aws-cis-benchmark-unauthorized-call Scenario

« aws-cis-benchmark-unauthorized-call »
v0.4 by crowdsecurity
Attack scenarioservice:awsspoofable:0MITRE:T1212confidence:3

Detect AWS API unauthorized calls

Installation

cscli scenarios install crowdsecurity/aws-cis-benchmark-unauthorized-call

Description

Detect unauthorized AWS API calls based on cloudtrail logs (Section 3.1 of CIS AWS Foundation Benchmark 1.2.0 ).

YAML Configuration

1type: trigger
2name: crowdsecurity/aws-cis-benchmark-unauthorized-call
3description: "Detect AWS API unauthorized calls"
4filter: |
5     evt.Meta.log_type == 'aws-cloudtrail' &&
6     (
7          (evt.Unmarshaled.cloudtrail.errorCode != nil && evt.Unmarshaled.cloudtrail.errorCode matches ".*UnauthorizedOperation$") ||
8          (evt.Unmarshaled.cloudtrail.errorCode != nil && evt.Unmarshaled.cloudtrail.errorCode matches "^AccessDenied.*")
9     )
10labels:
11     confidence: 3
12     spoofable: 0
13     classification:
14          - attack.T1212
15     behavior: "cloud:audit"
16     label: "AWS API unauthorized calls"
17     service: aws
18     cti: false
19     remediation: false
20

Hub configuration

« aws-cis-benchmark-unauthorized-call »v0.4 by crowdsecurityAttack scenarioservice:awsspoofable:0MITRE:T1212confidence:3

« aws-cis-benchmark-unauthorized-call »
v0.4 by crowdsecurity
Attack scenarioservice:awsspoofable:0MITRE:T1212confidence:3