Detection rules › Panther
CodeBuild Project made Public
An AWS CodeBuild Project was made publicly accessible
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Exfiltration | T1567 Exfiltration Over Web Service |
Rule body yaml
AnalysisType: rule
Filename: aws_codebuild_made_public.py
RuleID: "AWS.CloudTrail.CodebuildProjectMadePublic"
DisplayName: "CodeBuild Project made Public"
Enabled: true
LogTypes:
- AWS.CloudTrail
Reports:
MITRE ATT&CK:
- TA0010:T1567
Tags:
- AWS
- Security Control
- Exfiltration:Exfiltration Over Web Service
Severity: High
Description: >
An AWS CodeBuild Project was made publicly accessible
Runbook: TBD
Reference: https://docs.aws.amazon.com/codebuild/latest/userguide/public-builds.html
SummaryAttributes:
- eventName
- userAgent
- sourceIpAddress
- recipientAccountId
- p_any_aws_arns
Tests:
- Name: CodeBuild Project Made Public
ExpectedResult: true
Log:
{
"eventVersion": "1.08",
"userIdentity":
{
"type": "AssumedRole",
"principalId": "111111111111",
"arn": "arn:aws:sts::111122223333:assumed-role/MakeStuffPublic",
"accountId": "111122223333",
"accessKeyId": "ASIAXXXXXXXXXXXX",
"sessionContext":
{
"sessionIssuer": {},
"webIdFederationData": {},
"attributes":
{
"creationDate": "2021-08-18T14:54:10Z",
"mfaAuthenticated": "false",
},
},
},
"eventTime": "2021-08-18T14:54:53Z",
"eventSource": "codebuild.amazonaws.com",
"eventName": "UpdateProjectVisibility",
"awsRegion": "us-east-1",
"sourceIPAddress": "1.1.1.1",
"userAgent": "aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.116-64.217.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/legacy",
"requestParameters":
{
"projectVisibility": "PUBLIC_READ",
"projectArn": "arn:aws:codebuild:us-east-1:111122223333:project/testproject1234",
"resourceAccessRole": "arn:aws:iam::111122223333:role/service-role/test",
},
"responseElements": null,
"requestID": "4397365f-c790-4c23-9fe6-97e13a16ea84",
"eventID": "982f8066-640d-40fb-b433-ba15e14fee40",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"eventCategory": "Management",
}
- Name: CodeBuild Project Made Private
ExpectedResult: false
Log:
{
"eventVersion": "1.08",
"userIdentity":
{
"type": "AssumedRole",
"principalId": "111111111111",
"arn": "arn:aws:sts::111122223333:assumed-role/MakeStuffPublic",
"accountId": "111122223333",
"accessKeyId": "ASIAXXXXXXXXXXXX",
"sessionContext":
{
"sessionIssuer": {},
"webIdFederationData": {},
"attributes":
{
"creationDate": "2021-08-18T14:54:10Z",
"mfaAuthenticated": "false",
},
},
},
"eventTime": "2021-08-18T14:54:53Z",
"eventSource": "codebuild.amazonaws.com",
"eventName": "UpdateProjectVisibility",
"awsRegion": "us-east-1",
"sourceIPAddress": "1.1.1.1",
"userAgent": "aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.116-64.217.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/legacy",
"requestParameters":
{
"projectVisibility": "PRIVATE",
"projectArn": "arn:aws:codebuild:us-east-1:111122223333:project/testproject1234",
"resourceAccessRole": "arn:aws:iam::111122223333:role/service-role/test",
},
"responseElements": null,
"requestID": "4397365f-c790-4c23-9fe6-97e13a16ea84",
"eventID": "982f8066-640d-40fb-b433-ba15e14fee40",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"eventCategory": "Management",
}
- Name: Not a UpdateProjectVisibility event
ExpectedResult: false
Log:
{
"eventVersion": "1.08",
"userIdentity":
{
"type": "AssumedRole",
"principalId": "111111111111",
"arn": "arn:aws:sts::111122223333:assumed-role/MakeStuffPublic",
"accountId": "111122223333",
"accessKeyId": "ASIAXXXXXXXXXXXX",
"sessionContext":
{
"sessionIssuer": {},
"webIdFederationData": {},
"attributes":
{
"creationDate": "2021-08-18T14:54:10Z",
"mfaAuthenticated": "false",
},
},
},
"eventTime": "2021-08-18T14:54:53Z",
"eventSource": "codebuild.amazonaws.com",
"eventName": "CreateProject",
"awsRegion": "us-east-1",
"sourceIPAddress": "1.1.1.1",
"userAgent": "aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.116-64.217.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/legacy",
"responseElements": null,
"requestID": "4397365f-c790-4c23-9fe6-97e13a16ea84",
"eventID": "982f8066-640d-40fb-b433-ba15e14fee40",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"eventCategory": "Management",
}
Detection logic
Condition
eventName eq "UpdateProjectVisibility"
requestParameters.projectVisibility eq "PUBLIC_READ"
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
eventName | eq |
|
requestParameters.projectVisibility | eq |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
eventName | |
eventSource | |
awsRegion | |
recipientAccountId | |
sourceIPAddress | |
userAgent | |
userIdentity | |
arn | userIdentity.arn |