Difference between revisions of "Datadog SIEM Content Packs for Cloudtrail"

From wikieduonline
(16 intermediate revisions by the same user not shown)
Line 1: Line 1:
 * https://docs.datadoghq.com/security/default_rules/#cloudtrail
 
   cloudtrail [[A user received an anomalous number of AccessDenied errors]]
   cloudtrail [[Additional AWS regions enabled]]
Line 12: Line 10:
   cloudtrail [[An AWS account attempted to leave the AWS Organization]]
   cloudtrail [[An AWS S3 bucket lifecycle expiration policy was set to disabled]]
-  cloudtrail [[An AWS S3 bucket lifecycle policy expiration is set to < 90 days]]
+  cloudtrail [[An AWS S3 bucket lifecycle policy expiration is set to]] < 90 days
   cloudtrail [[An AWS S3 bucket mfaDelete is disabled]]
   cloudtrail [[An EC2 instance attempted to enumerate S3 bucket]]
Line 23: Line 21:
   cloudtrail [[Anomalous S3 bucket activity from user ARN]]
   cloudtrail [[Attempt to create Xlarge EC2 instances in multiple AWS regions]]
 <pre>
-cloudtrail AWS access key creation by previously unseen identity
+cloudtrail [[AWS access key creation by previously unseen identity]]
-cloudtrail AWS AMI Made Public
+cloudtrail [[AWS AMI Made Public]]
-cloudtrail AWS CloudTrail configuration modified
+cloudtrail [[AWS CloudTrail configuration modified]]
-cloudtrail AWS CloudTrail trail should have global service events enabled
+cloudtrail [[AWS CloudTrail trail should have global service events enabled]]
-cloudtrail AWS CloudWatch log group deleted
+cloudtrail [[AWS CloudWatch log group deleted]]
-cloudtrail AWS CloudWatch rule disabled or deleted
+cloudtrail [[AWS CloudWatch rule disabled or deleted]]
-cloudtrail AWS Config modified
+cloudtrail [[AWS Config modified]]
-cloudtrail AWS console login without MFA
+cloudtrail [[AWS console login without MFA]]
-cloudtrail AWS ConsoleLogin with MFA triggered Impossible Travel scenario
+cloudtrail [[AWS ConsoleLogin with MFA triggered Impossible Travel scenario]]
-cloudtrail AWS ConsoleLogin without MFA triggered Impossible Travel scenario
+cloudtrail [[AWS ConsoleLogin without MFA triggered Impossible Travel scenario]]
-cloudtrail AWS Detective Graph deleted
+cloudtrail [[AWS Detective Graph deleted]]
-cloudtrail AWS Disable Cloudtrail with event selectors
+cloudtrail [[AWS Disable Cloudtrail with event selectors]]
-cloudtrail AWS EBS default encryption disabled
+cloudtrail [[AWS EBS default encryption disabled]]
-cloudtrail AWS EBS Snapshot Made Public
+cloudtrail [[AWS EBS Snapshot Made Public]]
-cloudtrail AWS EBS Snapshot possible exfiltration
+cloudtrail [[AWS EBS Snapshot possible exfiltration]]
-cloudtrail AWS EC2 new event for application
+cloudtrail [[AWS EC2 new event for application]]
-cloudtrail AWS EC2 new event for EKS Node Group
+cloudtrail [[AWS EC2 new event for EKS Node Group]]
-cloudtrail AWS EC2 subnet deleted
+cloudtrail [[AWS EC2 subnet deleted]]
-cloudtrail AWS ECS cluster deleted
+cloudtrail [[AWS ECS cluster deleted]]
-cloudtrail AWS ECS CreateCluster API calls in multiple regions
+cloudtrail [[AWS ECS CreateCluster API calls in multiple regions]]
-cloudtrail AWS EventBridge rule disabled or deleted
+cloudtrail [[AWS EventBridge rule disabled or deleted]]
-cloudtrail AWS GuardDuty detector deleted
+cloudtrail [[AWS GuardDuty detector deleted]]
-cloudtrail AWS GuardDuty publishing destination deleted
+cloudtrail [[AWS GuardDuty publishing destination deleted]]
-cloudtrail AWS GuardDuty threat intel set deleted
+cloudtrail [[AWS GuardDuty threat intel set deleted]]
-cloudtrail AWS IAM activity by S3 browser utility
+cloudtrail [[AWS IAM activity by S3 browser utility]]
-cloudtrail AWS IAM activity from EC2 instance
+cloudtrail [[AWS IAM activity from EC2 instance]]
-cloudtrail AWS IAM AdministratorAccess policy was applied to a group
+cloudtrail [[AWS IAM AdministratorAccess policy was applied to a group]]
-cloudtrail AWS IAM AdministratorAccess policy was applied to a role
+cloudtrail [[AWS IAM AdministratorAccess policy was applied to a role]]
-cloudtrail AWS IAM AdministratorAccess policy was applied to a user
+cloudtrail [[AWS IAM AdministratorAccess policy was applied to a user]]
-cloudtrail AWS IAM policy modified
+cloudtrail [[AWS IAM policy modified]]
-cloudtrail AWS IAM Roles Anywhere trust anchor created
+cloudtrail [[AWS IAM Roles Anywhere trust anchor created]]
-cloudtrail AWS IAM User created with AdministratorAccess policy attached
+cloudtrail [[AWS IAM User created with AdministratorAccess policy attached]]
-cloudtrail AWS Java_Ghost security group creation attempt
+cloudtrail [[AWS Java_Ghost security group creation attempt]]
-cloudtrail AWS Kinesis Firehose stream destination modified
+cloudtrail [[AWS Kinesis Firehose stream destination modified]]
-cloudtrail AWS KMS key deleted or scheduled for deletion
+cloudtrail [[AWS KMS key deleted or scheduled for deletion]]
-cloudtrail AWS Lambda function modified by IAM user
+cloudtrail [[AWS Lambda function modified by IAM user]]
-cloudtrail AWS Lambda function resource-based policy modified by IAM user
+cloudtrail [[AWS Lambda function resource-based policy modified by IAM user]]
-cloudtrail AWS Network Access Control List created or modified
+cloudtrail [[AWS Network Access Control List created or modified]]
-cloudtrail AWS KMS key deleted or scheduled for deletion
+cloudtrail [[AWS KMS key deleted or scheduled for deletion]]
-cloudtrail AWS Lambda function modified by IAM user
+cloudtrail [[AWS Lambda function modified by IAM user]]
-cloudtrail AWS Lambda function resource-based policy modified by IAM user
+cloudtrail [[AWS Lambda function resource-based policy modified by IAM user]]
-cloudtrail AWS Network Access Control List created or modified
+cloudtrail [[AWS Network Access Control List created or modified]]
-cloudtrail AWS Network Gateway created or modified
+cloudtrail [[AWS Network Gateway created or modified]]
-cloudtrail AWS principal added to multiple EKS clusters
+cloudtrail [[AWS principal added to multiple EKS clusters]]
-cloudtrail AWS principal assigned administrative privileges in an EKS cluster
+cloudtrail [[AWS principal assigned administrative privileges in an EKS cluster]]
-cloudtrail AWS principal granted access to a EKS cluster then removed
+cloudtrail [[AWS principal granted access to a EKS cluster then removed]]
-cloudtrail AWS RDS Cluster deleted
+cloudtrail [[AWS RDS Cluster deleted]]
-cloudtrail AWS root account activity
+cloudtrail [[AWS root account activity]]
-cloudtrail AWS Route 53 DNS query logging disabled
+cloudtrail [[AWS Route 53 DNS query logging disabled]]
-cloudtrail AWS Route 53 VPC disassociated from query logging configuration
+cloudtrail [[AWS Route 53 VPC disassociated from query logging configuration]]
-cloudtrail AWS Route Table created or modified
+cloudtrail [[AWS Route Table created or modified]]
-cloudtrail AWS S3 Bucket ACL made public
+cloudtrail [[AWS S3 Bucket ACL made public]]
-cloudtrail AWS S3 Public Access Block removed
+cloudtrail [[AWS S3 Public Access Block removed]]
-cloudtrail AWS security group created, modified or deleted
+cloudtrail [[AWS security group created, modified or deleted]]
-cloudtrail AWS Security Hub disabled
+cloudtrail [[AWS Security Hub disabled]]
-cloudtrail AWS SES add verified identity followed by the deletion of the identity
+cloudtrail [[AWS SES add verified identity followed by the deletion of the identity]]
-cloudtrail AWS SES discovery attempt by long term access key
+cloudtrail [[AWS SES discovery attempt by long term access key]]
-cloudtrail AWS SES email sending enabled in current AWS region
+cloudtrail [[AWS SES email sending enabled in current AWS region]]
-cloudtrail AWS VPC created or modified
+cloudtrail [[AWS VPC created or modified]]
-cloudtrail AWS VPC Flow Log deleted
+cloudtrail [[AWS VPC Flow Log deleted]]
-cloudtrail AWS WAF traffic blocked by specific rule
+cloudtrail [[AWS WAF traffic blocked by specific rule]]
-cloudtrail AWS WAF traffic blocked by specific rule on multiple IPs
+cloudtrail [[AWS WAF traffic blocked by specific rule on multiple IPs]]
-cloudtrail AWS WAF web access control list deleted
+cloudtrail [[AWS WAF web access control list deleted]]
-cloudtrail AWS WAF web access control list modified
+cloudtrail [[AWS WAF web access control list modified]]
-cloudtrail CloudTrail log file validation should be enabled
+cloudtrail [[CloudTrail log file validation should be enabled]]
-cloudtrail CloudTrail logs S3 bucket should not be public accessible
+cloudtrail [[CloudTrail logs S3 bucket should not be public accessible]]
-cloudtrail CloudTrail logs should be encrypted at rest using KMS CMKs
+cloudtrail [[CloudTrail logs should be encrypted at rest using KMS CMKs]]
-cloudtrail Cloudtrail SecretsManager secret retrieved from AWS CloudShell environment
+cloudtrail [[Cloudtrail SecretsManager secret retrieved from AWS CloudShell environment]]
-cloudtrail CloudTrail trails should be integrated with CloudWatch Logs
+cloudtrail [[CloudTrail trails should be integrated with CloudWatch Logs]]
-cloudtrail Compromised AWS EC2 Instance
+cloudtrail [[Compromised AWS EC2 Instance]]
-cloudtrail Compromised AWS IAM User Access Key
+cloudtrail [[Compromised AWS IAM User Access Key]]
-cloudtrail Encrypted administrator password retrieved for Windows EC2 instance
+cloudtrail [[Encrypted administrator password retrieved for Windows EC2 instance]]
-cloudtrail New Amazon EC2 Instance type
+cloudtrail [[New Amazon EC2 Instance type]]
-cloudtrail New AWS account seen assuming a role into AWS account
+cloudtrail [[New AWS account seen assuming a role into AWS account]]
-cloudtrail New Private Repository Container Image detected in AWS ECR
+cloudtrail [[New Private Repository Container Image detected in AWS ECR]]
-cloudtrail New Public Repository Container Image detected in AWS ECR
+cloudtrail [[New Public Repository Container Image detected in AWS ECR]]
-cloudtrail New user seen executing a command in an ECS task
+cloudtrail [[New user seen executing a command in an ECS task]]
-cloudtrail Object-level logging should be enabled for S3 bucket read events
+cloudtrail [[Object-level logging should be enabled for S3 bucket read events]]
-cloudtrail Possible AWS EC2 privilege escalation via the modification of user data
+cloudtrail [[Possible AWS EC2 privilege escalation via the modification of user data]]
-cloudtrail Possible privilege escalation via AWS login profile manipulation
+cloudtrail [[Possible privilege escalation via AWS login profile manipulation]]
-cloudtrail Possible RDS Snapshot exfiltration
+cloudtrail [[Possible RDS Snapshot exfiltration]]
-cloudtrail Potential administrative port open to the world via AWS security group
+cloudtrail [[Potential administrative port open to the world via AWS security group]]
-cloudtrail Potential brute force attack on AWS ConsoleLogin
+cloudtrail [[Potential brute force attack on AWS ConsoleLogin]]
-cloudtrail Potential database port open to the world via AWS security group
+cloudtrail [[Potential database port open to the world via AWS security group]]
-cloudtrail S3 bucket access logging should be enabled on the CloudTrail S3 bucket
+cloudtrail [[S3 bucket access logging should be enabled on the CloudTrail S3 bucket]]
-cloudtrail S3 bucket write events should have object-level logging enabled
+cloudtrail [[S3 bucket write events should have object-level logging enabled]]
-cloudtrail Security group open to the world
+cloudtrail [[Security group open to the world]]
-cloudtrail Temporary AWS security credentials generated for user
+cloudtrail [[Temporary AWS security credentials generated for user]]
-cloudtrail The AWS managed policy AWSCompromisedKeyQuarantineV2 has been attached
+cloudtrail [[The AWS managed policy AWSCompromisedKeyQuarantineV2 has been attached]]
-cloudtrail There should be at least one multi-region CloudTrail trail per AWS account
+cloudtrail [[There should be at least one multi-region CloudTrail trail per AWS account]]
-cloudtrail Tor client IP address identified within AWS environment
+cloudtrail [[Tor client IP address identified within AWS environment]]
-cloudtrail TruffleHog user agent observed in AWS
+cloudtrail [[TruffleHog user agent observed in AWS]]
-cloudtrail Unfamiliar IAM user retrieved a decrypted AWS Systems Manager parameter
+cloudtrail [[Unfamiliar IAM user retrieved a decrypted AWS Systems Manager parameter]]
-cloudtrail Unfamiliar IAM user retrieved secret from AWS Secrets Manager
+cloudtrail [[Unfamiliar IAM user retrieved secret from AWS Secrets Manager]]
-cloudtrail Unfamiliar IAM user retrieved SSM parameter
+cloudtrail [[Unfamiliar IAM user retrieved SSM parameter]]
-cloudtrail Unusual AWS enumeration event from EC2 instance
+cloudtrail [[Unusual AWS enumeration event from EC2 instance]]
-cloudtrail User enumerated AWS Secrets Manager - Anomaly
+cloudtrail [[User enumerated AWS Secrets Manager - Anomaly]]
-cloudtrail User enumerated AWS Systems Manager parameters - Anomaly
+cloudtrail [[User enumerated AWS Systems Manager parameters - Anomaly]]
-cloudtrail User travel was impossible in AWS CloudTrail IAM log
+cloudtrail [[User travel was impossible in AWS CloudTrail IAM log]]
 </pre>
 
+== Related ==
+* [[CloudTrailServiceRolePolicy]]
 
 == See also ==
+* {{Content Packs}}
 * {{Cloudtrail}}
 * {{DD SIEM}}
+
+[[Category:SIEM]]
+[[Category:Datadog]]

Latest revision as of 12:08, 23 September 2024

cloudtrail A user received an anomalous number of AccessDenied errors
cloudtrail Additional AWS regions enabled
cloudtrail Amazon EC2 AMI exfiltration attempt by IAM user
cloudtrail Amazon S3 bucket policy modified
cloudtrail Amazon SES enumeration attempt by previously unseen user
cloudtrail Amazon SES modification attempt
cloudtrail Amazon SNS enumeration attempt by previously unseen user
cloudtrail Amazon SNS enumeration in multiple regions using a long-term access key
cloudtrail An AWS account attempted to leave the AWS Organization
cloudtrail An AWS S3 bucket lifecycle expiration policy was set to disabled
cloudtrail An AWS S3 bucket lifecycle policy expiration is set to < 90 days
cloudtrail An AWS S3 bucket mfaDelete is disabled
cloudtrail An EC2 instance attempted to enumerate S3 bucket
cloudtrail Anomalous amount of access denied events for AWS EC2 Instance
cloudtrail Anomalous amount of Autoscaling Group events
cloudtrail Anomalous API Gateway API key reads by user
cloudtrail Anomalous number of assumed roles from user
cloudtrail Anomalous number of S3 buckets accessed
cloudtrail Anomalous number of secrets retrieved from AWS Secrets Manager
cloudtrail Anomalous S3 bucket activity from user ARN
cloudtrail Attempt to create Xlarge EC2 instances in multiple AWS regions
cloudtrail AWS access key creation by previously unseen identity
cloudtrail AWS AMI Made Public
cloudtrail AWS CloudTrail configuration modified
cloudtrail AWS CloudTrail trail should have global service events enabled
cloudtrail AWS CloudWatch log group deleted
cloudtrail AWS CloudWatch rule disabled or deleted
cloudtrail AWS Config modified
cloudtrail AWS console login without MFA
cloudtrail AWS ConsoleLogin with MFA triggered Impossible Travel scenario
cloudtrail AWS ConsoleLogin without MFA triggered Impossible Travel scenario
cloudtrail AWS Detective Graph deleted
cloudtrail AWS Disable Cloudtrail with event selectors
cloudtrail AWS EBS default encryption disabled
cloudtrail AWS EBS Snapshot Made Public
cloudtrail AWS EBS Snapshot possible exfiltration
cloudtrail AWS EC2 new event for application
cloudtrail AWS EC2 new event for EKS Node Group
cloudtrail AWS EC2 subnet deleted
cloudtrail AWS ECS cluster deleted
cloudtrail AWS ECS CreateCluster API calls in multiple regions
cloudtrail AWS EventBridge rule disabled or deleted
cloudtrail AWS GuardDuty detector deleted
cloudtrail AWS GuardDuty publishing destination deleted
cloudtrail AWS GuardDuty threat intel set deleted
cloudtrail AWS IAM activity by S3 browser utility
cloudtrail AWS IAM activity from EC2 instance
cloudtrail AWS IAM AdministratorAccess policy was applied to a group
cloudtrail AWS IAM AdministratorAccess policy was applied to a role
cloudtrail AWS IAM AdministratorAccess policy was applied to a user
cloudtrail AWS IAM policy modified
cloudtrail AWS IAM Roles Anywhere trust anchor created
cloudtrail AWS IAM User created with AdministratorAccess policy attached
cloudtrail AWS Java_Ghost security group creation attempt
cloudtrail AWS Kinesis Firehose stream destination modified
cloudtrail AWS KMS key deleted or scheduled for deletion
cloudtrail AWS Lambda function modified by IAM user
cloudtrail AWS Lambda function resource-based policy modified by IAM user
cloudtrail AWS Network Access Control List created or modified
cloudtrail AWS KMS key deleted or scheduled for deletion
cloudtrail AWS Lambda function modified by IAM user
cloudtrail AWS Lambda function resource-based policy modified by IAM user
cloudtrail AWS Network Access Control List created or modified
cloudtrail AWS Network Gateway created or modified
cloudtrail AWS principal added to multiple EKS clusters
cloudtrail AWS principal assigned administrative privileges in an EKS cluster
cloudtrail AWS principal granted access to a EKS cluster then removed
cloudtrail AWS RDS Cluster deleted
cloudtrail AWS root account activity
cloudtrail AWS Route 53 DNS query logging disabled
cloudtrail AWS Route 53 VPC disassociated from query logging configuration
cloudtrail AWS Route Table created or modified
cloudtrail AWS S3 Bucket ACL made public
cloudtrail AWS S3 Public Access Block removed
cloudtrail AWS security group created, modified or deleted
cloudtrail AWS Security Hub disabled
cloudtrail AWS SES add verified identity followed by the deletion of the identity
cloudtrail AWS SES discovery attempt by long term access key
cloudtrail AWS SES email sending enabled in current AWS region
cloudtrail AWS VPC created or modified
cloudtrail AWS VPC Flow Log deleted
cloudtrail AWS WAF traffic blocked by specific rule
cloudtrail AWS WAF traffic blocked by specific rule on multiple IPs
cloudtrail AWS WAF web access control list deleted
cloudtrail AWS WAF web access control list modified
cloudtrail CloudTrail log file validation should be enabled
cloudtrail CloudTrail logs S3 bucket should not be public accessible
cloudtrail CloudTrail logs should be encrypted at rest using KMS CMKs
cloudtrail Cloudtrail SecretsManager secret retrieved from AWS CloudShell environment
cloudtrail CloudTrail trails should be integrated with CloudWatch Logs
cloudtrail Compromised AWS EC2 Instance
cloudtrail Compromised AWS IAM User Access Key
cloudtrail Encrypted administrator password retrieved for Windows EC2 instance
cloudtrail New Amazon EC2 Instance type
cloudtrail New AWS account seen assuming a role into AWS account
cloudtrail New Private Repository Container Image detected in AWS ECR
cloudtrail New Public Repository Container Image detected in AWS ECR
cloudtrail New user seen executing a command in an ECS task
cloudtrail Object-level logging should be enabled for S3 bucket read events
cloudtrail Possible AWS EC2 privilege escalation via the modification of user data
cloudtrail Possible privilege escalation via AWS login profile manipulation
cloudtrail Possible RDS Snapshot exfiltration
cloudtrail Potential administrative port open to the world via AWS security group
cloudtrail Potential brute force attack on AWS ConsoleLogin
cloudtrail Potential database port open to the world via AWS security group
cloudtrail S3 bucket access logging should be enabled on the CloudTrail S3 bucket
cloudtrail S3 bucket write events should have object-level logging enabled
cloudtrail Security group open to the world
cloudtrail Temporary AWS security credentials generated for user
cloudtrail The AWS managed policy AWSCompromisedKeyQuarantineV2 has been attached
cloudtrail There should be at least one multi-region CloudTrail trail per AWS account
cloudtrail Tor client IP address identified within AWS environment
cloudtrail TruffleHog user agent observed in AWS
cloudtrail Unfamiliar IAM user retrieved a decrypted AWS Systems Manager parameter
cloudtrail Unfamiliar IAM user retrieved secret from AWS Secrets Manager
cloudtrail Unfamiliar IAM user retrieved SSM parameter
cloudtrail Unusual AWS enumeration event from EC2 instance
cloudtrail User enumerated AWS Secrets Manager - Anomaly
cloudtrail User enumerated AWS Systems Manager parameters - Anomaly
cloudtrail User travel was impossible in AWS CloudTrail IAM log
