AWS S3 Large Download

Tags: Beta, Data Exfiltration
Source: github.com/panther-labs/panther-analysis

Returns S3 GetObject events where a user has downloaded more than the configured threshold of data within the specified time window. Supports filtering by bucket patterns and user types.

Rules detecting the same action

Other rules on this platform that filter on the same API call or operation.

AWS S3 Credential File Retrieved from Bucket (Elastic)
AWS S3 Unauthenticated Bucket Access by Rare Source (Elastic)

Rule body yaml

AnalysisType: scheduled_query
QueryName: "AWS S3 Large Download"
Enabled: false
Description: >
  Returns S3 GetObject events where a user has downloaded more than the configured threshold 
  of data within the specified time window. Supports filtering by bucket patterns and user types.
Tags:
  - Beta
  - Data Exfiltration
Query: |-
  SELECT 
    userIdentity:arn as user_arn,
    COALESCE(userIdentity:userName, userIdentity:sessionContext:sessionIssuer:userName, 'unknown') as user_name,
    userIdentity:type as user_type,
    requestParameters:bucketName as bucket_name,
    sourceIPAddress as source_ip,
    userAgent as user_agent,
    SUM(COALESCE(additionalEventData:bytesTransferredOut::int, 0)) as total_bytes_downloaded,
    COUNT(*) as object_count,
    MIN(p_event_time) as first_download_time,
    MAX(p_event_time) as last_download_time,
    ARRAY_AGG(DISTINCT requestParameters:key) as sample_objects
  FROM panther_logs.public.aws_cloudtrail
  WHERE eventName = 'GetObject'
    AND eventSource = 's3.amazonaws.com'
    AND userIdentity:type IN ('IAMUser', 'AssumedRole', 'FederatedUser')
    AND errorCode IS NULL
    AND p_event_time >= DATEADD(minute, -10, CURRENT_TIMESTAMP())
    AND userIdentity:arn NOT LIKE '%panther-snowflake-api%'
    -- AND (requestParameters:bucketName LIKE '%sensitive%' OR requestParameters:bucketName LIKE '%prod%')
  GROUP BY 
    userIdentity:arn,
    COALESCE(userIdentity:userName, userIdentity:sessionContext:sessionIssuer:userName, 'unknown'),
    userIdentity:type,
    requestParameters:bucketName,
    sourceIPAddress,
    userAgent
  HAVING SUM(COALESCE(additionalEventData:bytesTransferredOut::int, 0)) >= 52428800  -- 50MB default
  ORDER BY total_bytes_downloaded DESC
Schedule:
  RateMinutes: 10
  TimeoutMinutes: 3

Detection logic

Stage 1: `source`

panther_logs.public.aws_cloudtrail

Stage 2: `filter`

eventName eq "GetObject"
eventSource eq "s3.amazonaws.com"
userIdentity:type in ["IAMUser", "AssumedRole", "FederatedUser"]
errorCode is_null
userIdentity:arn not wildcard "*panther-snowflake-api*"

This rule also runs imperative logic the parser cannot express as a filter; the conditions above are the structured part it could extract.

Stage 3: `having`

Threshold: ge 52428800

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Field	Kind	Excluded values
`userIdentity:arn`	match	`panther-snowflake-api`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`errorCode`	is_null	(no value, null check)
`eventName`	eq	`GetObject`
`eventSource`	eq	`s3.amazonaws.com`
`userIdentity:type`	in	`AssumedRole` `FederatedUser` `IAMUser`

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field	Source
`user_arn`	`userIdentity:arn`
`user_name`	`COALESCE ( userIdentity:userName , userIdentity:sessionContext:sessionIssuer:userName , 'unknown' )`
`user_type`	`userIdentity:type`
`bucket_name`	`requestParameters:bucketName`
`source_ip`	`sourceIPAddress`
`user_agent`	`userAgent`
`total_bytes_downloaded`	`SUM ( COALESCE ( additionalEventData:bytesTransferredOut : : int , 0 ) )`
`object_count`	`COUNT ( * )`
`first_download_time`	`MIN ( p_event_time )`
`last_download_time`	`MAX ( p_event_time )`
`sample_objects`	`ARRAY_AGG ( DISTINCT requestParameters:key )`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

AWS S3 Large Download

Rules detecting the same action

Rule body yaml

Detection logic

Stage 1: `source`

Stage 2: `filter`

Stage 3: `having`

Exclusions

Indicators

Output fields

Keyboard shortcuts

Search operators

AWS S3 Large Download

Rules detecting the same action

Rule body yaml

Detection logic

Stage 1: source

Stage 2: filter

Stage 3: having

Exclusions

Indicators

Output fields

Stage 1: `source`

Stage 2: `filter`

Stage 3: `having`