033624b0-218e-4dcb-b93f-0f1fb1806c56.md

File metadata and controls

151 lines (144 loc) · 13.4 KB

Products: Amazon AWS - CloudTrail

Rules

| Rule ID | Rule Name |
|---|---|
| MATCH-S00307 | AWS - Excessive OAuth Application Permissions Scope |
| MATCH-S00306 | AWS - New UserPoolClient Created |
| MATCH-S00922 | AWS Bedrock Agent Created |
| MATCH-S00924 | AWS Bedrock Guardrail Deleted |
| MATCH-S00923 | AWS Bedrock Model Invocation Denied for User |
| MATCH-S00921 | AWS Bedrock Model Invocation Logging Configuration Change Observed |
| MATCH-S00715 | AWS Cloud Storage Deletion |
| AGGREGATION-S00002 | AWS CloudTrail - Aggressive Reconnaissance |
| LEGACY-S00207 | AWS CloudTrail - Customer Master Key Disabled or Scheduled for Deletion |
| MATCH-S00261 | AWS CloudTrail - Database Snapshot Created |
| MATCH-S00208 | AWS CloudTrail - EC2 Access Key Action Detected |
| MATCH-S00246 | AWS CloudTrail - GetSecretValue from non Amazon IP |
| MATCH-S00111 | AWS CloudTrail - IAM CreateUser Action Observed |
| LEGACY-S00206 | AWS CloudTrail - IAM Policy Applied |
| MATCH-S00101 | AWS CloudTrail - IAM Privileged Policy Applied to Group |
| MATCH-S00102 | AWS CloudTrail - IAM Privileged Policy Applied to Group (Username) |
| MATCH-S00104 | AWS CloudTrail - IAM Privileged Policy Applied to Role |
| MATCH-S00099 | AWS CloudTrail - IAM Privileged Policy Applied to User |
| THRESHOLD-S00051 | AWS CloudTrail - IAM User Generating AccessDenied Errors Across Multiple Actions |
| MATCH-S00113 | AWS CloudTrail - Logging Configuration Change Observed |
| MATCH-S00308 | AWS CloudTrail - OpsWorks Describe Permissions Event |
| MATCH-S00109 | AWS CloudTrail - Permissions Boundary Lifted |
| MATCH-S00105 | AWS CloudTrail - Public S3 Bucket Exposed |
| MATCH-S00213 | AWS CloudTrail - Reconnaissance related event |
| MATCH-S00096 | AWS CloudTrail - Root Console Successful Login Observed |
| MATCH-S00764 | AWS CloudTrail - S3 Bucket Public Access Block Disabled |
| MATCH-S00210 | AWS CloudTrail - SQS List Queues Event |
| MATCH-S00240 | AWS CloudTrail - ScheduleKeyDeletion in KMS |
| MATCH-S00247 | AWS CloudTrail - Secrets Manager sensitive admin action observed |
| MATCH-S00238 | AWS CloudTrail - sensitive activity in KMS |
| MATCH-S00540 | AWS CloudTrail Network Access Control List Deleted |
| MATCH-S00664 | AWS CloudWatch Alarm Actions Disabled |
| MATCH-S00663 | AWS CloudWatch Alarm Deletion |
| MATCH-S00662 | AWS CloudWatch Anomaly Detector Deletion |
| MATCH-S00665 | AWS CloudWatch Log Group Deletion |
| MATCH-S00661 | AWS CloudWatch Log Stream Deletion |
| MATCH-S00671 | AWS Config Recorder Deletion |
| MATCH-S00672 | AWS Config Recorder Stopped |
| MATCH-S00670 | AWS Config Service Tampering |
| OUTLIER-S00024 | AWS DynamoDB Outlier in GetItem Events from User |
| MATCH-S00654 | AWS ECS Cluster Deleted |
| MATCH-S00873 | AWS EKS Cluster Configuration Updated |
| MATCH-S00716 | AWS Image Creation |
| MATCH-S00717 | AWS Image Deletion |
| THRESHOLD-S00106 | AWS Image Discovery |
| MATCH-S00718 | AWS Image Modification |
| MATCH-S00719 | AWS Instance Creation |
| MATCH-S00720 | AWS Instance Deletion |
| THRESHOLD-S00107 | AWS Instance Discovery |
| MATCH-S00721 | AWS Instance Modification |
| MATCH-S00874 | AWS Lambda Function Recon |
| MATCH-S00679 | AWS Route 53 Domain Registered |
| THRESHOLD-S00093 | AWS Route 53 Reconnaissance |
| MATCH-S00677 | AWS Route 53 Service Tampering |
| MATCH-S00680 | AWS Route 53 TestDNSAnswer |
| MATCH-S00678 | AWS Route 53 Traffic Policy Creation |
| OUTLIER-S00025 | AWS S3 Outlier in PutObject Denied Events |
| MATCH-S00825 | AWS Secrets Manager Enumeration |
| MATCH-S00875 | AWS VPC Flow Log Deletion |
| MATCH-S00674 | AWS WAF Access Control List Updated |
| THRESHOLD-S00092 | AWS WAF Reconnaissance |
| MATCH-S00676 | AWS WAF Rule Group Updated |
| MATCH-S00675 | AWS WAF Rule Updated |
| MATCH-S00673 | AWS WAF Service Tampering |
| MATCH-S00660 | Anomalous AWS User Executed a Command on ECS Container |
| MATCH-S00685 | Authentication Without MFA |
| THRESHOLD-S00096 | Brute Force Attempt |
| MATCH-S00209 | CVE-2021-44228 Log4j2 Java Library 0-Day Attempt |
| LEGACY-S00189 | Crypto Miner HTTP User Agent |
| MATCH-S00592 | Crypto Miner User Agent |
| MATCH-S00827 | Exposed AWS SNS Topic Created |
| MATCH-S00823 | Exposed AWS SQS Queue Created |
| FIRST-S00002 | First Seen AWS API Call from User |
| FIRST-S00023 | First Seen AWS API Gateway Enumeration by User |
| FIRST-S00084 | First Seen AWS Bedrock API Call from User |
| FIRST-S00036 | First Seen AWS EKS API Call via CloudTrail from User |
| FIRST-S00024 | First Seen AWS SSM RunShellScript SendCommand From User |
| FIRST-S00003 | First Seen AWS Secrets Manager API Call from User |
| FIRST-S00007 | First Seen DynamoDB Enumeration from User |
| FIRST-S00086 | First Seen IP Address Performing Trufflehog AWS Credential Verification |
| FIRST-S00081 | First Seen Model ID in AWS Bedrock Put Entitlement by User |
| FIRST-S00085 | First Seen Role Creating AWS Bedrock Agent |
| FIRST-S00022 | First Seen S3 Bucket ACL Enumeration by User |
| FIRST-S00034 | First Seen Session Token Granted to User from New IP |
| FIRST-S00029 | First Seen Successful Authentication From Unexpected Country |
| FIRST-S00087 | First Seen User Creating or Modifying EC2 Launch Template |
| FIRST-S00082 | First Seen User Enumerating AWS Bedrock Models |
| LEGACY-S00048 | Houdini/Iniduoh/njRAT User-Agent |
| THRESHOLD-S00097 | Impossible Travel - Successful |
| THRESHOLD-S00098 | Impossible Travel - Unsuccessful |
| MATCH-S00445 | Known Ransomware File Extensions |
| MATCH-S00655 | New Container Uploaded to AWS ECR |
| OUTLIER-S00019 | Outlier in AWS Bedrock API Calls from User |
| OUTLIER-S00022 | Outlier in AWS Bedrock Foundation Model Enumeration Calls from User |
| MATCH-S00683 | Overly Permissive Chmod Command |
| THRESHOLD-S00095 | Password Attack |
| MATCH-S00876 | Potential AWS Security Credential Access via curl |
| MATCH-S00826 | SSH Keys Added to EC2 Instance |
| OUTLIER-S00005 | Spike in AWS API Call from User |
| OUTLIER-S00011 | Spike in AWS AccessDenied Events by assumedrole |
| OUTLIER-S00001 | Spike in Login Failures from a User |
| CHAIN-S00008 | Successful Brute Force |
| AGGREGATION-S00003 | Suspicious AWS Lambda Enumeration |
| LEGACY-S00182 | Suspicious HTTP User-Agent |
| MATCH-S00840 | Suspicious Lambda Function - IAM Policy Attached |
| MATCH-S00815 | Threat Intel - Successful Authentication from Threat IP |
| MATCH-S00925 | Trufflehog AWS Credential Verification Detected |
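Several of the MATCH rules above reduce to a filter on a handful of CloudTrail fields. The following is an added, illustrative re-implementation of four of them (Root Console Successful Login Observed, Authentication Without MFA, Logging Configuration Change Observed, and Customer Master Key Disabled or Scheduled for Deletion) run over constructed sample records; it is example code written for this page, not the product's rule definitions, and the exact field matching the vendor rules use may differ. The field names (`eventSource`, `eventName`, `userIdentity.type`, `responseElements.ConsoleLogin`, `additionalEventData.MFAUsed`) are the documented CloudTrail record fields; the event names grouped under "logging configuration change" are an assumed, non-exhaustive set.

```python
"""Illustrative CloudTrail detection checks (example code, not vendor rule logic)."""
from typing import Callable, Dict, List

# Constructed sample CloudTrail records, trimmed to the fields the checks read.
SAMPLE_EVENTS: List[Dict] = [
    {  # root console login, MFA used: fires the root-login rule only
        "eventID": "e1", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root"}, "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "203.0.113.10",
    },
    {  # IAM user login without MFA: fires the no-MFA rule
        "eventID": "e2", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "198.51.100.7",
    },
    {  # failed root login: neither login rule should fire (failures are a brute-force concern)
        "eventID": "e3", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root"}, "responseElements": {"ConsoleLogin": "Failure"},
        "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "203.0.113.10",
    },
    {  # trail stopped: defense evasion
        "eventID": "e4", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
        "userIdentity": {"type": "AssumedRole"}, "requestParameters": {"name": "org-trail"},
    },
    {  # KMS key scheduled for deletion
        "eventID": "e5", "eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "requestParameters": {"pendingWindowInDays": 7},
    },
    {  # benign read-only call: no rule fires
        "eventID": "e6", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
    },
]


def _console_login_succeeded(ev: Dict) -> bool:
    """True for a successful ConsoleLogin record (success/failure lives in responseElements)."""
    return (ev.get("eventSource") == "signin.amazonaws.com"
            and ev.get("eventName") == "ConsoleLogin"
            and (ev.get("responseElements") or {}).get("ConsoleLogin") == "Success")


def root_console_login(ev: Dict) -> bool:
    """Root Console Successful Login Observed: interactive root use should be rare and alerted on."""
    return _console_login_succeeded(ev) and (ev.get("userIdentity") or {}).get("type") == "Root"


def login_without_mfa(ev: Dict) -> bool:
    """Authentication Without MFA: CloudTrail records MFAUsed as "Yes"/"No" for console sign-ins."""
    return (_console_login_succeeded(ev)
            and (ev.get("additionalEventData") or {}).get("MFAUsed") == "No")


# Assumed set of trail-mutating API names; extend to match your environment.
LOGGING_CHANGE_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def logging_config_change(ev: Dict) -> bool:
    """Logging Configuration Change Observed: anything that stops or narrows the trail."""
    return (ev.get("eventSource") == "cloudtrail.amazonaws.com"
            and ev.get("eventName") in LOGGING_CHANGE_EVENTS)


def kms_key_disabled_or_deleted(ev: Dict) -> bool:
    """Customer Master Key Disabled or Scheduled for Deletion."""
    return (ev.get("eventSource") == "kms.amazonaws.com"
            and ev.get("eventName") in {"DisableKey", "ScheduleKeyDeletion"})


# Rule name -> predicate. Names mirror the table above; the logic is this example's own.
RULES: Dict[str, Callable[[Dict], bool]] = {
    "AWS CloudTrail - Root Console Successful Login Observed": root_console_login,
    "Authentication Without MFA": login_without_mfa,
    "AWS CloudTrail - Logging Configuration Change Observed": logging_config_change,
    "AWS CloudTrail - Customer Master Key Disabled or Scheduled for Deletion": kms_key_disabled_or_deleted,
}


def evaluate(events: List[Dict]) -> List[Dict]:
    """Run every rule over every record; return one alert per (rule, eventID) match."""
    alerts = []
    for ev in events:
        for name, pred in RULES.items():
            if pred(ev):
                alerts.append({"rule": name, "eventID": ev.get("eventID"),
                               "eventName": ev.get("eventName")})
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"{a['eventID']}: {a['rule']} ({a['eventName']})")
```

One caveat worth building in before relying on the no-MFA check: for SAML or IAM Identity Center federated sign-ins, `MFAUsed` reflects only what AWS itself verified, so MFA enforced at the identity provider does not show up in the record, and an unfiltered version of this rule will fire on every federated login. Scoping it to `userIdentity.type == "IAMUser"` or to records carrying `MFAUsed == "No"` without a federated session context is the usual tuning.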

Log Mappers

| Log Mapper ID | Log Mapper Name |
|---|---|
| 3f2bd88a-69b4-11ea-bc55-0242ac130003 | CloudTrail - application-insights.amazonaws.com - ListApplications |
| 9df7db8f-46a3-488a-af25-b34236b5303a | CloudTrail - cloudtrail.amazonaws.com - Trail Change |
| ff0ade7d-8a2f-42c2-8250-69562a9e8daf | CloudTrail - cognito-idp.amazonaws.com - CreateUserPoolClient |
| 915b12a0-69b0-11ea-bc55-0242ac130003 | CloudTrail - controltower.amazonaws.com - CreateManagedAccount |
| 1d8b8a41-b782-49f1-b12a-273caf8eb092 | CloudTrail - ec2.amazonaws.com - All Network Events |
| 6ca55368-0d59-4c92-b312-4b5940147be5 | CloudTrail - ec2.amazonaws.com - BidEvictedEvent |
| 1c8fe1c9-f66f-439d-af45-37840a4f781e | CloudTrail - ecr.amazonaws.com - PolicyExecutionEvent |
| 10cc2415-7909-4610-a417-7e755696a0a5 | CloudTrail - ecs.amazonaws.com - AwsApiCall-ExecuteCommand |
| 2d163beb-e486-405f-a2a4-7134e25493aa | CloudTrail - elasticfilesystem.amazonaws.com - NewClientConnection |
| 27a70508-29d3-4ff7-adb8-3e3759eb80b5 | CloudTrail - iam.amazonaws.com - Policy Change |
| 9ee2abd3-a781-4d7f-b1d1-c77a76b2c2a8 | CloudTrail - kms.amazonaws.com - DisableKey |
| fae41f89-52be-48fd-b061-19c11d743648 | CloudTrail - kms.amazonaws.com - RotateKey |
| e0456134-e8b3-4b45-97f1-99d01a461d73 | CloudTrail - lambda.amazonaws.com - Audit Change |
| 1758b47a-933f-40f5-ae40-a591ecfd95ba | CloudTrail - lambda.amazonaws.com - DeleteEventSourceMapping |
| 6c9a5532-df91-47df-856c-c3b78b5a8fe3 | CloudTrail - lambda.amazonaws.com - DeleteFunctionUrlConfig |
| 71cd9b06-7b50-4f3f-9434-06eb6242dc32 | CloudTrail - lambda.amazonaws.com - GetFunction |
| 17dd4d8c-1b54-4556-b9d8-4124cb897c60 | CloudTrail - lambda.amazonaws.com - GetLayerVersionPolicy |
| 1ee636b5-3f41-4d0e-8923-d371a4c72adb | CloudTrail - lambda.amazonaws.com - GetPolicy |
| d36c55c3-0ad0-4b7b-a4aa-779f0f9e1b8b | CloudTrail - lambda.amazonaws.com - ListEventSourceMappings |
| 592fd1db-91d1-4305-a1f9-fe8e2c7457bf | CloudTrail - lambda.amazonaws.com - ListFunctions |
| 2aa066b7-cb03-4827-96e5-6f37af056599 | CloudTrail - lambda.amazonaws.com - Resource Access |
| db3ca20f-daa1-4fb6-b06c-ac72800f3cce | CloudTrail - logs.amazonaws.com - DeleteDestination |
| 970738c0-68fa-11ea-bc55-0242ac130003 | CloudTrail - organizations.amazonaws.com - CreateAccountResult |
| 974823f1-6cd9-4b4b-ad05-e09e94fdc92d | CloudTrail - s3.amazonaws.com - Bucket Change |
| c4caf910-d72e-47b6-9315-d17636c04ca2 | CloudTrail - s3.amazonaws.com - GetBucketAcl |
| 28e0fc3f-fe14-4f41-9c9a-1603f9eef9bd | CloudTrail - secretsmanager.amazonaws.com - RotationSucceeded |
| 5406ec15-2203-460b-bd6e-ea8facf33082 | CloudTrail - secretsmanager.amazonaws.com - SecretVersionDeletion |
| 47b7d4bc-c062-460e-b39a-e28d171523e9 | CloudTrail - signin.amazonaws.com - All AwsConsoleSignIn events |
| 6e6d4334-69b1-11ea-bc55-0242ac130003 | CloudTrail - sso.amazonaws.com - Federate |
| 2c6a02e4-89b0-4d30-b03d-45756f074266 | CloudTrail Default Mapping |