
Autoscaling

Create Autoscaling Group without ELB Health Checks
Detect the creation of an autoscaling group associated with a load balancer that is not using health checks.
Tags:
cloud, source=cloudtrail, aws, aws_autoscaling, aws_fsbp_autoscaling.1
Update Autoscaling Group without ELB Health Checks
Detect the update of an autoscaling group associated with a load balancer that is not using health checks.
Tags:
cloud, source=cloudtrail, aws, aws_autoscaling, aws_fsbp_autoscaling.1

AWS

AWS Command Executed on Unused Region
Detect AWS command execution on unused regions.
Tags:
cloud, source=cloudtrail, aws

CloudTrail

CloudTrail Trail Created
Detect creation of a new trail.
Tags:
cloud, source=cloudtrail, aws, aws_cloudtrail, mitre_TA0009-collection, mitre_T1530-data-from-cloud-storage-object
CloudTrail Trail Deleted
Detect deletion of an existing trail.
Tags:
cloud, source=cloudtrail, aws, aws_cloudtrail, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools
CloudTrail Logfile Encryption Disabled
Detect disabling the CloudTrail logfile encryption.
Tags:
cloud, source=cloudtrail, aws, aws_cloudtrail, aws_fsbp_cloudtrail.2
CloudTrail Logfile Validation Disabled
Detect disabling the CloudTrail logfile validation.
Tags:
cloud, source=cloudtrail, aws, aws_cloudtrail
CloudTrail Logging Disabled
Detect disabling of CloudTrail logging, which could be potentially malicious.
Tags:
cloud, source=cloudtrail, aws, aws_cloudtrail, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools
CloudTrail Multi-region Disabled
Detect disabling CloudTrail multi-region.
Tags:
cloud, source=cloudtrail, aws, aws_cloudtrail, aws_fsbp_cloudtrail.1
CloudTrail Trail Updated
Detect update of an existing trail.
Tags:
cloud, source=cloudtrail, aws, aws_cloudtrail, mitre_TA0009-collection, mitre_TA0040-impact, mitre_T1492-store-data-manipulation, mitre_T1530-data-from-cloud-storage-object

CloudWatch

CloudWatch Delete Alarms
Detect deletion of an alarm.
Tags:
cloud, source=cloudtrail, aws, aws_cloudwatch, mitre_TA0005-defense-evasion, mitre_T1066-indicator-removal-from-tools
CloudWatch Delete Log Group
Detect deletion of a CloudWatch log group.
Tags:
cloud, source=cloudtrail, aws, aws_cloudwatch, mitre_TA0040-impact, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools, mitre_T1485-data-destruction
CloudWatch Delete Log Stream
Detect deletion of a CloudWatch log stream.
Tags:
cloud, source=cloudtrail, aws, aws_cloudwatch, mitre_TA0040-impact, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools, mitre_T1485-data-destruction

Config

Delete Config Rule
Detect deletion of a configuration rule.
Tags:
cloud, source=cloudtrail, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools
Delete Configuration Aggregator
Detect deletion of the configuration aggregator.
Tags:
cloud, source=cloudtrail, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools
Delete Configuration Recorder
Detect deletion of the configuration recorder.
Tags:
cloud, source=cloudtrail, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools
Delete Conformance Pack
Detect deletion of a conformance pack.
Tags:
cloud, source=cloudtrail, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools
Delete Delivery Channel
Detect deletion of the delivery channel.
Tags:
cloud, source=cloudtrail, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools
Delete Organization Config Rule
Detect deletion of an organization config rule.
Tags:
cloud, source=cloudtrail, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools
Delete Organization Conformance Pack
Detect deletion of an organization conformance pack.
Tags:
cloud, source=cloudtrail, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools
Delete Remediation Configuration
Detect deletion of a remediation configuration.
Tags:
cloud, source=cloudtrail, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools
Delete Retention Configuration
Detect deletion of the retention configuration, which specifies the retention period (number of days) for which AWS Config stores historical information.
Tags:
cloud, source=cloudtrail, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools
Put Config Rule
Detect addition or update in an AWS Config rule.
Tags:
cloud, source=cloudtrail, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools
Put Configuration Aggregator
Detect creation and update of the configuration aggregator with the selected source accounts and regions.
Tags:
cloud, source=cloudtrail, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools
Put Conformance Pack
Detect creation or update of a conformance pack.
Tags:
cloud, source=cloudtrail, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools
Put Delivery Channel
Detect creation of a delivery channel.
Tags:
cloud, source=cloudtrail, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools
Put Organization Config Rule
Detect addition or update in an AWS Organization Config rule.
Tags:
cloud, source=cloudtrail, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools
Put Organization Conformance Pack
Detect deployment of conformance packs across member accounts in an AWS Organization.
Tags:
cloud, source=cloudtrail, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools
Put Remediation Configurations
Detect addition or update of the remediation configuration with a specific AWS Config rule with the selected target or action.
Tags:
cloud, source=cloudtrail, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools
Put Remediation Exceptions
Detect addition of a new exception or update of an existing exception for a specific resource with a specific AWS Config rule.
Tags:
cloud, source=cloudtrail, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools
Put Retention Configuration
Detect creation or update of the retention configuration, which specifies the retention period (number of days) for which AWS Config stores historical information.
Tags:
cloud, source=cloudtrail, aws, aws_config, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools
Stop Configuration Recorder
Detect stopping the configuration recorder.
Tags:
cloud, source=cloudtrail, aws, aws_config, aws_fsbp_config.1, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

Console

Console Login Without MFA
Detect a console login without MFA.
Tags:
cloud, source=cloudtrail, aws, aws_console
Console Root Login Without MFA
Detect root console login without MFA.
Tags:
cloud, source=cloudtrail, aws, aws_console, mitre_TA0040-impact, mitre_T1531-account-access-removal

DMS

Create Public DMS Replication Instance
Detect creation of a public DMS replication instance.
Tags:
cloud, source=cloudtrail, aws, aws_dms, aws_fsbp_dms.1

EBS

EBS Volume Creation without Encryption at Rest
Detect creation of an EBS volume without encryption at rest enabled.
Tags:
cloud, source=cloudtrail, aws, aws_ebs, aws_fsbp_ec2.3

EC2

Allocate New Elastic IP Address to AWS Account
Detect that a public IP address has been allocated to the account.
Tags:
cloud, source=cloudtrail, aws, aws_ec2
Associate Elastic IP Address to AWS Network Interface
Detect that a public IP address has been associated with a network interface.
Tags:
cloud, source=cloudtrail, aws, aws_ec2
Authorize Security Group Egress
Detect addition of the specified egress rules to a security group.
Tags:
cloud, source=cloudtrail, aws, aws_ec2, mitre_TA0003-persistence, mitre_TA0005-defense-evasion, mitre_T1108-redundant-access, mitre_T1089-disabling-security-tools
Authorize Security Group Ingress
Detect addition of the specified ingress rules to a security group.
Tags:
cloud, source=cloudtrail, aws, aws_ec2, mitre_TA0003-persistence, mitre_TA0005-defense-evasion, mitre_T1108-redundant-access, mitre_T1089-disabling-security-tools
Create Snapshot
Detect creation of an EBS volume snapshot, which is stored in Amazon S3.
Tags:
cloud, source=cloudtrail, aws, aws_ec2
Delete Subnet
Detect deletion of the specified subnet.
Tags:
cloud, source=cloudtrail, aws, aws_ec2, mitre_TA0040-impact, mitre_T1485-data-destruction
Describe Instances
Detect description of the specified EC2 instances or all EC2 instances.
Tags:
cloud, source=cloudtrail, aws, aws_ec2
Disable EBS Encryption by Default
Detect disabling EBS encryption by default for an account in the current region.
Tags:
cloud, source=cloudtrail, aws, aws_ec2, mitre_TA0040-impact, mitre_T1492-store-data-manipulation
Make EBS Snapshot Public
Detect making an EBS snapshot public.
Tags:
cloud, source=cloudtrail, aws, aws_ec2, aws_fsbp_ec2.1
Get Password Data
Detect retrieval of the encrypted administrator password for a running Windows instance.
Tags:
cloud, source=cloudtrail, aws, aws_ec2, mitre_TA0003-persistence, mitre_T1108-redundant-access
Modify Image Attribute
Detect modification of the specified attribute of the specified AMI.
Tags:
cloud, source=cloudtrail, aws, aws_ec2, mitre_TA0010-exfiltration
Modify Snapshot Attribute
Detect addition or removal of permission settings for the specified EC2 snapshot.
Tags:
cloud, source=cloudtrail, aws, aws_ec2, mitre_TA0010-exfiltration, mitre_T1537-transfer-data-to-cloud-account
Replace Route
Detect replacing an existing route within a route table in a VPC.
Tags:
cloud, source=cloudtrail, aws, aws_ec2, mitre_TA0003-persistence, mitre_TA0005-defense-evasion, mitre_T1108-redundant-access, mitre_T1089-disabling-security-tools
Revoke Security Group Egress
Detect removal of the specified egress rules from a security group.
Tags:
cloud, source=cloudtrail, aws, aws_ec2, mitre_TA0003-persistence, mitre_TA0005-defense-evasion, mitre_T1108-redundant-access, mitre_T1089-disabling-security-tools
Revoke Security Group Ingress
Detect removal of the specified ingress rules from a security group.
Tags:
cloud, source=cloudtrail, aws, aws_ec2, mitre_TA0003-persistence, mitre_TA0005-defense-evasion, mitre_T1108-redundant-access, mitre_T1089-disabling-security-tools
Run Instances in Non-approved Region
Detect launching of a specified number of instances in a non-approved region.
Tags:
cloud, source=cloudtrail, aws, aws_ec2
Run Instances with Non-standard Image
Detect launching of a specified number of instances with a non-standard image.
Tags:
cloud, source=cloudtrail, aws, aws_ec2
Run Instances
Detect launching of a specified number of instances.
Tags:
cloud, source=cloudtrail, aws, aws_ec2
Delete Cluster
Detect deletion of the specified cluster.
Tags:
cloud, source=cloudtrail, aws, aws_ec2, mitre_TA0040-impact, mitre_T1485-data-destruction

EFS

Create Unencrypted EFS
Detect creation of an unencrypted elastic file system.
Tags:
cloud, source=cloudtrail, aws, aws_efs

Elasticsearch

Elasticsearch Domain Creation without Encryption at Rest
Detect creation of an Elasticsearch domain without encryption at rest enabled.
Tags:
cloud, source=cloudtrail, aws, aws_elasticsearch, aws_fsbp_es.1
Elasticsearch Domain Creation without VPC
Detect creation of an Elasticsearch domain without a VPC.
Tags:
cloud, source=cloudtrail, aws, aws_elasticsearch

ELB

Create HTTP Target Group without SSL
Detect creation of HTTP target group not using SSL.
Tags:
cloud, source=cloudtrail, aws, aws_elb
Create Internet-facing AWS Public Facing Load Balancer
Detect creation of an AWS internet-facing load balancer.
Tags:
cloud, source=cloudtrail, aws, aws_elb
Delete Listener
Detect deletion of the specified listener.
Tags:
cloud, source=cloudtrail, aws, aws_elb, mitre_TA0001-initial-access, mitre_T1190-exploit-public-facing-application
Modify Listener
Detect replacing the specified properties of the specified listener.
Tags:
cloud, source=cloudtrail, aws, aws_elb, mitre_TA0001-initial-access, mitre_T1190-exploit-public-facing-application

GuardDuty

Delete Detector
Detect deletion of an Amazon GuardDuty detector.
Tags:
cloud, source=cloudtrail, aws, aws_guardduty, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools
Guard Duty Delete Members
Detect deletion of GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.
Tags:
cloud, source=cloudtrail, aws, aws_guardduty, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools
Disable GuardDuty
Detect disabling of GuardDuty.
Tags:
cloud, source=cloudtrail, aws, aws_guardduty, aws_fsbp_guardduty.1
Guard Duty Disassociate from Master Account
Detect disassociation of the current GuardDuty member account from its administrator account.
Tags:
cloud, source=cloudtrail, aws, aws_guardduty, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools
Guard Duty Disassociate Members
Detect disassociation of GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.
Tags:
cloud, source=cloudtrail, aws, aws_guardduty, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools
Stop Monitoring Members
Detect stopping GuardDuty monitoring for the specified member accounts.
Tags:
cloud, source=cloudtrail, aws, aws_guardduty, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

IAM

Logged in without Using MFA
Detect user login without using MFA (multi-factor authentication).
Tags:
cloud, source=cloudtrail, aws, aws_iam
Password Recovery Requested
Detect AWS IAM password recovery requests.
Tags:
cloud, source=cloudtrail, aws, aws_iam, mitre_TA0001-initial-access, mitre_T1078-valid-accounts
Put Inline Policy in Group to Allow Access to All Resources
Detect putting an inline policy in a group that allows access to all resources.
Tags:
cloud, source=cloudtrail, aws, aws_iam
Create Access Key for Root User
Detect creation of an access key for root.
Tags:
cloud, source=cloudtrail, aws, aws_iam, aws_fsbp_iam.4, mitre_TA0001-initial-access, mitre_T1078-valid-accounts
Deactivate Hardware MFA for Root User
Detect deactivating hardware MFA configuration for root.
Tags:
cloud, source=cloudtrail, aws, aws_iam, aws_fsbp_iam.6
Deactivate MFA for Root User
Detect deactivating MFA configuration for root.
Tags:
cloud, source=cloudtrail, aws, aws_iam
Deactivate Virtual MFA for Root User
Detect deactivating virtual MFA configuration for root.
Tags:
cloud, source=cloudtrail, aws, aws_iam
Delete Virtual MFA for Root User
Detect deleting MFA configuration for root.
Tags:
cloud, source=cloudtrail, aws, aws_iam, pcs_dss_iam.5
Root User Executing AWS Command
Detect root user executing AWS command.
Tags:
cloud, source=cloudtrail, aws, aws_iam
Add AWS User to Group
Detect adding a user to a group.
Tags:
cloud, source=cloudtrail, aws, aws_iam
Attach Administrator Policy
Detect attaching an administrator policy to a user.
Tags:
cloud, source=cloudtrail, aws, aws_iam
Attach IAM Policy to User
Detect attaching an IAM policy to a user.
Tags:
cloud, source=cloudtrail, aws, aws_iam, aws_fsbp_iam.2
Create Group
Detect creation of a new user group.
Tags:
cloud, source=cloudtrail, aws, aws_iam, mitre_TA0003-persistence, mitre_T1108-redundant-access
Create Security Group Rule Allowing SSH Ingress
Detect creation of security group rule allowing SSH ingress.
Tags:
cloud, source=cloudtrail, aws, aws_iam
Create AWS user
Detect creation of a new AWS user.
Tags:
cloud, source=cloudtrail, aws, aws_iam, mitre_TA0003-persistence, mitre_T1136-create-account
Create IAM Policy that Allows All
Detect creation of IAM policy that allows all.
Tags:
cloud, source=cloudtrail, aws, aws_iam, aws_fsbp_iam.1
Deactivate MFA for User Access
Detect deactivating MFA configuration for user access.
Tags:
cloud, source=cloudtrail, aws, aws_iam, aws_fsbp_iam.5
Delete Group
Detect deletion of a user group.
Tags:
cloud, source=cloudtrail, aws, aws_iam, mitre_TA0040-impact, mitre_T1531-account-access-removal
Put IAM Inline Policy to User
Detect putting an IAM inline policy to a user.
Tags:
cloud, source=cloudtrail, aws, aws_iam, aws_pci_1.16, aws_fsbp_iam.2
Update Account Password Policy Not Expiring
Detect updating the password policy so that passwords never expire.
Tags:
cloud, source=cloudtrail, aws, aws_iam, aws_fsbp_iam.7
Update Account Password Policy Expiring in More Than 90 Days
Detect updating password policy expiring in more than 90 days.
Tags:
cloud, source=cloudtrail, aws, aws_iam, aws_fsbp_iam.7
Update Account Password Policy Not Preventing Reuse of Last 24 Passwords
Detect updating password policy not preventing reuse of the last 24 passwords.
Tags:
cloud, source=cloudtrail, aws, aws_iam, aws_fsbp_iam.7
Update Account Password Policy Not Preventing Reuse of Last 4 Passwords
Detect updating password policy not preventing reuse of the last 4 passwords.
Tags:
cloud, source=cloudtrail, aws, aws_iam
Update Account Password Policy Not Requiring 14 Characters
Detect updating password policy not requiring a minimum length of 14 characters.
Tags:
cloud, source=cloudtrail, aws, aws_iam, aws_fsbp_iam.7
Update Account Password Policy Not Requiring 7 Characters
Detect updating password policy not requiring a minimum length of 7 characters.
Tags:
cloud, source=cloudtrail, aws, aws_iam
Update Account Password Policy Not Requiring Lowercase
Detect updating password policy not requiring the use of a lowercase letter.
Tags:
cloud, source=cloudtrail, aws, aws_iam, aws_fsbp_iam.7
Update Account Password Policy Not Requiring Number
Detect updating password policy not requiring the use of a number.
Tags:
cloud, source=cloudtrail, aws, aws_iam, aws_fsbp_iam.7
Update Account Password Policy Not Requiring Symbol
Detect updating password policy not requiring the use of a symbol.
Tags:
cloud, source=cloudtrail, aws, aws_iam, aws_fsbp_iam.7
Update Account Password Policy Not Requiring Uppercase
Detect updating password policy not requiring the use of an uppercase letter.
Tags:
cloud, source=cloudtrail, aws, aws_iam, aws_fsbp_iam.7
Update Assume Role Policy
Detect modifying a role.
Tags:
cloud, source=cloudtrail, aws, aws_iam, mitre_TA0006-credential-access, mitre_T1110-brute-force

KMS

Create Customer Master Key
Detect creation of a new CMK (with rotation disabled).
Tags:
cloud, source=cloudtrail, aws, aws_kms
Disable CMK Rotation
Detect disabling of a customer master key’s rotation.
Tags:
cloud, source=cloudtrail, aws, aws_kms
Disable Key
Detect disabling a customer master key (CMK), thereby preventing its use for cryptographic operations.
Tags:
cloud, source=cloudtrail, aws, aws_kms
Remove KMS Key Rotation
Detect removal of KMS key rotation.
Tags:
cloud, source=cloudtrail, aws, aws_kms
Schedule Key Deletion
Detect scheduling of the deletion of a customer master key.
Tags:
cloud, source=cloudtrail, aws, aws_kms

Lambda

Create Lambda Function Not Using Latest Runtime
Detect creation of a Lambda function using an old or deprecated runtime.
Tags:
cloud, source=cloudtrail, aws, aws_lambda, aws_fsbp_lambda.2
Create Lambda Function
Detect creation of a Lambda function.
Tags:
cloud, source=cloudtrail, aws, aws_lambda, mitre_TA0003-persistence
Dissociate Lambda Function from VPC
Detect dissociation of a Lambda function from a VPC.
Tags:
cloud, source=cloudtrail, aws, aws_lambda
Update Lambda Function Code
Detect updates to a Lambda function code.
Tags:
cloud, source=cloudtrail, aws, aws_lambda, mitre_TA0003-persistence, mitre_T1496-resource-hijacking
Update Lambda Function Configuration
Detect updates to a Lambda function configuration.
Tags:
cloud, source=cloudtrail, aws, aws_lambda, mitre_TA0003-persistence, mitre_T1496-resource-hijacking

RDS

Authorize DB Security Group Ingress
Detect enabling ingress to a DBSecurityGroup using one of two forms of authorization.
Tags:
cloud, source=cloudtrail, aws, aws_rds
Create DB Cluster
Detect creation of a database cluster.
Tags:
cloud, source=cloudtrail, aws, aws_rds, mitre_TA0003-persistence, mitre_T1108-redundant-access
Create DB Security Group
Detect creation of a database security group.
Tags:
cloud, source=cloudtrail, aws, aws_rds
Create Global Cluster
Detect creation of a global cluster.
Tags:
cloud, source=cloudtrail, aws, aws_rds, mitre_TA0003-persistence, mitre_T1108-redundant-access
Delete DB Cluster
Detect deletion of a database cluster.
Tags:
cloud, source=cloudtrail, aws, aws_rds, mitre_TA0040-impact, mitre_T1485-data-destruction
Delete DB Security Group
Detect deletion of a database security group.
Tags:
cloud, source=cloudtrail, aws, aws_rds
Delete DB Snapshot
Detect deletion of a database snapshot.
Tags:
cloud, source=cloudtrail, aws, aws_rds, mitre_TA0040-impact, mitre_T1485-data-destruction
Make RDS DB Instance Public
Detect making an RDS DB instance public.
Tags:
cloud, source=cloudtrail, aws, aws_rds
Make RDS Snapshot Public
Detect making an RDS snapshot public.
Tags:
cloud, source=cloudtrail, aws, aws_rds
Modify RDS Snapshot Attribute
Detect modification of an RDS snapshot attribute.
Tags:
cloud, source=cloudtrail, aws, aws_rds, mitre_TA0010-exfiltration, mitre_T1537-transfer-data-to-cloud-account
Revoke DB Security Group Ingress
Detect revocation of ingress from a DBSecurityGroup for previously authorized IP ranges or EC2 or VPC security groups.
Tags:
cloud, source=cloudtrail, aws, aws_rds
Stop DB Cluster
Detect stopping of a database cluster.
Tags:
cloud, source=cloudtrail, aws, aws_rds, mitre_TA0040-impact, mitre_T1489-service-stop
Stop DB Instance
Detect stopping of a database instance.
Tags:
cloud, source=cloudtrail, aws, aws_rds, mitre_TA0040-impact, mitre_T1489-service-stop

Route53

Associate VPC with Hosted Zone
Detect association of an Amazon VPC with a private hosted zone.
Tags:
cloud, source=cloudtrail, aws, aws_route53
Change Resource Record Sets
Detect creation, changes, or deletion of a resource record set.
Tags:
cloud, source=cloudtrail, aws, aws_route53
Register Domain
Detect registration of a new domain.
Tags:
cloud, source=cloudtrail, aws, aws_route53

S3

Delete Bucket CORS
Detect deletion of the CORS configuration for a bucket.
Tags:
cloud, source=cloudtrail, aws, aws_s3, mitre_TA0005-defense-evasion, mitre_T1070-indicator-removal-on-host
Delete Bucket Encryption
Detect deletion of the encryption configuration for bucket storage.
Tags:
cloud, source=cloudtrail, aws, aws_s3, mitre_TA0005-defense-evasion, mitre_T1070-indicator-removal-on-host
Delete Bucket Lifecycle
Detect deletion of the lifecycle configuration from the specified bucket.
Tags:
cloud, source=cloudtrail, aws, aws_s3, mitre_TA0005-defense-evasion, mitre_T1070-indicator-removal-on-host
Delete Bucket Policy
Detect deletion of the policy of a specified bucket.
Tags:
cloud, source=cloudtrail, aws, aws_s3, mitre_TA0005-defense-evasion, mitre_T1070-indicator-removal-on-host
Delete Bucket Public Access Block
Detect deletion of the public access block configuration for a bucket.
Tags:
cloud, source=cloudtrail, aws, aws_s3
Delete Bucket Replication
Detect deletion of the replication configuration from the bucket.
Tags:
cloud, source=cloudtrail, aws, aws_s3, mitre_TA0005-defense-evasion, mitre_T1070-indicator-removal-on-host
List Buckets
Detect listing of all S3 buckets.
Tags:
cloud, source=cloudtrail, aws, aws_s3, mitre_TA0007-discovery, mitre_T1083-file-and-directory-discovery
Put Bucket ACL
Detect setting the permissions on an existing bucket using access control lists.
Tags:
cloud, source=cloudtrail, aws, aws_s3, mitre_TA0005-defense-evasion, mitre_T1070-indicator-removal-on-host
Put Bucket CORS
Detect setting the CORS configuration for a bucket.
Tags:
cloud, source=cloudtrail, aws, aws_s3, mitre_TA0005-defense-evasion, mitre_T1070-indicator-removal-on-host
Put Bucket Lifecycle
Detect creation or modification of a lifecycle configuration for the bucket [DEPRECATED use Put Bucket Lifecycle Configuration instead].
Tags:
cloud, source=cloudtrail, aws, aws_s3, mitre_TA0005-defense-evasion, mitre_T1070-indicator-removal-on-host
Put Bucket Policy
Detect applying an Amazon S3 bucket policy to an Amazon S3 bucket.
Tags:
cloud, source=cloudtrail, aws, aws_s3, mitre_TA0005-defense-evasion, mitre_T1070-indicator-removal-on-host
Put Bucket Replication
Detect creation of a replication configuration or the replacement of an existing one.
Tags:
cloud, source=cloudtrail, aws, aws_s3, mitre_TA0005-defense-evasion, mitre_T1070-indicator-removal-on-host

Sagemaker

Create SageMaker Notebook Instance with Direct Internet Access
Detect creation of a SageMaker notebook instance with direct internet access.
Tags:
cloud, source=cloudtrail, aws, aws_sagemaker

Secretsmanager

Get Secret Value
Detect retrieval of the contents of the encrypted fields SecretString or SecretBinary from the specified version of a secret, whichever contains content.
Tags:
cloud, source=cloudtrail, aws, aws_secretsmanager, mitre_TA0006-credential-access, mitre_T1528-steal-application-access-token

SecurityHub

Batch Disable Standards
Detect disabling of the standards specified by the provided StandardsSubscriptionArns.
Tags:
cloud, source=cloudtrail, aws, aws_securityhub
Delete Action Target
Detect deletion of a custom action target from Security Hub.
Tags:
cloud, source=cloudtrail, aws, aws_securityhub, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools
Security Hub Delete Members
Detect deletion of the specified member accounts from Security Hub.
Tags:
cloud, source=cloudtrail, aws, aws_securityhub, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools
Disable Import Findings for Product
Detect disabling of the integration of the specified product with Security Hub.
Tags:
cloud, source=cloudtrail, aws, aws_securityhub, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools
Disable Security Hub
Detect disabling the Security Hub in the current region.
Tags:
cloud, source=cloudtrail, aws, aws_securityhub, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools
Security Hub Disassociate From Master Account
Detect disassociation of the current Security Hub member account from the associated master account.
Tags:
cloud, source=cloudtrail, aws, aws_securityhub, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools
Security Hub Disassociate Members
Detect disassociation of the current Security Hub member account from the associated master account.
Tags:
cloud, source=cloudtrail, aws, aws_securityhub, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools
Update Action Target
Detect updating the name and description of a custom action target in Security Hub.
Tags:
cloud, source=cloudtrail, aws, aws_securityhub, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools
Update Standards Control
Detect enabling or disabling of a standard control.
Tags:
cloud, source=cloudtrail, aws, aws_securityhub, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

VPC

Accept VPC Peering Connection
Detect accepting a VPC peering connection.
Tags:
cloud, source=cloudtrail, aws, aws_vpc, mitre_TA0003-persistence, mitre_TA0005-defense-evasion, mitre_T1108-redundant-access, mitre_T1089-disabling-security-tools
Attach Internet Gateway
Detect attaching an internet gateway.
Tags:
cloud, source=cloudtrail, aws, aws_vpc, mitre_TA0003-persistence, mitre_TA0005-defense-evasion, mitre_T1108-redundant-access, mitre_T1089-disabling-security-tools
Create a Network ACL Entry
Detect creating a network ACL entry.
Tags:
cloud, source=cloudtrail, aws, aws_vpc, mitre_TA0003-persistence, mitre_TA0005-defense-evasion, mitre_T1108-redundant-access, mitre_T1089-disabling-security-tools
Create a Network ACL
Detect creating a network ACL.
Tags:
cloud, source=cloudtrail, aws, aws_vpc, mitre_TA0003-persistence, mitre_TA0005-defense-evasion, mitre_T1108-redundant-access, mitre_T1089-disabling-security-tools
Create VPC Route
Detect creating a VPC route.
Tags:
cloud, source=cloudtrail, aws, aws_vpc, mitre_TA0003-persistence, mitre_TA0005-defense-evasion, mitre_T1108-redundant-access, mitre_T1089-disabling-security-tools
Create VPC Peering Connection
Detect creating a VPC peering connection.
Tags:
cloud, source=cloudtrail, aws, aws_vpc, mitre_TA0003-persistence, mitre_TA0005-defense-evasion, mitre_T1108-redundant-access, mitre_T1089-disabling-security-tools
Create VPC with Default Security Group
Detect creation of a new VPC with default security group.
Tags:
cloud, source=cloudtrail, aws, aws_vpc, aws_fsbp_ec2.2
Create VPC with No Flow Log
Detect creation of a new VPC with no flow log.
Tags:
cloud, source=cloudtrail, aws, aws_vpc, aws_fsbp_ec2.6
Delete VPC Flow Log
Detect deletion of a VPC flow log.
Tags:
cloud, source=cloudtrail, aws, aws_vpc, aws_fsbp_ec2.6, mitre_TA0005-defense-evasion, mitre_T1066-indicator-removal-from-tools
Delete a Network ACL Entry
Detect deletion of a network ACL entry.
Tags:
cloud, source=cloudtrail, aws, aws_vpc, mitre_TA0003-persistence, mitre_TA0005-defense-evasion, mitre_T1108-redundant-access, mitre_T1089-disabling-security-tools
Delete a Network ACL
Detect deleting a network ACL.
Tags:
cloud, source=cloudtrail, aws, aws_vpc, mitre_TA0003-persistence, mitre_TA0005-defense-evasion, mitre_T1108-redundant-access, mitre_T1089-disabling-security-tools
Replace a Network ACL Association
Detect replacement of a network ACL association.
Tags:
cloud, source=cloudtrail, aws, aws_vpc, mitre_TA0003-persistence, mitre_TA0005-defense-evasion, mitre_T1108-redundant-access, mitre_T1089-disabling-security-tools
Replace a Network ACL Entry
Detect replacement of a network ACL entry.
Tags:
cloud, source=cloudtrail, aws, aws_vpc, mitre_TA0003-persistence, mitre_TA0005-defense-evasion, mitre_T1108-redundant-access, mitre_T1089-disabling-security-tools

WAF

Delete WAF Rule Group
Detect deleting a WAF rule group.
Tags:
cloud, source=cloudtrail, aws, aws_waf, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools
Delete Web ACL
Detect deleting a web ACL.
Tags:
cloud, source=cloudtrail, aws, aws_waf, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools