detection.wiki

Detection rules › Panther

New AWS Account Created

Severity
informational
Entities
aws_account_ids
Log types
AWS.CloudTrail
Tags
DataModel, Indicator Collection, Persistence:Create Account
Reference
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_incident-response.html#:~:text=AWS%20Organizations%20information%20in%20CloudTrail
Source
github.com/panther-labs/panther-analysis

A new AWS account was created

MITRE ATT&CK coverage

TacticTechniques
PersistenceT1136 Create Account

Rule body yaml

AnalysisType: rule
Filename: new_aws_account_logging.py
RuleID: "Standard.NewAWSAccountCreated"
DisplayName: "New AWS Account Created"
Enabled: true
LogTypes:
  - AWS.CloudTrail
Tags:
  - DataModel
  - Indicator Collection
  - Persistence:Create Account
Severity: Info
Reports:
  MITRE ATT&CK:
    - TA0003:T1136
Description: A new AWS account was created
Runbook: A new AWS account was created, ensure it was created through standard practice and is for a valid purpose.
Reference: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_incident-response.html#:~:text=AWS%20Organizations%20information%20in%20CloudTrail
SummaryAttributes:
  - p_any_aws_account_ids
Tests:
  - Name: AWS Account created
    ExpectedResult: true
    Mocks:
      - objectName: put_string_set
        returnValue: >-
    Log:
      {
        "awsRegion": "us-east-1",
        "eventID": "axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "eventName": "CreateAccountResult",
        "eventSource": "organizations.amazonaws.com",
        "eventTime": "2021-05-20 15:53:47Z",
        "eventType": "AwsServiceEvent",
        "eventVersion": "1.08",
        "managementEvent": true,
        "p_log_type": "AWS.CloudTrail",
        "p_any_aws_account_ids": ["111111111111", "222222222222"],
        "p_event_time": "2021-05-20 15:53:47Z",
        "readOnly": false,
        "recipientAccountId": "292442345278",
        "serviceEventDetails": "{\n  \"createAccountStatus\": {\n    \"accountId\": \"1111111111111111\",\n    \"accountName\": \"****\",\n    \"completedTimestamp\": \"May 20, 2021 3:53:47 PM\",\n    \"id\": \"car-aaaaaaaaaaaaaaaaaaaaaaaaaaa\",\n    \"requestedTimestamp\": \"May 20, 2021 3:53:44 PM\",\n    \"state\": \"SUCCEEDED\"\n  }\n}",
      }

  - Name: Non-Account-Creation Event
    ExpectedResult: false
    Mocks:
      - objectName: put_string_set
        returnValue: >-
    Log:
      {
        "awsRegion": "us-east-1",
        "eventName": "CreateAccount",
        "eventTime": "2020-11-05 21:21:46Z",
        "eventType": "AwsApiCall",
        "eventVersion": "1.05",
        "recipientAccountId": "111111111111111111111111111",
        "requestID": "2222222222222222222222222222",
        "requestParameters": "{\n  \"accountName\": \"****\",\n  \"email\": \"****\",\n  \"roleName\": \"SomeRole\"\n}",
        "responseElements": "{\n  \"createAccountStatus\": {\n    \"accountName\": \"****\",\n    \"id\": \"car-3333333333\",\n    \"requestedTimestamp\": \"Nov 5, 2020 9:21:45 PM\",\n    \"state\": \"IN_PROGRESS\"\n  }\n}",
        "sourceIPAddress": "72.177.120.134",
        "p_event_time": "2020-11-05 21:21:46Z",
        "p_log_type": "AWS.CloudTrail",
        "p_any_aws_account_ids": ["222222222222"],
      }

Detection logic

Condition

event_type eq "account_created"

This rule also runs imperative logic the parser cannot express as a filter; the conditions above are the structured part it could extract.

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
event_typeeq
  • account_created