Rules

Create Autoscaling Group without ELB Health Checks

Detect the creation of an autoscaling group associated with a load balancer which is not using health checks. Tags: cloud, aws, aws_autoscaling, fsbp_aws_autoscaling.1

Update Autoscaling Group without ELB Health Checks

Detect the update of an autoscaling group associated with a load balancer which is not using health checks. Tags: cloud, aws, aws_autoscaling, fsbp_aws_autoscaling.1

AWS Command Executed on Unused Region

Detect AWS command execution in unused regions. Tags: cloud, aws

CloudShell Environment Created

Detect creation of a new Cloud Shell environment. Tags: cloud, aws, aws_cloudshell

CloudTrail Trail Created

Detect creation of a new trail. Tags: cloud, aws, aws_cloudtrail, mitre_TA0009-collection, mitre_T1530-data-from-cloud-storage-object

CloudTrail Trail Deleted

Detect deletion of an existing trail. Tags: cloud, aws, aws_cloudtrail, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

CloudTrail Logfile Encryption Disabled

Detect disabling the CloudTrail logfile encryption. Tags: cloud, aws, aws_cloudtrail, cis_aws_2.7, fsbp_aws_cloudtrail.2

CloudTrail Logfile Validation Disabled

Detect disabling the CloudTrail logfile validation. Tags: cloud, aws, aws_cloudtrail, cis_aws_2.2

CloudTrail Logging Disabled

Detect disabling of CloudTrail logging; this could potentially be malicious. Tags: cloud, aws, aws_cloudtrail, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

CloudTrail Multi-region Disabled

Detect disabling CloudTrail multi-region. Tags: cloud, aws, aws_cloudtrail, cis_aws_2.1, fsbp_aws_cloudtrail.1

CloudTrail Trail Updated

Detect update of an existing trail. Tags: cloud, aws, aws_cloudtrail, mitre_TA0009-collection, mitre_TA0040-impact, mitre_T1492-store-data-manipulation, mitre_T1530-data-from-cloud-storage-object

CloudWatch Delete Alarms

Detect deletion of an alarm. Tags: cloud, aws, aws_cloudwatch, mitre_TA0005-defense-evasion, mitre_T1066-indicator-removal-from-tools

CloudWatch Delete Log Group

Detect deletion of a CloudWatch log group. Tags: cloud, aws, aws_cloudwatch, mitre_TA0040-impact, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools, mitre_T1485-data-destruction

CloudWatch Delete Log Stream

Detect deletion of a CloudWatch log stream. Tags: cloud, aws, aws_cloudwatch, mitre_TA0040-impact, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools, mitre_T1485-data-destruction

Delete Config Rule

Detect deletion of a configuration rule. Tags: cloud, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Delete Configuration Aggregator

Detect deletion of the configuration aggregator. Tags: cloud, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Delete Configuration Recorder

Detect deletion of the configuration recorder. Tags: cloud, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Delete Conformance Pack

Detect deletion of a conformance pack. Tags: cloud, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Delete Delivery Channel

Detect deletion of the delivery channel. Tags: cloud, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Delete Organization Config Rule

Detect deletion of an organization config rule. Tags: cloud, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Delete Organization Conformance Pack

Detect deletion of an organization conformance pack. Tags: cloud, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Delete Remediation Configuration

Detect deletion of a remediation configuration. Tags: cloud, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Delete Retention Configuration

Detect deletion of the retention configuration, which defines the retention period (number of days) for which AWS Config stores historical information. Tags: cloud, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Put Config Rule

Detect addition or update of an AWS Config rule. Tags: cloud, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Put Configuration Aggregator

Detect creation and update of the configuration aggregator with the selected source accounts and regions. Tags: cloud, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Put Conformance Pack

Detect creation or update of a conformance pack. Tags: cloud, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Put Delivery Channel

Detect creation of a delivery channel. Tags: cloud, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Put Organization Config Rule

Detect addition or update of an AWS Organization Config rule. Tags: cloud, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Put Organization Conformance Pack

Detect deployment of conformance packs across member accounts in an AWS Organization. Tags: cloud, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Put Remediation Configurations

Detect addition or update of the remediation configuration for a specific AWS Config rule with the selected target or action. Tags: cloud, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Put Remediation Exceptions

Detect addition of a new exception or update of an existing exception for a specific resource and a specific AWS Config rule. Tags: cloud, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Put Retention Configuration

Detect creation or update of the retention configuration, which defines the retention period (number of days) for which AWS Config stores historical information. Tags: cloud, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Stop Configuration Recorder

Detect stopping the configuration recorder. Tags: cloud, aws, aws_config, cis_aws_2.5, fsbp_aws_config.1, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Console Login Without MFA

Detect a console login without MFA. Tags: cloud, aws, aws_console, cis_aws_3.2

Console Root Login Without MFA

Detect root console login without MFA. Tags: cloud, aws, aws_console, mitre_TA0040-impact, mitre_T1531-account-access-removal

Create Public DMS Replication Instance

Detect creation of a public DMS replication instance. Tags: cloud, aws, aws_dms, fsbp_aws_dms.1

EBS Volume Creation without Encryption at Rest

Detect creation of an EBS volume without encryption at rest enabled. Tags: cloud, aws, aws_ebs, fsbp_aws_ec2.3

Allocate New Elastic IP Address to AWS Account

Detect that a public IP address has been allocated to the account. Tags: cloud, aws, aws_ec2

Associate Elastic IP Address to AWS Network Interface

Detect that a public IP address has been associated with a network interface. Tags: cloud, aws, aws_ec2

Authorize Security Group Egress

Detect addition of the specified egress rules to a security group. Tags: cloud, aws, aws_ec2, mitre_TA0003-persistence, mitre_TA0005-defense-evasion, mitre_T1108-redundant-access, mitre_T1089-disabling-security-tools

Authorize Security Group Ingress

Detect addition of the specified ingress rules to a security group. Tags: cloud, aws, aws_ec2, mitre_TA0003-persistence, mitre_TA0005-defense-evasion, mitre_T1108-redundant-access, mitre_T1089-disabling-security-tools

Create Snapshot

Detect creation of an EBS volume snapshot (stored in Amazon S3). Tags: cloud, aws, aws_ec2

Delete Subnet

Detect deletion of the specified subnet. Tags: cloud, aws, aws_ec2, mitre_TA0040-impact, mitre_T1485-data-destruction

Describe Instances

Detect description of the specified EC2 instances or all EC2 instances. Tags: cloud, aws, aws_ec2

Disable EBS Encryption by Default

Detect disabling EBS encryption by default for an account in the current region. Tags: cloud, aws, aws_ec2, mitre_TA0040-impact, mitre_T1492-store-data-manipulation

Make EBS Snapshot Public

Detect making an EBS snapshot public. Tags: cloud, aws, aws_ec2, fsbp_aws_ec2.1

Get Password Data

Detect retrieval of the encrypted administrator password for a running Windows instance. Tags: cloud, aws, aws_ec2, mitre_TA0003-persistence, mitre_T1108-redundant-access

Modify Image Attribute

Detect modification of the specified attribute of the specified AMI. Tags: cloud, aws, aws_ec2, mitre_TA0010-exfiltration

Modify Snapshot Attribute

Detect addition or removal of permission settings for the specified EC2 snapshot. Tags: cloud, aws, aws_ec2, mitre_TA0010-exfiltration, mitre_T1537-transfer-data-to-cloud-account

Replace Route

Detect replacing an existing route within a route table in a VPC. Tags: cloud, aws, aws_ec2, mitre_TA0003-persistence, mitre_TA0005-defense-evasion, mitre_T1108-redundant-access, mitre_T1089-disabling-security-tools

Revoke Security Group Egress

Detect removal of the specified egress rules from a security group. Tags: cloud, aws, aws_ec2, mitre_TA0003-persistence, mitre_TA0005-defense-evasion, mitre_T1108-redundant-access, mitre_T1089-disabling-security-tools

Revoke Security Group Ingress

Detect removal of the specified ingress rules from a security group. Tags: cloud, aws, aws_ec2, mitre_TA0003-persistence, mitre_TA0005-defense-evasion, mitre_T1108-redundant-access, mitre_T1089-disabling-security-tools

Run Instances

Detect launching of a specified number of instances. Tags: cloud, aws, aws_ec2

Run Instances in Non-approved Region

Detect launching of a specified number of instances in a non-approved region. Tags: cloud, aws, aws_ec2

Run Instances with Non-standard Image

Detect launching of a specified number of instances with a non-standard image. Tags: cloud, aws, aws_ec2

Delete Cluster

Detect deletion of the specified cluster. Tags: cloud, aws, aws_ec2, mitre_TA0040-impact, mitre_T1485-data-destruction

Create Unencrypted EFS

Detect creation of an unencrypted elastic file system. Tags: cloud, aws, aws_efs

Elasticsearch Domain Creation without Encryption at Rest

Detect creation of an Elasticsearch domain without encryption at rest enabled. Tags: cloud, aws, aws_elasticsearch, fsbp_aws_es.1

Elasticsearch Domain Creation without VPC

Detect creation of an Elasticsearch domain without a VPC. Tags: cloud, aws, aws_elasticsearch

Create HTTP Target Group without SSL

Detect creation of an HTTP target group not using SSL. Tags: cloud, aws, aws_elb

Create Internet-facing AWS Public Facing Load Balancer

Detect creation of an AWS internet-facing load balancer. Tags: cloud, aws, aws_elb

Delete Listener

Detect deletion of the specified listener. Tags: cloud, aws, aws_elb, mitre_TA0001-initial-access, mitre_T1190-exploit-public-facing-application

Modify Listener

Detect replacing the specified properties of the specified listener. Tags: cloud, aws, aws_elb, mitre_TA0001-initial-access, mitre_T1190-exploit-public-facing-application

Delete Detector

Detect deletion of an Amazon GuardDuty detector. Tags: cloud, aws, aws_guardduty, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Guard Duty Delete Members

Detect deletion of GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs. Tags: cloud, aws, aws_guardduty, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Disable GuardDuty

Detect disabling of GuardDuty. Tags: cloud, aws, aws_guardduty, fsbp_aws_guardduty.1

Guard Duty Disassociate from Master Account

Detect disassociation of the current GuardDuty member account from its administrator account. Tags: cloud, aws, aws_guardduty, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Guard Duty Disassociate Members

Detect disassociation of GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs. Tags: cloud, aws, aws_guardduty, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Stop Monitoring Members

Detect stopping GuardDuty monitoring for the specified member accounts. Tags: cloud, aws, aws_guardduty, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Logged in without Using MFA

Detect user login without using MFA (multi-factor authentication). Tags: cloud, aws, aws_iam

Password Recovery Requested

Detect AWS IAM password recovery requests. Tags: cloud, aws, aws_iam, mitre_TA0001-initial-access, mitre_T1078-valid-accounts

Put Inline Policy in Group to Allow Access to All Resources

Detect putting an inline policy in a group that allows access to all resources. Tags: cloud, aws, aws_iam

Create Access Key for Root User

Detect creation of an access key for root. Tags: cloud, aws, aws_iam, cis_aws_1.12, fsbp_aws_iam.4, mitre_TA0001-initial-access, mitre_T1078-valid-accounts

Deactivate Hardware MFA for Root User

Detect deactivating hardware MFA configuration for root. Tags: cloud, aws, aws_iam, cis_aws_1.14, fsbp_aws_iam.6

Deactivate MFA for Root User

Detect deactivating MFA configuration for root. Tags: cloud, aws, aws_iam, cis_aws_1.13

Deactivate Virtual MFA for Root User

Detect deactivating virtual MFA configuration for root. Tags: cloud, aws, aws_iam, cis_aws_1.13

Delete Virtual MFA for Root User

Detect deleting MFA configuration for root. Tags: cloud, aws, aws_iam, cis_aws_1.13, pcs_dss_iam.5

Root User Executing AWS Command

Detect root user executing AWS command. Tags: cloud, aws, aws_iam, cis_aws_1.1

Add AWS User to Group

Detect adding a user to a group. Tags: cloud, aws, aws_iam

Attach Administrator Policy

Detect attaching an administrator policy to a user. Tags: cloud, aws, aws_iam

Attach IAM Policy to User

Detect attaching an IAM policy to a user. Tags: cloud, aws, aws_iam, cis_aws_1.16, fsbp_aws_iam.2

Create Group

Detect creation of a new user group. Tags: cloud, aws, aws_iam, mitre_TA0003-persistence, mitre_T1108-redundant-access

Create Security Group Rule Allowing SSH Ingress

Detect creation of a security group rule allowing SSH ingress. Tags: cloud, aws, aws_iam

Create AWS user

Detect creation of a new AWS user. Tags: cloud, aws, aws_iam, mitre_TA0003-persistence, mitre_T1136-create-account

Create IAM Policy that Allows All

Detect creation of IAM policy that allows all. Tags: cloud, aws, aws_iam, cis_aws_1.22, fsbp_aws_iam.1

Deactivate MFA for User Access

Detect deactivating MFA configuration for user access. Tags: cloud, aws, aws_iam, cis_aws_1.2, fsbp_aws_iam.5

Delete Group

Detect deletion of a user group. Tags: cloud, aws, aws_iam, mitre_TA0040-impact, mitre_T1531-account-access-removal

Put IAM Inline Policy to User

Detect putting an IAM inline policy to a user. Tags: cloud, aws, aws_iam, cis_aws_1.16, fsbp_aws_iam.2

Update Account Password Policy Not Expiring

Detect updating the account password policy so that passwords never expire. Tags: cloud, aws, aws_iam, cis_aws_1.11, fsbp_aws_iam.7

Update Account Password Policy Expiring in More Than 90 Days

Detect updating the account password policy so that passwords expire in more than 90 days. Tags: cloud, aws, aws_iam, cis_aws_1.11, fsbp_aws_iam.7

Update Account Password Policy Not Preventing Reuse of Last 24 Passwords

Detect updating password policy not preventing reuse of the last 24 passwords. Tags: cloud, aws, aws_iam, cis_aws_1.10, fsbp_aws_iam.7

Update Account Password Policy Not Preventing Reuse of Last 4 Passwords

Detect updating password policy not preventing reuse of the last 4 passwords. Tags: cloud, aws, aws_iam

Update Account Password Policy Not Requiring 14 Characters

Detect updating password policy not requiring a minimum length of 14 characters. Tags: cloud, aws, aws_iam, cis_aws_1.9, fsbp_aws_iam.7

Update Account Password Policy Not Requiring 7 Characters

Detect updating password policy not requiring a minimum length of 7 characters. Tags: cloud, aws, aws_iam

Update Account Password Policy Not Requiring Lowercase

Detect updating password policy not requiring the use of a lowercase letter. Tags: cloud, aws, aws_iam, cis_aws_1.6, fsbp_aws_iam.7

Update Account Password Policy Not Requiring Number

Detect updating password policy not requiring the use of a number. Tags: cloud, aws, aws_iam, cis_aws_1.8, fsbp_aws_iam.7

Update Account Password Policy Not Requiring Symbol

Detect updating password policy not requiring the use of a symbol. Tags: cloud, aws, aws_iam, cis_aws_1.7, fsbp_aws_iam.7

Update Account Password Policy Not Requiring Uppercase

Detect updating password policy not requiring the use of an uppercase letter. Tags: cloud, aws, aws_iam, cis_aws_1.5, fsbp_aws_iam.7

Update Assume Role Policy

Detect updating a role's assume role policy. Tags: cloud, aws, aws_iam, mitre_TA0006-credential-access, mitre_T1110-brute-force

Create Customer Master Key

Detect creation of a new CMK (with rotation disabled). Tags: cloud, aws, aws_kms

Disable CMK Rotation

Detect disabling of a customer master key’s rotation. Tags: cloud, aws, aws_kms

Disable Key

Detect disabling a customer master key (CMK), thereby preventing its use for cryptographic operations. Tags: cloud, aws, aws_kms

Remove KMS Key Rotation

Detect removal of KMS key rotation. Tags: cloud, aws, aws_kms

Schedule Key Deletion

Detect scheduling of the deletion of a customer master key. Tags: cloud, aws, aws_kms

Create Lambda Function

Detect creation of a Lambda function. Tags: cloud, aws, aws_lambda, mitre_TA0003-persistence

Create Lambda Function Not Using Latest Runtime

Detect creation of a Lambda function using an old or deprecated runtime. Tags: cloud, aws, aws_lambda, fsbp_aws_lambda.2

Dissociate Lambda Function from VPC

Detect dissociation of a Lambda function from a VPC. Tags: cloud, aws, aws_lambda

Update Lambda Function Code

Detect updates to a Lambda function's code. Tags: cloud, aws, aws_lambda, mitre_TA0003-persistence, mitre_T1496-resource-hijacking

Update Lambda Function Configuration

Detect updates to a Lambda function's configuration. Tags: cloud, aws, aws_lambda, mitre_TA0003-persistence, mitre_T1496-resource-hijacking

Authorize DB Security Group Ingress

Detect enabling ingress to a DBSecurityGroup using one of two forms of authorization. Tags: cloud, aws, aws_rds

Create DB Cluster

Detect creation of a database cluster. Tags: cloud, aws, aws_rds, mitre_TA0003-persistence, mitre_T1108-redundant-access

Create DB Security Group

Detect creation of a database security group. Tags: cloud, aws, aws_rds

Create Global Cluster

Detect creation of a global cluster. Tags: cloud, aws, aws_rds, mitre_TA0003-persistence, mitre_T1108-redundant-access

Delete DB Cluster

Detect deletion of a database cluster. Tags: cloud, aws, aws_rds, mitre_TA0040-impact, mitre_T1485-data-destruction

Delete DB Security Group

Detect deletion of a database security group. Tags: cloud, aws, aws_rds

Delete DB Snapshot

Detect deletion of a database snapshot. Tags: cloud, aws, aws_rds, mitre_TA0040-impact, mitre_T1485-data-destruction

Make RDS DB Instance Public

Detect making an RDS DB instance public. Tags: cloud, aws, aws_rds

Make RDS Snapshot Public

Detect making an RDS snapshot public. Tags: cloud, aws, aws_rds

Modify RDS Snapshot Attribute

Detect modification of an RDS snapshot attribute. Tags: cloud, aws, aws_rds, mitre_TA0010-exfiltration, mitre_T1537-transfer-data-to-cloud-account

Revoke DB Security Group Ingress

Detect revocation of ingress from a DBSecurityGroup for previously authorized IP ranges or EC2 or VPC security groups. Tags: cloud, aws, aws_rds

Stop DB Cluster

Detect stopping of a database cluster. Tags: cloud, aws, aws_rds, mitre_TA0040-impact, mitre_T1489-service-stop

Stop DB Instance

Detect stopping of a database instance. Tags: cloud, aws, aws_rds, mitre_TA0040-impact, mitre_T1489-service-stop

Associate VPC with Hosted Zone

Detect association of an Amazon VPC with a private hosted zone. Tags: cloud, aws, aws_route53

Change Resource Record Sets

Detect creation, changes, or deletion of a resource record set. Tags: cloud, aws, aws_route53

Register Domain

Detect registration of a new domain. Tags: cloud, aws, aws_route53

Delete Bucket CORS

Detect deletion of the CORS configuration for a bucket. Tags: cloud, aws, aws_s3, mitre_TA0005-defense-evasion, mitre_T1070-indicator-removal-on-host

Delete Bucket Encryption

Detect deletion of the encryption configuration for bucket storage. Tags: cloud, aws, aws_s3, mitre_TA0005-defense-evasion, mitre_T1070-indicator-removal-on-host

Delete Bucket Lifecycle

Detect deletion of the lifecycle configuration from the specified bucket. Tags: cloud, aws, aws_s3, mitre_TA0005-defense-evasion, mitre_T1070-indicator-removal-on-host

Delete Bucket Policy

Detect deletion of the policy of a specified bucket. Tags: cloud, aws, aws_s3, mitre_TA0005-defense-evasion, mitre_T1070-indicator-removal-on-host

Delete Bucket Public Access Block

Detect deletion of the public access block configuration for a bucket. Tags: cloud, aws, aws_s3

Delete Bucket Replication

Detect deletion of the replication configuration from the bucket. Tags: cloud, aws, aws_s3, mitre_TA0005-defense-evasion, mitre_T1070-indicator-removal-on-host

List Buckets

Detect listing of all S3 buckets. Tags: cloud, aws, aws_s3, mitre_TA0007-discovery, mitre_T1083-file-and-directory-discovery

Put Bucket ACL

Detect setting the permissions on an existing bucket using access control lists. Tags: cloud, aws, aws_s3, mitre_TA0005-defense-evasion, mitre_T1070-indicator-removal-on-host

Put Bucket CORS

Detect setting the CORS configuration for a bucket. Tags: cloud, aws, aws_s3, mitre_TA0005-defense-evasion, mitre_T1070-indicator-removal-on-host

Put Bucket Lifecycle

Detect creation or modification of a lifecycle configuration for the bucket [DEPRECATED use Put Bucket Lifecycle Configuration instead]. Tags: cloud, aws, aws_s3, mitre_TA0005-defense-evasion, mitre_T1070-indicator-removal-on-host

Put Bucket Policy

Detect applying an Amazon S3 bucket policy to an Amazon S3 bucket. Tags: cloud, aws, aws_s3, mitre_TA0005-defense-evasion, mitre_T1070-indicator-removal-on-host

Put Bucket Replication

Detect creation of a replication configuration or the replacement of an existing one. Tags: cloud, aws, aws_s3, mitre_TA0005-defense-evasion, mitre_T1070-indicator-removal-on-host

Create SageMaker Notebook Instance with Direct Internet Access

Detect creation of a SageMaker notebook instance with direct internet access. Tags: cloud, aws, aws_sagemaker

Get Secret Value

Detect retrieval of the contents of the encrypted fields SecretString or SecretBinary from the specified version of a secret, whichever contains content. Tags: cloud, aws, aws_secretsmanager, mitre_TA0006-credential-access, mitre_T1528-steal-application-access-token

Batch Disable Standards

Detect disabling of the standards specified by the provided StandardsSubscriptionArns. Tags: cloud, aws, aws_securityhub

Delete Action Target

Detect deletion of a custom action target from Security Hub. Tags: cloud, aws, aws_securityhub, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Security Hub Delete Members

Detect deletion of the specified member accounts from Security Hub. Tags: cloud, aws, aws_securityhub, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Disable Security Hub

Detect disabling Security Hub in the current region. Tags: cloud, aws, aws_securityhub, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Disable Import Findings for Product

Detect disabling of the integration of the specified product with Security Hub. Tags: cloud, aws, aws_securityhub, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Security Hub Disassociate From Master Account

Detect disassociation of the current Security Hub member account from the associated master account. Tags: cloud, aws, aws_securityhub, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Security Hub Disassociate Members

Detect disassociation of the specified Security Hub member accounts from the current administrator (master) account. Tags: cloud, aws, aws_securityhub, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Update Action Target

Detect updating the name and description of a custom action target in Security Hub. Tags: cloud, aws, aws_securityhub, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Update Standards Control

Detect enabling or disabling of a standard control. Tags: cloud, aws, aws_securityhub, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Accept VPC Peering Connection

Detect accepting a VPC peering connection. Tags: cloud, aws, aws_vpc, mitre_TA0003-persistence, mitre_TA0005-defense-evasion, mitre_T1108-redundant-access, mitre_T1089-disabling-security-tools

Attach Internet Gateway

Detect attaching an internet gateway. Tags: cloud, aws, aws_vpc, mitre_TA0003-persistence, mitre_TA0005-defense-evasion, mitre_T1108-redundant-access, mitre_T1089-disabling-security-tools

Create a Network ACL

Detect creating a network ACL. Tags: cloud, aws, aws_vpc, mitre_TA0003-persistence, mitre_TA0005-defense-evasion, mitre_T1108-redundant-access, mitre_T1089-disabling-security-tools

Create a Network ACL Entry

Detect creating a network ACL entry. Tags: cloud, aws, aws_vpc, mitre_TA0003-persistence, mitre_TA0005-defense-evasion, mitre_T1108-redundant-access, mitre_T1089-disabling-security-tools

Create VPC Route

Detect creating a VPC route. Tags: cloud, aws, aws_vpc, mitre_TA0003-persistence, mitre_TA0005-defense-evasion, mitre_T1108-redundant-access, mitre_T1089-disabling-security-tools

Create VPC Peering Connection

Detect creating a VPC peering connection. Tags: cloud, aws, aws_vpc, mitre_TA0003-persistence, mitre_TA0005-defense-evasion, mitre_T1108-redundant-access, mitre_T1089-disabling-security-tools

Create VPC with Default Security Group

Detect creation of a new VPC with default security group. Tags: cloud, aws, aws_vpc, cis_aws_4.3, fsbp_aws_ec2.2

Create VPC with No Flow Log

Detect creation of a new VPC with no flow log. Tags: cloud, aws, aws_vpc, cis_aws_2.9, fsbp_aws_ec2.6

Delete VPC Flow Log

Detect deletion of a VPC flow log. Tags: cloud, aws, aws_vpc, cis_aws_2.9, fsbp_aws_ec2.6, mitre_TA0005-defense-evasion, mitre_T1066-indicator-removal-from-tools

Delete a Network ACL

Detect deleting a network ACL. Tags: cloud, aws, aws_vpc, mitre_TA0003-persistence, mitre_TA0005-defense-evasion, mitre_T1108-redundant-access, mitre_T1089-disabling-security-tools

Delete a Network ACL Entry

Detect deletion of a network ACL entry. Tags: cloud, aws, aws_vpc, mitre_TA0003-persistence, mitre_TA0005-defense-evasion, mitre_T1108-redundant-access, mitre_T1089-disabling-security-tools

Replace a Network ACL Association

Detect replacement of a network ACL association. Tags: cloud, aws, aws_vpc, mitre_TA0003-persistence, mitre_TA0005-defense-evasion, mitre_T1108-redundant-access, mitre_T1089-disabling-security-tools

Replace a Network ACL Entry

Detect replacement of a network ACL entry. Tags: cloud, aws, aws_vpc, mitre_TA0003-persistence, mitre_TA0005-defense-evasion, mitre_T1108-redundant-access, mitre_T1089-disabling-security-tools

Delete WAF Rule Group

Detect deleting a WAF rule group. Tags: cloud, aws, aws_waf, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Delete Web ACL

Detect deleting a web ACL. Tags: cloud, aws, aws_waf, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools