclEntry 2 rules
CreateRestoreImageTask 1 rule
CreateRoute 2 rules
CreateRouteTable 1 rule
CreateSecurityGroup 1 rule
CreateStoreImageTask 2 rules
CreateTrafficMirrorFilter 1 rule
CreateTrafficMirrorFilterRule 1 rule
CreateTrafficMirrorSession 2 rules
CreateTrafficMirrorTarget 1 rule
DeleteFlowLogs 1 rule
DeleteInstanceEventWindow 1 rule
DeleteNetworkAcl 1 rule
DeleteNetworkAclEntry 1 rule
DeleteRoute 1 rule
DeleteRouteTable 1 rule
DeleteTrafficMirrorFilter 1 rule
DeleteTrafficMirrorFilterRule 1 rule
DeleteTrafficMirrorSession 1 rule
DeleteTrafficMirrorTarget 1 rule
DeregisterInstanceEventNotificationAttributes 1 rule
DescribeDBInstances 1 rule
DescribeDBSnapshots 1 rule
DescribeImages 1 rule
DescribeInstanceAttribute 1 rule
DescribeInstances 2 rules
DescribeRegions 1 rule
DescribeSecurityGroups 1 rule
DescribeTrails 1 rule
DescribeVpcs 1 rule
DisableEbsEncryptionByDefault 3 rules
DisassociateIamInstanceProfile 1 rule
DisassociateInstanceEventWindow 1 rule
DisassociateRouteTable 1 rule
EnableSerialConsoleAccess 1 rule
ExportImage 1 rule
GetAccountSummary 1 rule
GetCallerIdentity 1 rule
GetPasswordData 4 rules
ImportImage 1 rule
ImportInstance 1 rule
ImportKeyPair 1 rule
ListAccessKeys 1 rule
ListAccountAliases 1 rule
ListAliases 1 rule
ListBuckets 1 rule
ListFunctions 1 rule
ListGroups 1 rule
ListMFADevices 1 rule
ListRoles 1 rule
ListTables 1 rule
ListUsers 1 rule
LookupEvents 1 rule
ModifyImageAttribute 1 rule
ModifyInstanceAttribute 4 rules
ModifyInstanceCapacityReservationAttributes 1 rule
ModifyInstanceCreditSpecification 1 rule
ModifyInstanceEventStartTime 1 rule
ModifyInstanceEventWindow 1 rule
ModifyInstanceMaintenanceOptions 1 rule
ModifyInstanceMetadataOptions 1 rule
ModifyInstancePlacement 1 rule
ModifySecurityGroupRules 1 rule
ModifySnapshotAttribute 1 rule
ModifyTrafficMirrorFilterNetworkServices 1 rule
ModifyTrafficMirrorFilterRule 1 rule
ModifyTrafficMirrorSession 1 rule
MonitorInstances 1 rule
RegisterInstanceEventNotificationAttributes 1 rule
ReplaceIamInstanceProfile 1 rule
ReplaceRoute 1 rule
ReplaceRouteTableAssociation 1 rule
ReportInstanceStatus 1 rule
RequestSpotInstances 1 rule
ResetInstanceAttribute 1 rule
RevokeSecurityGroupEgress 2 rules
RevokeSecurityGroupIngress 2 rules
RunInstances 2 rules
RunScheduledInstances 1 rule
StartInstances 2 rules
StopInstances 2 rules
TerminateInstances 1 rule
UnmonitorInstances 1 rule
ecr.amazonaws.com
BatchCheckLayerAvailability 1 rule
BatchDeleteImage 1 rule
BatchGetImage 1 rule
CompleteLayerUpload 1 rule
CreateRepository 1 rule
DeleteRepository 1 rule
DeleteRepositoryPolicy 1 rule
DescribeImageScanFindings 3 rules
GetAuthorizationToken 1 rule
GetDownloadUrlForLayer 1 rule
GetRepositoryPolicy 1 rule
InitiateLayerUpload 1 rule
PutImage 3 rules
SetRepositoryPolicy 1 rule
UploadLayerPart 1 rule
(any event) 1 rule
ecs.amazonaws.com
DescribeTaskDefinition 1 rule
RegisterTaskDefinition 1 rule
RunTask 1 rule
eks.amazonaws.com
AssociateAccessPolicy 2 rules
CreateAccessEntry 1 rule
CreateCluster 1 rule
DeleteAccessEntry 1 rule
DeleteCluster 1 rule
DisassociateAccessPolicy 1 rule
UpdateAccessEntry 1 rule
UpdateClusterConfig 1 rule
elasticache.amazonaws.com
AuthorizeCacheSecurityGroupEgress 1 rule
AuthorizeCacheSecurityGroupIngress 1 rule
CreateCacheSecurityGroup 1 rule
DeleteCacheSecurityGroup 1 rule
RevokeCacheSecurityGroupEgress 1 rule
RevokeCacheSecurityGroupIngress 1 rule
elasticfilesystem.amazonaws.com
DeleteFileSystem 2 rules
DeleteMountTarget 1 rule
elasticloadbalancing.amazonaws.com
ApplySecurityGroupsToLoadBalancer 1 rule
SetSecurityGroups 1 rule
(any event) 1 rule
events.amazonaws.com
DeleteRule 1 rule
DisableRule 1 rule
glue.amazonaws.com
CreateDevEndpoint 1 rule
DeleteDevEndpoint 1 rule
UpdateDevEndpoint 1 rule
guardduty.amazonaws.com
CreateIPSet 2 rules
DeleteDetector 2 rules
DeleteInvitations 1 rule
DeleteMembers 1 rule
DisassociateFromAdministratorAccount 1 rule
DisassociateMembers 1 rule
StopMonitoringMembers 1 rule
UpdateDetector 1 rule
UpdateIPSet 1 rule
iam.amazonaws.com
AddRoleToInstanceProfile 2 rules
AddUserToGroup 3 rules
AssumeRoleWithSAML 1 rule
AttachGroupPolicy 5 rules
AttachRolePolicy 7 rules
- AWS Compromised IAM Key Quarantine
- AWS IAM AdministratorAccess Policy Attached to Role
- AWS IAM Customer-Managed Policy Attached to Role by Rare User
- AWS IAM Sensitive Operations via Lambda Execution Role
- AWS Sensitive IAM Operations Performed via CloudShell
- IAM Admin Policy Attached
- IAM Policy Attachment Attempt
AttachUserPolicy 6 rules
ChangePassword 1 rule
CreateAccessKey 9 rules
- AWS IAM Backdoor Users Keys
- AWS IAM S3Browser User or AccessKey Creation
- AWS IAM Sensitive Operations via Lambda Execution Role
- AWS IAM User Created Access Keys For Another User
- AWS Sensitive IAM Operations Performed via CloudShell
- AWS User API Key Created
- High-Risk Cross-Cloud User Impersonation
- IAM Access Key Created
- IAM Access Key Creation Attempt
CreateGroup 2 rules
CreateInstanceProfile 2 rules
CreateLoginProfile 5 rules
CreateMailUser 1 rule
CreateOpenIDConnectProvider 1 rule
CreateOrganization 1 rule
CreatePolicyVersion 2 rules
CreateRole 3 rules
CreateSAMLProvider 2 rules
CreateServiceSpecificCredential 1 rule
CreateUser 7 rules
CreateVirtualMFADevice 2 rules
DeactivateMFADevice 1 rule
DeleteAccessKey 1 rule
DeleteGroup 4 rules
DeleteGroupPolicy 1 rule
DeleteLoginProfile 3 rules
DeleteRole 1 rule
DeleteSAMLProvider 2 rules
DeleteServiceSpecificCredential 1 rule
DeleteUser 1 rule
DescribeAvailabilityZones 1 rule
DescribeCluster 1 rule
DescribeDBInstances 1 rule
DescribeDBSnapshots 1 rule
DescribeImages 1 rule
DescribeInstances 2 rules
DescribeNetworkInterfaces 1 rule
DescribeOrganization 1 rule
DescribeOrgnanizationalUnit 1 rule
DescribeRegions 2 rules
DescribeRepositories 1 rule
DescribeResourcePolicy 1 rule
DescribeSecurityGroups 2 rules
DescribeSubnets 1 rule
DescribeTable 1 rule
DescribeTrails 2 rules
DescribeVolumes 1 rule
DescribeVpcs 2 rules
DisableMailUsers 1 rule
EnableMailUsers 1 rule
EnableMFADevice 1 rule
GetAccountAuthorizationDetails 1 rule
GetAccountSummary 2 rules
GetBucketAcl 1 rule
GetBucketPolicy 1 rule
GetCallerIdentity 2 rules
GetCredentialReport 1 rule
GetGroup 1 rule
GetGroupPolicy 1 rule
GetLoginProfile 1 rule
GetPolicy 1 rule
GetPolicyVersion 1 rule
GetRole 1 rule
GetRolePolicy 1 rule
GetSessionToken 1 rule
GetTrailStatus 1 rule
GetUser 1 rule
GetUserPolicy 1 rule
ListAccessKeys 2 rules
ListAccountAliases 2 rules
ListAccounts 1 rule
ListAccountsForParent 1 rule
ListAliases 1 rule
ListAttachedGroupPolicies 1 rule
ListAttachedRolePolicies 1 rule
ListAttachedUserPolicies 1 rule
ListAWSServiceAccessForOrganization 1 rule
ListBuckets 2 rules
ListClusters 1 rule
ListDelegatedAdministrators 1 rule
ListDelegatedServicesForAccount 1 rule
ListFunctions 2 rules
ListGroupPolicies 1 rule
ListGroups 3 rules
ListGroupsForUser 1 rule
ListMFADevices 1 rule
ListOrganizationalUnitsForParent 1 rule
ListPolicies 1 rule
ListQueues 1 rule
ListRepositories 1 rule
ListRoles 3 rules
ListRoots 1 rule
ListServiceQuotas 1 rule
ListServices 1 rule
ListTables 2 rules
ListTopics 1 rule
ListTrails 1 rule
ListUserPolicies 1 rule
ListUsers 3 rules
LookupEvents 2 rules
PutRolePolicy 2 rules
PutUserPolicy 3 rules
RegisterToWorkMail 1 rule
RemoveUserFromGroup 1 rule
ResetPassword 1 rule
SetDefaultMailDomain 1 rule
SetDefaultPolicyVersion 2 rules
SetMailUserDetails 1 rule
UpdateAccountEmailAddress 1 rule
UpdateAssumeRolePolicy 2 rules
UpdateLoginProfile 3 rules
UpdateSAMLProvider 3 rules
UploadServerCertificate 1 rule
identitystore.amazonaws.com
AddUserToGroup 1 rule
ChangePassword 1 rule
CreateAccessKey 1 rule
CreateGroup 1 rule
CreateMailUser 1 rule
CreateOrganization 1 rule
CreateRole 1 rule
CreateServiceSpecificCredential 1 rule
CreateUser 1 rule
CreateVirtualMFADevice 1 rule
DeleteAccessKey 1 rule
DeleteGroup 1 rule
DeleteGroupPolicy 1 rule
DeleteLoginProfile 1 rule
DeleteRole 1 rule
DeleteServiceSpecificCredential 1 rule
DeleteUser 1 rule
DisableMailUsers 1 rule
EnableMailUsers 1 rule
RegisterToWorkMail 1 rule
RemoveUserFromGroup 1 rule
ResetPassword 1 rule
SetDefaultMailDomain 1 rule
SetMailUserDetails 1 rule
UpdateAccountEmailAddress 1 rule
UploadServerCertificate 1 rule
kms.amazonaws.com
DeleteImportedKeyMaterial 1 rule
DescribeDBInstances 1 rule
DescribeDBSnapshots 1 rule
DescribeInstances 1 rule
DescribeRegions 1 rule
DescribeSecurityGroups 1 rule
DescribeTrails 1 rule
DescribeVpcs 1 rule
DisableKey 1 rule
GetAccountSummary 1 rule
GetCallerIdentity 1 rule
ImportKeyMaterial 1 rule
ListAccessKeys 1 rule
ListAccountAliases 1 rule
ListAliases 1 rule
ListBuckets 1 rule
ListFunctions 1 rule
ListGroups 1 rule
ListMFADevices 1 rule
ListRoles 1 rule
ListTables 1 rule
ListUsers 1 rule
LookupEvents 1 rule
PutKeyPolicy 1 rule
ScheduleKeyDeletion 1 rule
lambda.amazonaws.com
AddPermission 1 rule
AddPermission20150331 1 rule
AddPermission20150331v2 1 rule
CreateAlias 1 rule
CreateEventSourceMapping 1 rule
CreateFunction 1 rule
CreateFunctionUrlConfig 1 rule
DeleteAlias 1 rule
DeleteEventSourceMapping 1 rule
DeleteFunction 1 rule
DescribeDBInstances 1 rule
DescribeDBSnapshots 1 rule
DescribeInstances 1 rule
DescribeRegions 1 rule
DescribeSecurityGroups 1 rule
DescribeTrails 1 rule
DescribeVpcs 1 rule
GetAccountSummary 1 rule
GetCallerIdentity 1 rule
ListAccessKeys 1 rule
ListAccountAliases 1 rule
ListAliases 1 rule
ListBuckets 1 rule
ListFunctions 1 rule
ListGroups 1 rule
ListMFADevices 1 rule
ListRoles 1 rule
ListTables 1 rule
ListUsers 1 rule
LookupEvents 1 rule
PublishVersion 1 rule
RemovePermission 1 rule
UpdateAlias 1 rule
UpdateEventSourceMapping 1 rule
UpdateFunctionCode 1 rule
UpdateFunctionCode* 1 rule
UpdateFunctionConfiguration 1 rule
UpdateFunctionConfiguration20150331v2 1 rule
logs.amazonaws.com
DeleteLogGroup 2 rules
DeleteLogStream 1 rule
monitoring.amazonaws.com
DeleteAlarms 1 rule
organizations.amazonaws.com
DescribeOrganization 1 rule
DescribeOrgnanizationalUnit 1 rule
DescribeResourcePolicy 1 rule
GetAccountSummary 1 rule
ListAccountAliases 1 rule
ListAccounts 1 rule
ListAccountsForParent 1 rule
ListAWSServiceAccessForOrganization 1 rule
ListDelegatedAdministrators 1 rule
ListDelegatedServicesForAccount 1 rule
ListOrganizationalUnitsForParent 1 rule
ListPolicies 1 rule
ListRoots 1 rule
(any event) 1 rule
rds.amazonaws.com
AddRoleToDBCluster 1 rule
AddRoleToDBInstance 1 rule
AuthorizeDBSecurityGroupIngress 2 rules
CopyDBClusterSnapshot 1 rule
CopyDBSnapshot 1 rule
CreateDBCluster 1 rule
CreateDBClusterSnapshot 1 rule
CreateDBInstance 1 rule
CreateDBSecurityGroup 1 rule
CreateDBSnapshot 2 rules
DeleteDBCluster 3 rules
DeleteDBClusterAutomatedBackup 1 rule
DeleteDBClusterSnapshot 2 rules
DeleteDBInstance 2 rules
DeleteDBInstanceAutomatedBackup 1 rule
DeleteDBSecurityGroup 1 rule
DeleteDBSnapshot 2 rules
DeleteGlobalCluster 1 rule
DescribeDBClusterSnapshots 1 rule
DescribeDBInstances 1 rule
DescribeDBSnapshots 2 rules
DescribeInstances 1 rule
DescribeRegions 1 rule
DescribeSecurityGroups 1 rule
DescribeTrails 1 rule
DescribeVpcs 1 rule
DownloadDBLogFilePortion 1 rule
FailoverDBCluster 1 rule
FailoverGlobalCluster 1 rule
GetAccountSummary 1 rule
GetCallerIdentity 1 rule
ListAccessKeys 1 rule
ListAccountAliases 1 rule
ListAliases 1 rule
ListBuckets 1 rule
ListFunctions 1 rule
ListGroups 1 rule
ListMFADevices 1 rule
ListRoles 1 rule
ListTables 1 rule
ListUsers 1 rule
LookupEvents 1 rule
ModifyDBCluster 5 rules
ModifyDBClusterSnapshotAttribute 2 rules
ModifyDBInstance 8 rules
- AWS RDS DB Instance Made Public
- AWS RDS DB Instance or Cluster Deletion Protection Disabled
- AWS RDS DB Instance or Cluster Password Modified
- AWS RDS Deletion Protection Disabled
- AWS RDS Instance Modified to be Publicly Accessible
- AWS RDS Master Password Change
- AWS RDS Master Password Updated
- AWS RDS Snapshot Deleted
ModifyDBSnapshotAttribute 2 rules
RebootDBCluster 1 rule
RebootDBInstance 1 rule
RebootDBShardGroup 1 rule
RestoreDBInstanceFromDBSnapshot 3 rules
RestoreDBInstanceFromS3 1 rule
RevokeDBSecurityGroupIngress 1 rule
StartExportTask 2 rules
StopActivityStream 1 rule
(any event) 1 rule
rolesanywhere.amazonaws.com
CreateProfile 1 rule
CreateTrustAnchor 1 rule
route53.amazonaws.com
AssociateVPCWithHostedZone 1 rule
DisableDomainTransferLock 1 rule
TransferDomainToAnotherAwsAccount 1 rule
route53domains.amazonaws.com
DisableDomainTransferLock 1 rule
TransferDomainToAnotherAwsAccount 1 rule
route53resolver.amazonaws.com
DeleteResolverQueryLogConfig 1 rule
s3.amazonaws.com
CopyObject 2 rules
DeleteBucketCors 1 rule
DeleteBucketEncryption 2 rules
DeleteBucketLifecycle 1 rule
DeleteBucketPolicy 1 rule
DeleteBucketPublicAccessBlock 1 rule
DeleteBucketReplication 2 rules
DeleteObject 2 rules
DeleteObjects 1 rule
DeleteObjectVersion 1 rule
DescribeDBInstances 1 rule
DescribeDBSnapshots 1 rule
DescribeInstances 1 rule
DescribeRegions 1 rule
DescribeSecurityGroups 1 rule
DescribeTrails 1 rule
DescribeVpcs 1 rule
GetAccountSummary 1 rule
GetBucketAcl 1 rule
GetBucketPolicy 1 rule
GetBucketPolicyStatus 1 rule
GetBucketPublicAccessBlock 1 rule
GetBucketVersioning 1 rule
GetCallerIdentity 1 rule
GetObject 3 rules
ListAccessKeys 1 rule
ListAccountAliases 1 rule
ListAliases 1 rule
ListBucket 1 rule
ListBuckets 2 rules
ListFunctions 1 rule
ListGroups 1 rule
ListMFADevices 1 rule
ListObjects 1 rule
ListRoles 1 rule
ListTables 1 rule
ListUsers 1 rule
LookupEvents 1 rule
PutBucketAcl 1 rule
PutBucketLogging 4 rules
PutBucketPolicy 2 rules
PutBucketReplication 1 rule
PutBucketVersioning 5 rules
PutBucketWebsite 1 rule
PutEncryptionConfiguration 1 rule
PutLifecycleConfiguration 1 rule
PutObject 5 rules
PutReplicationConfiguration 1 rule
ReplicateObject 1 rule
RestoreObject 1 rule
secretsmanager.amazonaws.com
GetSecretValue 2 rules
(any event) 1 rule
securityhub.amazonaws.com
BatchUpdateFindings 2 rules
DeleteInsight 2 rules
UpdateFindings 2 rules
UpdateInsight 2 rules
servicequotas.amazonaws.com
GetServiceQuota 1 rule
ses.amazonaws.com
DeleteIdentity 1 rule
(any event) 1 rule
signin.amazonaws.com
ConsoleLogin 9 rules
- AWS Authentication from CrowdStrike Unmanaged Device (crowdstrike_fdrevent table)
- AWS EC2 Instance Console Login via Assumed Role
- AWS Management Console Brute Force of Root User Identity
- AWS Management Console Root Login
- AWS Sign-In Console Login with Federated User
- Console Login With MFA
- Console Login Without MFA
- Failed Console Login
- Many Failed Logins
GetSessionToken 1 rule
GetSigninToken 4 rules
PasswordRecoveryRequested 1 rule
sns.amazonaws.com
CreateTopic 1 rule
Publish 1 rule
Subscribe 1 rule
sqs.amazonaws.com
PurgeQueue 1 rule
ssm.amazonaws.com
CreateAssociation 1 rule
CreateDocument 1 rule
DescribeInstancePatches 1 rule
GetInventory 1 rule
GetInventorySchema 1 rule
GetParameter 1 rule
GetParameters 1 rule
ListCommands 1 rule
ListInventoryEntries 1 rule
RegisterManagedInstance 1 rule
SendCommand 2 rules
StartSession 1 rule
sso-directory.amazonaws.com
AssociateDirectory 1 rule
DisableExternalIdPConfigurationForDirectory 1 rule
DisassociateDirectory 1 rule
EnableExternalIdPConfigurationForDirectory 1 rule
sso.amazonaws.com
AssociateDirectory 1 rule
Authenticate 1 rule
CreateToken 1 rule
DisableExternalIdPConfigurationForDirectory 1 rule
DisassociateDirectory 1 rule
EnableExternalIdPConfigurationForDirectory 1 rule
ListApplications 1 rule
sts.amazonaws.com
AssumeRole 5 rules
AssumeRoleWithSAML 2 rules
AssumeRoleWithWebIdentity 2 rules
AssumeRoot 1 rule
ConsoleLogin 1 rule
DescribeDBInstances 1 rule
DescribeDBSnapshots 1 rule
DescribeInstances 1 rule
DescribeRegions 1 rule
DescribeSecurityGroups 1 rule
DescribeTrails 1 rule
DescribeVpcs 1 rule
GetAccountSummary 1 rule
GetCallerIdentity 5 rules
GetFederationToken 2 rules
GetSessionToken 4 rules
ListAccessKeys 1 rule
ListAccountAliases 1 rule
ListAliases 1 rule
ListBuckets 1 rule
ListFunctions 1 rule
ListGroups 1 rule
ListMFADevices 1 rule
ListRoles 1 rule
ListTables 1 rule
ListUsers 1 rule
LookupEvents 1 rule
UpdateSAMLProvider 1 rule
(any event) 1 rule
waf-regional.amazonaws.com
DeleteRule 1 rule
DeleteRuleGroup 1 rule
DeleteWebACL 1 rule
waf.amazonaws.com
DeleteRule 1 rule
DeleteRuleGroup 1 rule
DeleteWebACL 1 rule
wafv2.amazonaws.com
CreateIPSet 1 rule
DeleteRule 1 rule
DeleteRuleGroup 1 rule
DeleteWebACL 1 rule
UpdateIPSet 1 rule
workdocs.amazonaws.com
AddUserToGroup 1 rule
ChangePassword 1 rule
CreateAccessKey 1 rule
CreateGroup 1 rule
CreateMailUser 1 rule
CreateOrganization 1 rule
CreateRole 1 rule
CreateServiceSpecificCredential 1 rule
CreateUser 1 rule
CreateVirtualMFADevice 1 rule
DeleteAccessKey 1 rule
DeleteGroup 1 rule
DeleteGroupPolicy 1 rule
DeleteLoginProfile 1 rule
DeleteRole 1 rule
DeleteServiceSpecificCredential 1 rule
DeleteUser 1 rule
DisableMailUsers 1 rule
EnableMailUsers 1 rule
RegisterToWorkMail 1 rule
RemoveUserFromGroup 1 rule
ResetPassword 1 rule
SetDefaultMailDomain 1 rule
SetMailUserDetails 1 rule
UpdateAccountEmailAddress 1 rule
UploadServerCertificate 1 rule
workmail.amazonaws.com
AddUserToGroup 1 rule
ChangePassword 1 rule
CreateAccessKey 1 rule
CreateGroup 1 rule
CreateMailUser 1 rule
CreateOrganization 1 rule
CreateRole 1 rule
CreateServiceSpecificCredential 1 rule
CreateUser 1 rule
CreateVirtualMFADevice 1 rule
DeleteAccessKey 1 rule
DeleteGroup 1 rule
DeleteGroupPolicy 1 rule
DeleteLoginProfile 1 rule
DeleteRole 1 rule
DeleteServiceSpecificCredential 1 rule
DeleteUser 1 rule
DisableMailUsers 1 rule
EnableMailUsers 1 rule
RegisterToWorkMail 1 rule
RemoveUserFromGroup 1 rule
ResetPassword 1 rule
SetDefaultMailDomain 1 rule
SetMailUserDetails 1 rule
UpdateAccountEmailAddress 1 rule
UploadServerCertificate 1 rule
(unattributed)
(any event) 670 rules
- A CloudTrail Was Created or Updated
- Account Security Configuration Changed
- Amazon EKS Kubernetes cluster scan detection
- Amazon EKS Kubernetes Pod scan detection
- Amazon Machine Image (AMI) Modified to Allow Public Access
- Anomalous AccessDenied Requests
- Anomalous VPC Traffic to Destination Port
- Anomaly found in Network Session Traffic (ASIM Network Session schema)
- API Call From Hacking Distro
- API Key Created
- ASL AWS Concurrent Sessions From Different Ips
- ASL AWS Create Access Key
- ASL AWS Create Policy Version to allow all resources
- ASL AWS Credential Access GetPasswordData
- ASL AWS Credential Access RDS Password reset
- ASL AWS Defense Evasion Delete Cloudtrail
- ASL AWS Defense Evasion Delete CloudWatch Log Group
- ASL AWS Defense Evasion Impair Security Services
- ASL AWS Defense Evasion PutBucketLifecycle
- ASL AWS Defense Evasion Stop Logging Cloudtrail
- ASL AWS Defense Evasion Update Cloudtrail
- ASL AWS Detect Users creating keys with encrypt policy without MFA
- ASL AWS Disable Bucket Versioning
- ASL AWS EC2 Snapshot Shared Externally
- ASL AWS ECR Container Upload Outside Business Hours
- ASL AWS ECR Container Upload Unknown User
- ASL AWS IAM AccessDenied Discovery Events
- ASL AWS IAM Assume Role Policy Brute Force
- ASL AWS IAM Delete Policy
- ASL AWS IAM Failure Group Deletion
- ASL AWS IAM Successful Group Deletion
- ASL AWS Multi-Factor Authentication Disabled
- ASL AWS Network Access Control List Created with All Open Ports
- ASL AWS Network Access Control List Deleted
- ASL AWS New MFA Method Registered For User
- ASL AWS SAML Update identity provider
- ASL AWS UpdateLoginProfile
- Attempt To Create API Key
- Attempt To Get Credentials For Identity
- Attempt To Get Federation Token
- Attempt To Get Signin Token
- AWS Access Key Rotation
- AWS Access Keys At Account Creation
- AWS Access Token Used from Multiple Addresses
- AWS Account Leaving Or Removed From The Organization
- AWS ACM Certificate Expiration
- AWS ACM Certificate Status
- AWS ACM Secure Algorithms
- AWS AMI Attribute Modification for Exfiltration
- AWS AMI Sharing
- AWS API Activity from Uncommon S3 Client by Rare User
- AWS API Call Outside Of Organization
- AWS API Gateway Keys Accessed
- AWS Application Load Balancer Insecure SSL Policy
- AWS Application Load Balancer Web ACL
- AWS Authentication From CrowdStrike Unmanaged Device
- AWS Backdoor Administrative IAM Role Created
- AWS Backup Plan Deleted
- AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User
- AWS Bedrock Detected Multiple Validation Exception Errors by a Single User
- AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request
- AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session
- AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session
- AWS Bedrock Model Invocation Abnormal Token Usage
- AWS Bedrock Model Invocation GuardRail Intervened
- AWS Bucket Deleted
- AWS CDE EC2 Volume Encryption
- AWS CloudFormation Stack Drift
- AWS CloudFormation Stack IAM Service Role
- AWS CloudFormation Stack Termination Protection
- AWS CloudFront Insecure SSL Policy
- AWS CloudTrail 2-minute count
- AWS CloudTrail Account Discovery
- AWS CloudTrail Attempt To Leave Org
- AWS CloudTrail CloudWatch Logs
- AWS CloudTrail Least Privilege Access
- AWS CloudTrail Log Encryption
- AWS CloudTrail Log Validation
- AWS CloudTrail Logging Tampered
- AWS CloudTrail Management Events Enabled
- AWS CloudTrail Password Policy Discovery
- AWS CloudTrail Password Spraying
- AWS Cloudtrail Region Enabled
- AWS CloudTrail Retention Lifecycle Too Short
- AWS CloudTrail S3 Bucket Access Logging
- AWS CloudTrail S3 Bucket Public
- AWS CloudTrail SES Check Identity Verifications
- AWS CloudTrail SES Check Send Quota
- AWS CloudTrail SES Check SES Sending Enabled
- AWS CloudTrail SES Enumeration
- AWS CloudTrail SES List Identities
- AWS CloudWatch Log Encryption
- AWS CloudWatch Logs Data Retention
- AWS Concurrent Sessions From Different Ips
- AWS Config Global Resources
- AWS Config Recording Status
- AWS Config Records All Resource Types
- AWS Config Service Created
- AWS Config Service Disabled
- AWS Config Service Modified
- AWS Config Status
- AWS Console Login
- AWS Console Login Failed During MFA Challenge
- AWS Console Login Without MFA
- AWS Console Sign-In NOT PRECEDED BY Okta Redirect
- AWS ConsoleLogin Failed Authentication
- AWS CreateAccessKey
- AWS CreateLoginProfile
- AWS Credential Access Failed Login
- AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure
- AWS Decrypt SSM Parameters
- AWS Defense Evasion PutBucketLifecycle
- AWS Delete CloudWatch Log Group
- AWS Delete VPC Flow Logs
- AWS Detect Users creating keys with encrypt policy without MFA
- AWS Detect Users with KMS keys performing encryption S3
- AWS Disable Bucket Versioning
- AWS DNS Crypto Domain
- AWS DNS Logs Deleted
- AWS DynamoDB Table Autoscaling
- AWS DynamoDB Table Autoscaling Configuration
- AWS DynamoDB Table TTL
- AWS EC2 AMI Approved Host
- AWS EC2 AMI Approved Instance Type
- AWS EC2 AMI Approved Tenancy
- AWS EC2 AMI Or Snapshot Shared Publicly
- AWS EC2 Discovery Commands Executed
- AWS EC2 Discovery Commands Executed
- AWS EC2 Download Instance User Data
- AWS EC2 EBS Snapshot Access Removed
- AWS EC2 EBS Snapshot Shared or Made Public
- AWS EC2 Get Windows Admin Password
- AWS EC2 High Number Of API Calls
- AWS EC2 Instance Approved AMI
- AWS EC2 Instance Approved Host
- AWS EC2 Instance Approved Instance Type
- AWS EC2 Instance Approved Tenancy
- AWS EC2 Instance Approved VPC
- AWS EC2 Instance Detailed Monitoring
- AWS EC2 Instance EBS Optimization
- AWS EC2 Manual Security Group Change
- AWS EC2 Multi Instance Connect
- AWS EC2 Snapshot Shared Externally
- AWS EC2 Startup Script Change
- AWS EC2 User Data Modified
- AWS EC2 Volume Encryption
- AWS EC2 Volume Snapshot Encryption
- AWS EC2 Vulnerable XZ Image Launched
- AWS ELB SSL Policies
- AWS Enable Or Disable Region
- AWS Enforces SSL Policies
- AWS Excessive Security Scanning
- AWS Excessive Successful Discovery Events
- AWS Exfiltration via Anomalous GetObject API Activity
- AWS Exfiltration via Batch Service
- AWS Exfiltration via EC2 Snapshot
- AWS GuardDuty Black Hole Traffic Detected
- AWS GuardDuty Bruteforce Activity Detected
- AWS GuardDuty Command And Control Activity Detected
- AWS GuardDuty Critical Severity Finding
- AWS GuardDuty Cryptocurrency Activity Detected
- AWS GuardDuty Denial Of Service Activity Detected
- AWS GuardDuty DGA Domain Activity Detected
- AWS GuardDuty Disabled
- AWS GuardDuty Enabled
- AWS GuardDuty High Severity Finding
- AWS GuardDuty Low Severity Finding
- AWS GuardDuty Malicious Or Suspicious File Executed
- AWS GuardDuty Master Account
- AWS GuardDuty Medium Severity Finding
- AWS GuardDuty Penetration Testing Activity Detected
- AWS GuardDuty Publishing Destination Deleted
- AWS GuardDuty Tor Network Activity Detected
- AWS GuardDuty Trusted Or Threat IP Lists Tampered
- AWS High Number Of Failed Authentications For User
- AWS High Number Of Failed Authentications From Ip
- AWS High Number Of Unknown User Authentication Attempts
- AWS IAM Access Analyzer Deleted
- AWS IAM Access Denied Discovery Events
- AWS IAM Access Key Compromise Detection
- AWS IAM AccessDenied Discovery Events
- AWS IAM Activity By S3 Browser Utility
- AWS IAM Activity From EC2 Instance
- AWS IAM Administrator Access Policy Attached
- AWS IAM Assume Role Policy Brute Force
- AWS IAM Compromised Key Quarantine Policy Attached
- AWS IAM CompromisedKeyQuarantine Policy Attached to User
- AWS IAM Delete Policy
- AWS IAM Group Users
- AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts
- AWS IAM Long-Term Access Key First Seen from Source IP
- AWS IAM Password Unused
- AWS IAM Policy Administrative Privileges
- AWS IAM Policy Assigned to User
- AWS IAM Policy Blocklist
- AWS IAM Policy Does Not Grant Any Administrative Access
- AWS IAM Policy Does Not Grant Network Admin Access
- AWS IAM Policy Role Mapping
- AWS IAM Resource Does Not Have Inline Policy
- AWS IAM Role Grants (permission) to Non-organizational Account
- AWS IAM Role Restricts Usage
- AWS IAM Role Trust Relationship for GitHub Actions
- AWS IAM User MFA
- AWS IAM User Not In Conflicting Groups
- AWS IMDS Credential Usage Outside Expected Services
- AWS KMS CMK Key Rotation
- AWS KMS Key Disabled Or Scheduled For Deletion
- AWS KMS Key Restricts Usage
- AWS Lambda Public Access
- AWS Lambda Update Function Code
- AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity
- AWS Lateral Movement Using IAM Session Token
- AWS Macie Disabled/Updated
- AWS Multi-Factor Authentication Disabled
- AWS MultiFactor Authentication Disabled
- AWS Multiple Failed MFA Requests For User
- AWS Multiple Users Failing To Authenticate From Ip
- AWS Network Access Control List Created with All Open Ports
- AWS Network Access Control List Deleted
- AWS Network ACL Overly Permissive Entry Created
- AWS Network ACL Restricts Inbound Traffic
- AWS Network ACL Restricts Insecure Protocols
- AWS Network ACL Restricts Outbound Traffic
- AWS Network ACL Restricts SSH
- AWS New MFA Method Registered For User
- AWS New MFA Method Registered For User
- AWS Password Policy Change
- AWS Password Policy Changes
- AWS Password Policy Complexity Guidelines
- AWS Password Policy Password Age Limit
- AWS Password Policy Password Reuse
- AWS Potentially Stolen Service Role
- AWS Potentially Stolen Service Role
- AWS Privilege Escalation Using IAM Access Key
- AWS Privilege Escalation Using IAM Login Profile
- AWS Privilege Escalation Via User Compromise
- AWS Rare Source AS Organization Activity
- AWS RDS Instance Backup
- AWS RDS Instance Encryption
- AWS RDS Instance Has Acceptable Backup Retention Period
- AWS RDS Instance High Availability
- AWS RDS Instance Minor Version Upgrades
- AWS RDS Instance Public Access
- AWS RDS Instance Snapshot Public Access
- AWS RDS Snapshot Shared Publicly
- AWS Redshift Cluster Encryption
- AWS Redshift Cluster Has Acceptable Snapshot Retention Period
- AWS Redshift Cluster Logging
- AWS Redshift Cluster Maintenance Window
- AWS Redshift Cluster Snapshot Retention
- AWS Redshift Cluster Version Upgrade
- AWS Resource Made Public
- AWS Resource Minimum Tags
- AWS Resource Required Tags
- AWS Root Account Access Keys
- AWS Root Account Hardware MFA
- AWS Root Account MFA
- AWS Root Credentials
- AWS S3 Access Error
- AWS S3 Access IP Allowlist
- AWS S3 Bucket Action Restrictions
- AWS S3 Bucket Encryption
- AWS S3 Bucket Expiration Lifecycle Configuration Added
- AWS S3 Bucket Lifecycle Configuration
- AWS S3 Bucket Logging
- AWS S3 Bucket Made Public By ACL
- AWS S3 Bucket MFA Delete
- AWS S3 Bucket Name DNS Compliance
- AWS S3 Bucket Object Lock Configured
- AWS S3 Bucket Policy Allow With Not Principal
- AWS S3 Bucket Policy Modified
- AWS S3 Bucket Principal Restrictions
- AWS S3 Bucket Public Access Block
- AWS S3 Bucket Public Read
- AWS S3 Bucket Public Write
- AWS S3 Bucket Replicated to Another Account
- AWS S3 Bucket Secure Access
- AWS S3 Bucket Versioning
- AWS S3 Exfiltration Behavior Identified
- AWS S3 Insecure Access
- AWS S3 Large Download
- AWS S3 Object Copied to External Account Bucket
- AWS S3 Object Exfiltration FOLLOWED BY Object Deletion
- AWS S3 Public Access Block Removed
- AWS S3 Ransomware Note Upload Detection
- AWS S3 Security Controls Disabled
- AWS S3 Unauthenticated Access
- AWS S3 Unknown Requester
- AWS SAML Identity Provider Changes
- AWS SAML Update identity provider
- AWS Secrets Manager Batch Retrieve Secrets
- AWS Secrets Manager Batch Retrieve Secrets Catch-All
- AWS Secrets Manager Retrieve Secrets Multi-Region
- AWS Security Group - Only DMZ Publicly Accessible
- AWS Security Group Administrative Ingress
- AWS Security Group Open To The World
- AWS Security Group Restricts Access To CDE
- AWS Security Group Restricts Inbound Traffic
- AWS Security Group Restricts Inter-SG Traffic
- AWS Security Group Restricts Outbound Traffic
- AWS Security Group Restricts Traffic Leaving CDE
- AWS Security Group Tightly Restricts Inbound Traffic
- AWS Security Group Tightly Restricts Outbound Traffic
- AWS Security Hub - Detect CloudTrail trails lacking KMS encryption
- AWS Security Hub - Detect EC2 Security groups allowing unrestricted high-risk ports
- AWS Security Hub - Detect IAM Policies allowing full administrative privileges
- AWS Security Hub - Detect IAM root user Access Key existence
- AWS Security Hub - Detect root user lacking MFA
- AWS Security Hub - Detect SQS Queue lacking encryption at rest
- AWS Security Hub - Detect SQS Queue policy allowing public access
- AWS Security Hub - Detect SSM documents public sharing enabled
- AWS SES Service Modification
- AWS Snapshot Made Public
- AWS Software Discovery
- AWS SSM Distributed Command
- AWS SSM Multiple Sessions
- AWS SSM Multiple Sessions
- AWS SSO Access Token Retrieved by Unauthenticated IP
- AWS STS AssumeRole Misuse
- AWS Successful API From Tor Exit Node
- AWS Successful Console Authentication From Multiple IPs
- AWS Successful Console Authentication From Multiple IPs
- AWS Successful Console Login Without MFA
- AWS Successful Login After Multiple Failed Attempts
- AWS Successful Single-Factor Authentication
- AWS Suspicious User Agent Fingerprint
- AWS Unsuccessful MFA attempt
- AWS Unused Access Key
- AWS Unusual Number Of Failed Authentication Attempts From The Same IP
- AWS Unusual Number of Failed Authentications From Ip
- AWS UpdateLoginProfile
- AWS User Creates Permanent Access Key
- AWS User Takeover Via Password Reset
- AWS VPC Default Network ACL Restricts All Traffic
- AWS VPC Default Security Group Restrictions
- AWS VPC Flow Logs
- AWS VPC Flow Logs Deleted
- AWS VPC Flow Logs Removed
- AWS VPC Healthy Log Status
- AWS WAF Disassociation
- AWS WAF Has XSS Predicate
- AWS WAF Logging Configured
- AWS WAF Managed Admin Protection Passthrough Rule
- AWS WAF Managed Anti-DDoS Passthrough Rule
- AWS WAF Managed Bot Control Passthrough Rule
- AWS WAF Managed Core Rule Set Passthrough Rule
- AWS WAF Managed IP Reputation Passthrough Rule
- AWS WAF Managed Known Bad Inputs Passthrough Rule
- AWS WAF Managed SQL Database Passthrough Rule
- AWS WAF ReactJS RCE Attempt via Body
- AWS WAF Rule Ordering
- AWS WAF WebACL Has Associated Resources
- AWS.Administrative.IAM.User.Created
- AWS.CloudTrail.UserAccessKeyAuth
- AWSCloudTrail - Amazon ECR image scanning disabled
- AWSCloudTrail - AWS GuardDuty detector disabled or suspended
- AWSCloudTrail - Changes made to AWS CloudTrail logs
- AWSCloudTrail - Changes to Amazon VPC settings
- AWSCloudTrail - Changes to AWS Elastic Load Balancer security groups
- AWSCloudTrail - Changes to AWS Security Group ingress and egress settings
- AWSCloudTrail - Changes to internet facing AWS RDS Database instances
- AWSCloudTrail - CloudFormation policy created then used for privilege escalation
- AWSCloudTrail - Config Service Resource Deletion Attempts
- AWSCloudTrail - Created CRUD S3 policy and then privilege escalation
- AWSCloudTrail - Creating keys with encrypt policy without MFA
- AWSCloudTrail - Creation of Access Key for IAM User
- AWSCloudTrail - Creation of CRUD DynamoDB policy and then privilege escalation
- AWSCloudTrail - Creation of CRUD KMS policy and then privilege escalation
- AWSCloudTrail - Creation of CRUD Lambda policy and then privilege escalation
- AWSCloudTrail - Creation of DataPipeline policy and then privilege escalation
- AWSCloudTrail - Creation of EC2 policy and then privilege escalation
- AWSCloudTrail - Creation of Glue policy and then privilege escalation
- AWSCloudTrail - Creation of Lambda policy and then privilege escalation
- AWSCloudTrail - Creation of new CRUD IAM policy and then privilege escalation
- AWSCloudTrail - Creation of SSM policy and then privilege escalation
- AWSCloudTrail - EC2 Startup Shell Script Changed
- AWSCloudTrail - ECR image scan findings high or critical
- AWSCloudTrail - Full Admin policy created and then attached to Roles, Users or Groups
- AWSCloudTrail - Login to AWS Management Console without MFA
- AWSCloudTrail - Monitor AWS Credential abuse or hijacking
- AWSCloudTrail - Network ACL with all the open ports to a specified CIDR
- AWSCloudTrail - NRT Login to AWS Management Console without MFA
- AWSCloudTrail - Policy version set to default
- AWSCloudTrail - Privilege escalation via CloudFormation policy
- AWSCloudTrail - Privilege escalation via CRUD DynamoDB policy
- AWSCloudTrail - Privilege escalation via CRUD IAM policy
- AWSCloudTrail - Privilege escalation via CRUD KMS policy
- AWSCloudTrail - Privilege escalation via CRUD Lambda policy
- AWSCloudTrail - Privilege escalation via CRUD S3 policy
- AWSCloudTrail - Privilege escalation via DataPipeline policy
- AWSCloudTrail - Privilege escalation via EC2 policy
- AWSCloudTrail - Privilege escalation via Glue policy
- AWSCloudTrail - Privilege escalation via Lambda policy
- AWSCloudTrail - Privilege escalation via SSM policy
- AWSCloudTrail - Privilege escalation with admin managed policy
- AWSCloudTrail - Privilege escalation with AdministratorAccess managed policy
- AWSCloudTrail - Privilege escalation with FullAccess managed policy
- AWSCloudTrail - RDS instance publicly exposed
- AWSCloudTrail - S3 bucket access point publicly exposed
- AWSCloudTrail - S3 bucket exposed via ACL
- AWSCloudTrail - S3 bucket exposed via policy
- AWSCloudTrail - S3 bucket suspicious ransomware activity
- AWSCloudTrail - S3 Object Exfiltration from Anonymous User
- AWSCloudTrail - S3 object publicly exposed
- AWSCloudTrail - SAML update identity provider
- AWSCloudTrail - SSM document is publicly exposed
- AWSCloudTrail - Successful API executed from a Tor exit node
- AWSCloudTrail - Successful brute force attack on S3 Bucket
- AWSCloudTrail - Suspicious AWS CLI Command Execution
- AWSCloudTrail - Suspicious AWS EC2 Compute Resource Deployments
- AWSCloudTrail - Suspicious command sent to EC2
- AWSCloudTrail - Suspicious overly permissive KMS key policy created
- AWSCloudTrail - Tampering to AWS CloudTrail logs
- AWSCloudTrail - Unauthorized EC2 Instance Setup Attempt
- AWSCloudTrail - User IAM Enumeration
- AWSGuardDuty - GuardDuty Alert
- Brute Force By IP
- Brute Force By User
- Circle CI Disable Security Job
- Circle CI Disable Security Step
- Cloud API Calls From Previously Unseen User Roles
- Cloud Compute Instance Created By Previously Unseen User
- Cloud Compute Instance Created In Previously Unused Region
- Cloud Compute Instance Created With Previously Unseen Image
- Cloud Compute Instance Created With Previously Unseen Instance Type
- Cloud Instance Modified By Previously Unseen User
- Cloud Provisioning Activity From Previously Unseen City
- Cloud Provisioning Activity From Previously Unseen Country
- Cloud Provisioning Activity From Previously Unseen IP Address
- Cloud Provisioning Activity From Previously Unseen Region
- Cloud Security Groups Modifications by User
- CloudTrail EC2 StopInstances
- CloudTrail Event Selectors Disabled
- CloudTrail Stopped
- CodeBuild Project made Public
- Cross-Cloud Password Spray detection
- Databricks Access to Multiple Workspaces
- Databricks Access Token Revoked
- Databricks Account Admin Privileged Role Assignment
- Databricks Account-Level Configuration Changes
- Databricks Attempted Logon From Denied IP
- Databricks Data Downloads From Control Plane
- Databricks Data Movement with Explicit Credentials
- Databricks Delta Sharing IP Access Failures
- Databricks Delta Sharing Recipient Without IP ACLs
- Databricks Destructive Activities
- Databricks Employee Logon
- Databricks Global Init Script Changes
- Databricks Group Created
- Databricks Group Deleted
- Databricks High Priority Configuration Changes
- Databricks Install Library on All Clusters
- Databricks Long-Lifetime Token Generated
- Databricks Metastore Admin Privilege Granted
- Databricks MFA Key Change
- Databricks Mount Point Creation
- Databricks Non-SSO Login Detected
- Databricks Potential Privilege Escalation
- Databricks Principal Removed From Group
- Databricks Repeated Access to Secrets
- Databricks Repeated Failed Login Attempts
- Databricks Repeated Unauthorized UC Data Requests
- Databricks Repeated Unauthorized Unity Catalog Requests
- Databricks SSO Configuration Changed
- Databricks Terms of Service Changes
- Databricks TruffleHog Scan Detected
- Databricks User Account Created
- Databricks User Account Deleted
- Databricks User Password Changed
- Databricks User Role Modified
- Databricks Verbose Audit Logging Disabled
- Databricks Workspace Admin Privileged Role Assignment
- Databricks Workspace-Level Configuration Changes
- Decoy DynamoDB Accessed
- Decoy IAM Assumed
- Decoy S3 Accessed
- Decoy Secret Accessed
- Decoy Systems Manager Parameter Accessed
- Detect AWS Console Login by New User
- Detect AWS Console Login by User from New City
- Detect AWS Console Login by User from New Country
- Detect AWS Console Login by User from New Region
- Detect GCP Storage access from a new IP
- Detect New Open GCP Storage Buckets
- Detect port misuse by anomaly based detection (ASIM Network Session schema)
- Detect port misuse by static threshold (ASIM Network Session schema)
- Detect Reconnaissance from IAM Users
- Detect S3 access from a new IP
- Detect Spike in AWS Security Hub Alerts for EC2 Instance
- Detect Spike in AWS Security Hub Alerts for User
- Detect Spike in blocked Outbound Traffic from your AWS
- Detect Spike in S3 Bucket deletion
- Detect Web Access to Decommissioned S3 Bucket
- DNS Base64 Encoded Query
- EC2 Network ACL Modified
- EC2 Network Gateway Modified
- EC2 Route Table Modified
- EC2 Secrets Manager Retrieve Secrets
- EC2 Security Group Modified
- EC2 VPC Modified
- EKS Anonymous API Access Detected
- EKS Audit Log based single sourceIP is generating multiple 403s
- EKS Audit Log Reporting system Namespace is Used From A Public IP
- External Principal Accessing AWS Resources Via VPC Endpoint
- Failed Root Console Login
- GCP Detect gcploit framework
- GCP Kubernetes cluster pod scan detection
- Gdrive suspicious file sharing
- Get Caller Identity
- Get Credentials For Identity
- Get Federation Token
- Get Signin Token
- GreyNoise TI map IP entity to Network Session Events (ASIM Network Session schema)
- GreyNoise V3 Malicious IP Activity
- Gsuite Drive Share In External Email
- GSuite Email Suspicious Attachment
- Gsuite Email Suspicious Subject With Attachment
- Gsuite Email With Known Abuse Web Service Link
- Gsuite Outbound Email With Attachment To External Domain
- Gsuite suspicious calendar invite
- Gsuite Suspicious Shared File Name
- IAM Administrator Role Policy Attached
- IAM Assume Role Blocklist Ignored
- IAM Change
- IAM Entity Created Without CloudFormation
- IAM Inline Policy Network Admin
- IAM Policy Modified
- IAM Role Created
- IAM Role Policy Updated to Allow Internet Access
- IAM User Created
- IAM User Policy Attached with Administrator Access
- Impossible Travel for Login Action
- Internal Horizontal Port Scan
- Internal Horizontal Port Scan NMAP Top 20
- Internal Vertical Port Scan
- KMS CMK Disabled or Deleted
- Kubernetes Admission Controller Webhook Created
- Kubernetes All Secrets Dumped Across Namespaces
- Kubernetes Anomalous Inbound Network Activity from Process
- Kubernetes Anomalous Inbound Outbound Network IO
- Kubernetes Anomalous Inbound to Outbound Network IO Ratio
- Kubernetes Anomalous Outbound Network Activity from Process
- Kubernetes Anomalous Traffic on Network Edge
- Kubernetes Anonymous API Access Detected
- Kubernetes API Activity from Tor Exit Node
- Kubernetes API Multiple 403 Responses from Single Public IP
- Kubernetes Client Certificate Credential Created
- Kubernetes ClusterRoleBinding to Privileged Role
- Kubernetes CronJob Created or Modified
- Kubernetes DaemonSet Created
- Kubernetes Data Copy via kubectl cp
- Kubernetes Exec Into Pod
- Kubernetes Ingress Created Without TLS
- Kubernetes Long-Lived Service Account Token Created
- Kubernetes newly seen TCP edge
- Kubernetes newly seen UDP edge
- Kubernetes Nginx Ingress LFI
- Kubernetes Nginx Ingress RFI
- Kubernetes NodePort Service Deployed
- Kubernetes Pod Attached To Host Network
- Kubernetes Pod Created in System Namespace
- Kubernetes Pod Using Host IPC Namespace
- Kubernetes Pod Using Host PID Namespace
- Kubernetes Pod with Dangerous Linux Capabilities
- Kubernetes Pod With HostPath Volume Mount
- Kubernetes Previously Unseen Container Image Name
- Kubernetes Previously Unseen Process
- Kubernetes Privileged Pod Created
- Kubernetes Process Running From New Path
- Kubernetes Process with Anomalous Resource Utilisation
- Kubernetes Process with Resource Ratio Anomalies
- Kubernetes Role With Node Proxy Permissions Created
- Kubernetes Role With Pod Exec Permissions Created
- Kubernetes Role With Wildcard Permissions Created
- Kubernetes Role With Write Permissions Created
- Kubernetes Scanner Image Pulling
- Kubernetes Secret Access Denied
- Kubernetes Secret Enumeration by a User
- Kubernetes Service Account Token Theft from Pod
- Kubernetes Shell Running on Worker Node
- Kubernetes Shell Running on Worker Node with CPU Activity
- Kubernetes System Principal Accessed from Non-Cloud Public IP
- Kubernetes System Role Modified or Deleted
- Logins Without MFA
- Logins Without SAML
- Many AccessDenied Errors from Single Source
- Monitor Unauthorized API Calls
- Multiple Cloud Secrets Accessed by Source Address
- New AWS Account Created
- New IAM Credentials Updated
- New User Account Created
- New UserAgent observed in last 24 hours
- O365 Added Service Principal
- O365 ApplicationImpersonation Role Assigned
- O365 BEC Email Hiding Rule Created
- O365 Compliance Content Search Exported
- O365 Compliance Content Search Started
- O365 Excessive Authentication Failures Alert
- O365 Mailbox Email Forwarding Enabled
- O365 New Email Forwarding Rule Created
- O365 New Email Forwarding Rule Enabled
- O365 New Federated Domain Added
- O365 New Forwarding Mailflow Rule Created
- O365 PST export alert
- O365 Security And Compliance Alert Triggered
- O365 Service Principal New Client Credentials
- O365 User Consent Denied for OAuth Application
- OTX Threat Intelligence Indicator Match
- Potential Abuse of Resources by High Token Count and Large Response Sizes
- PUA - AWS TruffleHog Execution
- Query.CloudTrail.Password.Spraying
- Query.VPC.DNS.Tunneling
- Rare AWS Error Code
- Risk Rule for Dev Sec Ops by Repository
- Root Account Access Key Created
- Root Account Activity
- Root Console Login
- Root Password Changed
- S3 Access Via VPC Endpoint From External IP
- S3 Bucket Deleted
- S3 Bucket Policy Confused Deputy Protection for Service Principals
- S3 Object Encrypted with External KMS Key
- Sensitive AWS CloudWatch Log Encryption
- Sign In from Rogue State
- SIGNAL - Role Assumed by AWS Service
- SIGNAL - Role Assumed by User
- Signal - VPC Flow Logs Allowed SSH
- Spike in AWS Error Messages
- StopInstance FOLLOWED BY ModifyInstanceAttributes
- Successful AWS Console Login from IP Address Observed Conducting Password Spray
- Suspicious access of BEC related documents in AWS S3 buckets
- TI map IP entity to AWSCloudTrail
- TI map IP entity to AWSCloudTrail
- TI map IP entity to Network Session Events (ASIM Network Session schema)
- TI map IP entity to Network Session Events (ASIM Network Session schema)
- Unused AWS Region
- Unusual AWS Command for a User
- Unusual City For an AWS Command
- Unusual Country For an AWS Command
- Unusual High Confidence Content Filter Blocks Detected
- Unusual High Denied Sensitive Information Policy Blocks Detected
- Unusual High Denied Topic Blocks Detected
- Unusual High Word Policy Blocks Detected
- User impersonation by Identity Protection alerts
- VPC Endpoint Access Denied
- VPC Flow Logs Inbound Port Allowlist
- VPC Flow Logs Inbound Port Blocklist
- VPC Flow Logs Unapproved Outbound DNS Traffic
- VPC Flow Port Scanning
- VPC Flow Port Scanning
- Wiz Alert Passthrough Rule
- Wiz CICD Scan Policy Updated Or Deleted
- Wiz Connector Updated Or Deleted
- Wiz Data Classifier Updated Or Deleted
- Wiz Defend Alert Passthrough Rule
- Wiz Image Integrity Validator Updated Or Deleted
- Wiz Integration Updated Or Deleted
- Wiz Issue Alert Passthrough Rule
- Wiz Issue Followed By SSH to EC2 Instance
- Wiz Revoke User Sessions
- Wiz Rotate Service Account Secret
- Wiz Rule Change
- Wiz SAML Identity Provider Change
- Wiz Service Account Change
- Wiz Update IP Restrictions
- Wiz Update Login Settings
- Wiz Update Scanner Settings
- Wiz Update Support Contact List
- Wiz User Created Or Deleted
- Wiz User Role Updated Or Deleted