Detection rules › Panther
AWS Software Discovery
A user is obtaining a list of security software, configurations, defensive tools, and sensors that are in AWS.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Discovery | T1518 Software Discovery |
Rule body yaml
AnalysisType: rule
Description: A user is obtaining a list of security software, configurations, defensive tools, and sensors that are in AWS.
DisplayName: "AWS Software Discovery"
Enabled: false
Filename: aws_software_discovery.py
Reference: https://attack.mitre.org/techniques/T1518/001/
Tags:
- Configuration Required
Reports:
MITRE ATT&CK:
- TA0007:T1518
Severity: Info
CreateAlert: false
Tests:
- ExpectedResult: true
Log:
awsRegion: us-west-2
eventID: 6faccad9-b6ae-4549-8e39-03430cbce2aa
eventName: DescribeSecurityGroups
eventSource: ec2.amazonaws.com
eventTime: "2021-10-19 01:06:59"
eventType: AwsApiCall
eventVersion: "1.08"
managementEvent: true
p_any_aws_account_ids:
- "123456789012"
p_any_aws_arns:
- arn:aws:iam::123456789012:role/ExampleRole-us-east-2
- arn:aws:sts::123456789012:assumed-role/ExampleRole-us-east-2/153151351351351
p_any_ip_addresses:
- 12.34.56.78
p_event_time: "2021-10-19 01:06:59"
p_log_type: AWS.CloudTrail
p_parse_time: "2021-10-19 01:11:10.412"
p_row_id: eabaceda7842c2b2e7a398f40cc150
p_source_id: 5f9f0f60-9c56-4027-b93a-8bab3019f0f1
p_source_label: Hosted - Cloudtrail - XYZ
readOnly: true
recipientAccountId: "123456789012"
requestID: 43efad11-bb40-43df-ad25-c8e7f0bfdc7a
requestParameters:
filterSet: {}
securityGroupIdSet:
items:
- groupId: sg-01e29ae063f5f63a0
securityGroupSet: {}
sourceIPAddress: 12.34.56.78
userAgent: aws-sdk-go/1.40.21 (go1.17; linux; amd64) exec-env/AWS_Lambda_go1.x
userIdentity:
accessKeyId: ASIA153151351351351
accountId: "123456789012"
arn: arn:aws:sts::123456789012:assumed-role/ExampleRole-us-east-2/153151351351351
principalId: AROA4NOI7P47OHH3NQORX:153151351351351
sessionContext:
attributes:
creationDate: "2021-10-19T01:05:18Z"
mfaAuthenticated: "false"
sessionIssuer:
accountId: "123456789012"
arn: arn:aws:iam::123456789012:role/ExampleRole-us-east-2
principalId: AROA153151351351351
type: Role
userName: ExampleRole-us-east-2
webIdFederationData: {}
type: AssumedRole
Name: Discovery Event Names
- ExpectedResult: false
Log:
apiVersion: "2012-08-10"
awsRegion: us-east-1
eventCategory: Data
eventID: 9b666120-d5f9-4ca8-b158-3cd53e4c48bd
eventName: GetRecords
eventSource: dynamodb.amazonaws.com
eventTime: "2023-01-09 16:01:21"
eventType: AwsApiCall
eventVersion: "1.08"
managementEvent: false
Name: Non Discovery Event Names
DedupPeriodMinutes: 360 # 6 hours
LogTypes:
- AWS.CloudTrail
RuleID: "AWS.Software.Discovery"
Threshold: 50
Detection logic
Condition
eventName in ["ListDocuments", "ListMembers", "DescribeProducts", "DescribeStandards", "DescribeStandardsControls", "DescribeInstanceInformation", "DescribeSecurityGroups", "DescribeSecurityGroupRules", "DescribeSecurityGroupReferences", "DescribeSubnets", "DescribeHub", "ListFirewalls", "ListRuleGroups", "ListFirewallPolicies", "DescribeFirewall", "DescribeFirewallPolicy", "DescribeLoggingConfiguration", "DescribeResourcePolicy", "DescribeRuleGroup"]
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
eventName | in |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field |
|---|
eventName |
eventSource |
awsRegion |
recipientAccountId |
sourceIPAddress |
userAgent |
userIdentity |
actor_user |