cscli scenarios install crowdsecurity/aws-cis-benchmark-root-usage
Detects usage of the AWS root account based on CloudTrail logs (Section 1.7 of the CIS AWS Foundations Benchmark 1.4.0, "Eliminate use of the root user for administrative and daily tasks").
type: trigger
name: crowdsecurity/aws-cis-benchmark-root-usage
description: "Detect AWS root account usage"
filter: |
  evt.Meta.log_type == 'aws-cloudtrail' &&
  evt.Unmarshaled.cloudtrail.userIdentity.type == "Root" &&
  evt.Unmarshaled.cloudtrail.userIdentity.invokedBy == nil &&
  evt.Unmarshaled.cloudtrail.eventType != "AwsServiceEvent"
labels:
  confidence: 3
  spoofable: 0
  classification:
    - attack.T1078
    - attack.T1098
  behavior: "cloud:unusual-activity"
  label: "AWS root account usage"
  service: aws
  cti: false
  remediation: false
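The filter above keeps only events where the root principal itself acted: the `invokedBy == nil` clause drops API calls an AWS service made on the account's behalf, and the `eventType != "AwsServiceEvent"` clause drops events AWS generates without a human or CLI call. The following Python is an added example (not part of the CrowdSec hub or this scenario) that replays the same three clauses over a constructed CloudTrail log file body, so you can see which records would fire. The `log_type == 'aws-cloudtrail'` clause is not reproduced because it is set by the CrowdSec parser stage, not by the record content; the sample records and account id are made up.

```python
import json


def is_root_usage(record: dict) -> bool:
    """Python equivalent of the scenario's expr filter, one clause per line.

    `record` is one parsed CloudTrail record, i.e. what CrowdSec exposes as
    evt.Unmarshaled.cloudtrail once the parser has tagged the line as
    log_type 'aws-cloudtrail' (that meta check is assumed to have passed).
    """
    ident = record.get("userIdentity") or {}
    return (
        ident.get("type") == "Root"
        # A service acting on behalf of root sets invokedBy; that is not a
        # person using root credentials, so it is excluded.
        and ident.get("invokedBy") is None
        # AWS-generated service events are excluded for the same reason.
        and record.get("eventType") != "AwsServiceEvent"
    )


def scan_cloudtrail(body: str) -> list:
    """Take the JSON body of a CloudTrail log file ({"Records": [...]}) and
    return (eventTime, eventName) for every record that would trigger."""
    records = json.loads(body).get("Records", [])
    return [(r.get("eventTime"), r.get("eventName"))
            for r in records if is_root_usage(r)]


# Constructed sample log file body; only the fields the filter inspects plus
# eventTime/eventName are populated. Account id 123456789012 is fictional.
SAMPLE_BODY = json.dumps({"Records": [
    # 1. Root signing in to the console: fires.
    {"eventTime": "2024-01-01T10:00:00Z", "eventType": "AwsConsoleSignIn",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "accountId": "123456789012"}},
    # 2. Root calling IAM from the CLI: fires.
    {"eventTime": "2024-01-01T10:05:00Z", "eventType": "AwsApiCall",
     "eventName": "CreateUser",
     "userIdentity": {"type": "Root", "accountId": "123456789012"}},
    # 3. Root principal, but invokedBy is set (service acting for the
    #    account): excluded by the invokedBy == nil clause.
    {"eventTime": "2024-01-01T10:10:00Z", "eventType": "AwsApiCall",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "Root", "accountId": "123456789012",
                      "invokedBy": "AWS Internal"}},
    # 4. AWS-generated service event attributed to root: excluded.
    {"eventTime": "2024-01-01T10:15:00Z", "eventType": "AwsServiceEvent",
     "eventName": "AddRoleToInstanceProfile",
     "userIdentity": {"type": "Root", "accountId": "123456789012"}},
    # 5. Ordinary IAM user: not root, excluded.
    {"eventTime": "2024-01-01T10:20:00Z", "eventType": "AwsApiCall",
     "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})


if __name__ == "__main__":
    for when, name in scan_cloudtrail(SAMPLE_BODY):
        print(f"{when} root account usage: {name}")
```

Because the scenario is a `trigger` type, every matching record produces an alert on its own; there is no leaky-bucket threshold, which is the intended behaviour for a control whose target is zero root usage. Keep in mind that a legitimate account-level task that can only be done as root (for example some billing or account-closure actions) will also fire and should be handled as an expected alert rather than by weakening the filter.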