Amazon Web Services – Rules by Use Case
Advanced Analytics versions that support AWS rules:
- Legacy Data Structure versions: i62.4 (supports only the subset of Privilege Escalation rules marked with * in the table below)
- Common Information Model versions: i63, i63.5 (support every rule listed under every use case)
Note: All model-based rules have rule names ending in "-F" (first-time-seen models, e.g. first time a user acts from a region) or "-A" (abnormal-count models, e.g. an abnormal number of login failures). Rules without either suffix are fact-based: they trigger on the content of the event itself and do not depend on a learned baseline.
Use Case | Rule ID | Rule Name
---|---|---
Abnormal Authentication & Access | AWS-RootLoginWithoutMFA | A root user logged in without MFA
Abnormal Authentication & Access | AWS-UserConsoleSignIn-Org-F | First time console sign in for user
Abnormal Authentication & Access | AWS-FailedSignInCount-User-A | Abnormal amount of login failures
Abnormal Authentication & Access | AWS-MFASignIn-User-F | First time console sign in without MFA for user
Abnormal Authentication & Access | AWS-MFA-User-F | First time authentication without MFA for user
Abnormal Authentication & Access | AWS-Region-User-F | First time region for user
Abnormal Authentication & Access | AWS-Region-Org-F | First time region for org
Abnormal Authentication & Access | AWS-Operation-User-F | First time operation for user
Abnormal Authentication & Access | AWS-DistinctOperationCount-User-A | Abnormal amount of distinct operations
Abnormal Authentication & Access | AWS-UnauthorizedOperationCount-User-A | Abnormal amount of unauthorized operations
Abnormal Authentication & Access | AWS-Service-User-F | First time cloud service for user
Abnormal Authentication & Access | AWS-UserAgent-Org-F | First time user agent seen in the organization
Abnormal Authentication & Access | AWS-Country-User-F | First time country for user
Abnormal Authentication & Access | AWS-Time-User-F | Abnormal time for user activity in AWS
Abnormal Authentication & Access | AWS-UserAgent-User-F | First time user agent seen for user
Privilege Escalation | *AWS-CriticalPolicy | A critical policy was created in AWS
Privilege Escalation | AWS-AdminPolicy | A critical policy with admin permissions was created in AWS
Privilege Escalation | AWS-AdminPolicyAttach | A critical policy with admin permissions was attached to an identity in AWS
Privilege Escalation | *AWS-UserAssumeRole-Org-F | First time this user assumed a role in AWS
Privilege Escalation | *AWS-DistinctRoleAssumptionsCount-User-A | Abnormal amount of assume role operations for this user
Privilege Escalation | AWS-AssumedRoles-User-F | First time this user assumed this role in AWS
Privilege Escalation | AWS-AssumingUsers-Role-F | First time this role was assumed by this user in AWS
Privilege Escalation | *AWS-UserPermEnum-Org-F | First time permissions enumeration for user
Privilege Escalation | *AWS-PermEnumCount-User-A | Abnormal amount of permissions enumeration operations for this user
Privilege Escalation | *AWS-UserCreateRole-Org-F | First time role creation for user
Privilege Escalation | *AWS-UserCreatePolicy-Org-F | First time policy creation for user
Privilege Escalation | *AWS-UserSetDefaultPolicyVersion-Org-F | First time default policy version rollback for user
Privilege Escalation | AWS-UserCreatePolicyAdmin-Org-F | First time this user created an administrative policy
Privilege Escalation | *AWS-UserCreatePolicyCriticalGlobal-Org-F | First time critical (global) policy creation for user
Privilege Escalation | *AWS-UserCreatePolicyCritical-Org-F | First time critical policy creation for user
Privilege Escalation | *AWS-UserAddIdentityPolicy-Org-F | First time policy attachment to an identity for this user
Privilege Escalation | *AWS-UserAddIdentityPolicyGlobal-Org-F | First time critical (global) policy attachment for user
Privilege Escalation | *AWS-UserAddIdentityPolicyCritical-Org-F | First time critical policy attachment to an identity for user
Privilege Escalation | *AWS-UserModfiyAssumeRole-Org-F | First time this user modified who can assume a role in AWS
Privilege Escalation | AWS-RolePublicPolicy-Org-F | First time this role was made public in AWS
Privilege Escalation | AWS-UserGetPasswordData-Org-F | First time instance administrator password extraction for user
Cloud Data Protection | AWS-RemovePublicAccessBlock | A user removed the public access block from a bucket/account
Cloud Data Protection | AWS-BucketSetPublic | A user modified a bucket policy/ACL to make it public
Cloud Data Protection | AWS-ObjectSetPublic | A user modified an object ACL to make it public
Cloud Data Protection | AWS-ComputeSetPublic | A user made a compute resource public
Cloud Data Protection | AWS-UserStorageList-Org-F | First time enumeration of storage buckets or objects for user
Cloud Data Protection | AWS-StorageListCount-User-A | Abnormal amount of enumeration operations of storage buckets or objects for this user
Cloud Data Protection | AWS-UserCreateBucket-Org-F | First time storage bucket creation for user
Cloud Data Protection | AWS-UserPutBucketPolicy-Org-F | First time bucket IAM policy modification for user
Cloud Data Protection | AWS-UserPutBucketACL-Org-F | First time bucket ACL policy modification for user
Cloud Data Protection | AWS-UserSetBucketPublic-Org-F | First time this user set a bucket public
Cloud Data Protection | AWS-UserPutObjectAcl-Org-F | First time object ACL policy modification for user
Cloud Data Protection | AWS-GetObjectCount-User-A | Abnormal amount of storage object get operations for this user
Cloud Data Protection | AWS-CopyObjectCount-Bucket-A | Abnormal amount of storage object copy operations to this bucket
Cloud Data Protection | AWS-CopyObjectCount-Org-A | Abnormal amount of storage object copies from the organization
Cloud Data Protection | AWS-BytesOut-Bucket-A | Abnormal amount of bytes read from this bucket
Cloud Data Protection | AWS-ComputeListCount-User-A | Abnormal amount of enumeration operations of compute resources for this user
Cloud Data Protection | AWS-UserModifyComputeAttribute-Org-F | First time compute resource permission modification for user
Cloud Data Protection | AWS-UserCreateKeyPair-Org-F | First time instance SSH key modification for user
Cloud Data Protection | AWS-UserInstanceConsoleLogin-Org-F | First time instance console login for user
Cloud Data Protection | AWS-UserCreateSnapshot-Org-F | First time snapshot creation for user
Cloud Data Protection | AWS-UserCreateVolumeSnapshot-Org-F | First time volume creation from a snapshot for user
Cloud Data Protection | AWS-UserAttachVolume-Org-F | First time volume attachment for user
Cloud Data Protection | AWS-DistinctAttachVolumeCount-User-A | Abnormal amount of distinct attach volume operations
Cloud Data Protection | AWS-UserGetConsoleScreenshot-Org-F | First time instance screenshot for user
Cloud Data Protection | AWS-UserInstanceExport-Org-F | First time instance export for user
Cloud Data Protection | B-AWS-UserPutBucketPolicy-Org-F | First time bucket IAM policy modification for user
Cloud Data Protection | B-AWS-UserPutBucketACL-Org-F | First time bucket ACL policy modification for user
Cloud Data Protection | B-AWS-UserPutObjectAcl-Org-F | First time object ACL policy modification for user
Cloud Data Protection | B-AWS-GetObjectCount-User-A | Abnormal amount of storage object get operations for this user
Cloud Data Protection | B-AWS-GetObjectCount-Bucket-A | Abnormal amount of storage object get operations for this bucket
Cloud Data Protection | B-AWS-CopyObjectCount-Bucket-A | Abnormal amount of storage object copy operations to this bucket
Cloud Data Protection | B-AWS-CopyObjectCount-Org-A | Abnormal amount of storage object copies from the organization
Cloud Data Protection | B-AWS-BytesOut-Bucket-A | Abnormal amount of bytes read from this bucket
Cloud Data Protection | B-AWS-User-Bucket-F | First time this user has accessed this bucket
Cloud Data Protection | B-AWS-UserAgent-Bucket-F | First time this user agent was used to access this bucket
Cloud Data Protection | B-AWS-Operation-Bucket-F | First time this operation was used on this bucket
Malware | AWS-InstanceStartupScript | A startup script was added to an instance in AWS
Malware | AWS-UserPutObject-Org-F | First time object creation for user
Malware | AWS-UserPutObjectCritical-Org-F | First time critical object creation for user
Malware | AWS-UserSendCommand-Org-F | First time remote command execution on an instance in AWS
Malware | AWS-UserCreateImage-Org-F | First time image creation for user
Malware | AWS-UserComputeImport-Org-F | First time compute resource import for user
Malware | B-AWS-UserPutObject-Org-F | First time object creation for user
Malware | B-AWS-UserPutObjectCritical-Org-F | First time critical object creation for user
Account Manipulation | AWS-UserIdentityEnum-Org-F | First time identity enumeration for user
Account Manipulation | AWS-UserCreateAccessKey-Org-F | First time access key creation for user
Account Manipulation | AWS-UserCreateUser-Org-F | First time user creation for user
Account Manipulation | AWS-UserAddToGroup-Org-F | First time add-user-to-group operation for user
Account Manipulation | AWS-UserWriteLoginProfile-Org-F | First time this user updated or created a login profile in AWS
Cryptomining | AWS-UserRunInstances-Org-F | First time instance creation for user

* Indicates a rule supported in Advanced Analytics version i62.4.
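The following is an added example, not Exabeam content and not the Advanced Analytics rule engine, that shows how the two rule families above differ when run over CloudTrail records: the fact-based rules (AWS-RootLoginWithoutMFA, AWS-RemovePublicAccessBlock) decide from the fields of one event, the "-F" rule (AWS-Region-User-F) needs a per-user set of previously seen values, and the "-A" rule (AWS-FailedSignInCount-User-A) needs a per-user count history. The CloudTrail field names (eventName, awsRegion, userIdentity.type, additionalEventData.MFAUsed, responseElements.ConsoleLogin) are real; the sample events, the baseline layout, and the mean + 3 standard deviations scoring of the "-A" rule are assumptions made for the example.

```python
"""Toy rule evaluator for CloudTrail events, written for this page to show the
difference between fact-based rules and the model-based "-F" / "-A" rules.
It is not Exabeam's rule engine: the baseline format and the scoring threshold
for the "-A" rule are assumptions made for the example."""
import statistics
from collections import defaultdict

ACCOUNT = "111122223333"                        # constructed account id
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"
BOB = f"arn:aws:iam::{ACCOUNT}:user/bob"


def login(arn, user_type, mfa, result, region="us-east-1"):
    """Build a constructed ConsoleLogin record using the real CloudTrail field names."""
    return {"eventName": "ConsoleLogin", "awsRegion": region,
            "userIdentity": {"type": user_type, "arn": arn},
            "additionalEventData": {"MFAUsed": mfa},
            "responseElements": {"ConsoleLogin": result}}


# Constructed sample events (values are made up; field names follow CloudTrail).
SAMPLE_EVENTS = [
    login(ROOT, "Root", "No", "Success"),
    login(ALICE, "IAMUser", "Yes", "Success"),
    {"eventName": "DescribeInstances", "awsRegion": "eu-west-3",
     "userIdentity": {"type": "IAMUser", "arn": ALICE}},
    {"eventName": "DeleteAccountPublicAccessBlock", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": BOB}},
] + [login(BOB, "IAMUser", "No", "Failure")] * 12


def make_baseline():
    """What the models have learned before these events arrive (assumed format)."""
    return {
        "regions": defaultdict(set, {ROOT: {"us-east-1"}, ALICE: {"us-east-1"},
                                     BOB: {"us-east-1"}}),
        # bob's failed console sign-ins per day over the previous five days
        "failed_logins": {BOB: [0, 1, 0, 2, 1]},
    }


def actor(event):
    return event["userIdentity"].get("arn", "unknown")


# Fact-based rules: decided from the fields of a single event, no baseline needed.
def rule_root_login_without_mfa(event):
    """AWS-RootLoginWithoutMFA."""
    return (event["eventName"] == "ConsoleLogin"
            and event["userIdentity"].get("type") == "Root"
            and event.get("additionalEventData", {}).get("MFAUsed") == "No"
            and event.get("responseElements", {}).get("ConsoleLogin") == "Success")


def rule_remove_public_access_block(event):
    """AWS-RemovePublicAccessBlock: bucket-level or account-level removal."""
    return event["eventName"] in ("DeletePublicAccessBlock",
                                  "DeleteAccountPublicAccessBlock")


# Model-based "-F" rule: fires when a value is new for the entity, then learns it.
def rule_region_user_first(event, baseline):
    """AWS-Region-User-F: first time this region is seen for this user."""
    seen = baseline["regions"][actor(event)]
    if event["awsRegion"] in seen:
        return False
    seen.add(event["awsRegion"])
    return True


# Model-based "-A" rule: compares a count against the entity's own history.
def abnormal_failed_signin_count(count, history, min_count=5):
    """AWS-FailedSignInCount-User-A, scored here as mean + 3*stdev (an assumption)."""
    if len(history) < 2:
        return count >= min_count      # no usable history: fall back to a floor
    threshold = statistics.mean(history) + 3 * statistics.pstdev(history)
    return count >= min_count and count > threshold


def evaluate(events, baseline):
    """Run all four rules over an event stream; returns (rule_id, actor) pairs."""
    alerts = []
    failures = defaultdict(int)
    for ev in events:
        if rule_root_login_without_mfa(ev):
            alerts.append(("AWS-RootLoginWithoutMFA", actor(ev)))
        if rule_remove_public_access_block(ev):
            alerts.append(("AWS-RemovePublicAccessBlock", actor(ev)))
        if rule_region_user_first(ev, baseline):
            alerts.append(("AWS-Region-User-F", actor(ev)))
        if (ev["eventName"] == "ConsoleLogin"
                and ev.get("responseElements", {}).get("ConsoleLogin") == "Failure"):
            failures[actor(ev)] += 1
    for user, n in failures.items():
        if abnormal_failed_signin_count(n, baseline["failed_logins"].get(user, [])):
            alerts.append(("AWS-FailedSignInCount-User-A", user))
    return alerts


if __name__ == "__main__":
    for rule_id, who in evaluate(SAMPLE_EVENTS, make_baseline()):
        print(f"{rule_id:32} {who}")
```

The point the sample stream makes is that alice's console sign-in from us-east-1 is silent because the region is already in her baseline, while a single DescribeInstances call from eu-west-3 fires AWS-Region-User-F; bob's twelve failed sign-ins fire AWS-FailedSignInCount-User-A only because they exceed both a fixed floor and his own history, and the two fact-based rules fire with no baseline at all. A fresh baseline is needed per run because the "-F" rule learns the values it sees.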