Isai
ca821414a4
* [New Rule] AWS S3 Rapid Bucket Posture API Calls from a Single Principal Detects the same principal (`aws.cloudtrail.user_identity.arn`) from the same `source.ip` successfully calling a tight set of read-only S3 management APIs: ``` GetBucketAcl, GetBucketPublicAccessBlock, GetBucketPolicy, GetBucketPolicyStatus, GetBucketVersioning ``` against more than 15 distinct buckets (`aws.cloudtrail.resources.arn`) within a 10-second window. The idea is grounded in cloud reconnaissance and scanner-style behavior discussed in Kudelski Security’s analysis of the Trivy supply chain story and related cloud activity. It explicitly called out automated assessment tooling and posture-oriented API use across ~24 buckets in a short time. It also highlighted the user's blind spot in telemetry with no Data events captured for S3 buckets. So would need to rely on management APIs for detection. All our existing detections related to S3 rely on Data events and we have no explicit detections for scanner style recon sweeps as described in this threat report. ### Rule Design - ES|QL with date_trunc(10 seconds, …) and count_distinct(aws.cloudtrail.resources.arn) grouped by time bucket, identity ARN, and source.ip. - Management level API calls that are commonly used to identify bucket posture including public accessibility status and whether or not versioning is enabled (necessary info for ransomeware objectives) - Excludes AWSService, requires source.ip, non-null aws.cloudtrail.resources.arn and user_identity.arn, and session_credential_from_console IS NULL to capture programmatic sessions over console behavior. - Threshold 15 after evaluating rule in production environment to reduce noise from benign scanners and automation. - low severity as this rule is FP prone until users add exclusions for known scanner behaviors specific to their environment * correcting highlighted fields --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
rules/
Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)
| folder | description |
|---|---|
. |
Root directory where rules are stored |
apm/ |
Rules that use Application Performance Monitoring (APM) data sources |
cross-platform/ |
Rules that apply to multiple platforms, such as Windows and Linux |
integrations/ |
Rules organized by Fleet integration |
linux/ |
Rules for Linux or other Unix based operating systems |
macos/ |
Rules for macOS |
ml/ |
Rules that use machine learning jobs (ML) |
network/ |
Rules that use network data sources |
promotions/ |
Rules that promote external alerts into detection engine alerts |
windows/ |
Rules for the Microsoft Windows Operating System |
Integration specific rules are stored in the integrations/ directory:
| folder | integration |
|---|---|
aws/ |
Amazon Web Services (AWS) |
azure/ |
Microsoft Azure |
cyberarkpas/ |
Cyber Ark Privileged Access Security |
endpoint/ |
Elastic Endpoint Security |
gcp/ |
Google Cloud Platform (GCP) |
google_workspace/ |
Google Workspace (formerly GSuite) |
o365/ |
Microsoft Office |
okta/ |
Okta |