CloudTrail Falco rules
Rule categories: APPRUNNER (4 rules), AUTOSCALING (2 rules), CLOUDSHELL (1 rule), CLOUDTRAIL (7 rules), CLOUDWATCH (3 rules), CONFIG (19 rules), CONSOLE (3 rules), DMS (1 rule), EBS (1 rule), EC2 (20 rules), ECR (1 rule), ECS (8 rules), ECS EXEC (3 rules), EFS (1 rule), ELASTICSEARCH (2 rules), ELB (4 rules), FARGATE (8 rules), GUARDDUTY (6 rules), IAM (39 rules), KMS (5 rules), LAMBDA (6 rules), RDS (13 rules), ROUTE53 (3 rules), S3 (14 rules), SAGEMAKER (1 rule), SECRETSMANAGER (1 rule), SECURITYHUB (9 rules), VPC (14 rules), WAF (2 rules), OTHER (2 rules).
Total 189 rules.
APPRUNNER

Create App Runner Service from Code Repository
Detect the building and deployment of an App Runner service from a code repository.
cloud aws aws_apprunner

Create App Runner Service from Image Repository
Detect the deployment of an App Runner service from an image repository.
cloud aws aws_apprunner

Delete App Runner Service
Detect the deletion of an App Runner service.
cloud aws aws_apprunner

Deploy App Runner Service
Detect the deployment of an App Runner service.
cloud aws aws_apprunner

AUTOSCALING

Create Autoscaling Group without ELB Health Checks
Detect the creation of an autoscaling group associated with a load balancer which is not using health checks.
cloud aws aws_autoscaling

Update Autoscaling Group without ELB Health Checks
Detect the update of an autoscaling group associated with a load balancer which is not using health checks.
cloud aws aws_autoscaling

CLOUDSHELL

CloudShell Environment Created
Detect creation of a new CloudShell environment.
cloud aws aws_cloudshell

CLOUDTRAIL

CloudTrail Trail Created
Detect creation of a new trail.
cloud aws aws_cloudtrail mitre_TA0009-collection mitre_T1530-data-from-cloud-storage-object

CloudTrail Trail Deleted
Detect deletion of an existing trail.
cloud aws aws_cloudtrail mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

CloudTrail Logfile Encryption Disabled
Detect disabling of CloudTrail logfile encryption.
cloud aws aws_cloudtrail

CloudTrail Logfile Validation Disabled
Detect disabling of CloudTrail logfile validation.
cloud aws aws_cloudtrail

CloudTrail Logging Disabled
CloudTrail logging has been disabled; this could be malicious.
cloud aws aws_cloudtrail mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

CloudTrail Multi-region Disabled
Detect disabling of multi-region logging for a CloudTrail trail.
cloud aws aws_cloudtrail

CloudTrail Trail Updated
Detect update of an existing trail.
cloud aws aws_cloudtrail mitre_TA0009-collection mitre_TA0040-impact mitre_T1492-store-data-manipulation mitre_T1530-data-from-cloud-storage-object

CLOUDWATCH

CloudWatch Delete Alarms
Detect deletion of an alarm.
cloud aws aws_cloudwatch mitre_TA0005-defense-evasion mitre_T1066-indicator-removal-from-tools

CloudWatch Delete Log Group
Detect deletion of a CloudWatch log group.
cloud aws aws_cloudwatch mitre_TA0040-impact mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools mitre_T1485-data-destruction

CloudWatch Delete Log Stream
Detect deletion of a CloudWatch log stream.
cloud aws aws_cloudwatch mitre_TA0040-impact mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools mitre_T1485-data-destruction

CONFIG
Delete Config Rule
Detect deletion of a configuration rule.
cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

Delete Configuration Aggregator
Detect deletion of the configuration aggregator.
cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

Delete Configuration Recorder
Detect deletion of the configuration recorder.
cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

Delete Conformance Pack
Detect deletion of a conformance pack.
cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

Delete Delivery Channel
Detect deletion of the delivery channel.
cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

Delete Organization Config Rule
Detect deletion of an organization config rule.
cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

Delete Organization Conformance Pack
Detect deletion of an organization conformance pack.
cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

Delete Remediation Configuration
Detect deletion of a remediation configuration.
cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

Delete Retention Configuration
Detect deletion of the retention configuration, which specifies the retention period (number of days) for which AWS Config stores historical information.
cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

Put Config Rule
Detect addition or update of an AWS Config rule.
cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

Put Configuration Aggregator
Detect creation or update of the configuration aggregator with the selected source accounts and regions.
cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

Put Conformance Pack
Detect creation or update of a conformance pack.
cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

Put Delivery Channel
Detect creation of a delivery channel.
cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

Put Organization Config Rule
Detect addition or update of an AWS Organization Config rule.
cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

Put Organization Conformance Pack
Detect deployment of conformance packs across member accounts in an AWS Organization.
cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

Put Remediation Configurations
Detect addition or update of the remediation configuration for a specific AWS Config rule with the selected target or action.
cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

Put Remediation Exceptions
Detect addition of a new exception, or update of an existing exception, for a specific resource with a specific AWS Config rule.
cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

Put Retention Configuration
Detect creation or update of the retention configuration, which specifies the retention period (number of days) for which AWS Config stores historical information.
cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

Stop Configuration Recorder
Detect stopping of the configuration recorder.
cloud aws aws_config mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

CONSOLE

Console Login Through Assume Role
Detect a console login through Assume Role.
cloud aws aws_console aws_iam

Console Login Without MFA
Detect a console login without MFA.
cloud aws aws_console aws_iam

Console Root Login Without MFA
Detect root console login without MFA.
cloud aws aws_console aws_iam mitre_TA0040-impact mitre_T1531-account-access-removal

DMS

Create Public DMS Replication Instance
Detect creation of a public DMS replication instance.
cloud aws aws_dms

EBS

EBS Volume Creation without Encryption at Rest
Detect creation of an EBS volume without encryption at rest enabled.
cloud aws aws_ebs

EC2
Allocate New Elastic IP Address to AWS Account
Detect that a public IP address has been allocated to the account.
cloud aws aws_ec2

Associate Elastic IP Address to AWS Network Interface
Detect that a public IP address has been associated with a network interface.
cloud aws aws_ec2

Authorize Security Group Egress
Detect addition of the specified egress rules to a security group.
cloud aws aws_ec2 mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools

Authorize Security Group Ingress
Detect addition of the specified ingress rules to a security group.
cloud aws aws_ec2 mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools

Create Snapshot
Detect creation of an EBS volume snapshot, which is stored in Amazon S3.
cloud aws aws_ec2

Delete Subnet
Detect deletion of the specified subnet.
cloud aws aws_ec2 mitre_TA0040-impact mitre_T1485-data-destruction

Describe Instances
Detect description of the specified EC2 instances or of all EC2 instances.
cloud aws aws_ec2

Disable EBS Encryption by Default
Detect disabling of EBS encryption by default for an account in the current region.
cloud aws aws_ec2 mitre_TA0040-impact mitre_T1492-store-data-manipulation

Make EBS Snapshot Public
Detect making an EBS snapshot public.
cloud aws aws_ec2

EC2 Serial Console Access Enabled
Detect EC2 Serial Console access being enabled in the account for a specific region.
cloud aws aws_ec2

Get Password Data
Detect retrieval of the encrypted administrator password for a running Windows instance.
cloud aws aws_ec2 mitre_TA0003-persistence mitre_T1108-redundant-access

Modify Image Attribute
Detect modification of the specified attribute of the specified AMI.
cloud aws aws_ec2 mitre_TA0010-exfiltration

Modify Snapshot Attribute
Detect addition or removal of permission settings for the specified EC2 snapshot.
cloud aws aws_ec2 mitre_TA0010-exfiltration mitre_T1537-transfer-data-to-cloud-account

Replace Route
Detect replacement of an existing route within a route table in a VPC.
cloud aws aws_ec2 mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools

Revoke Security Group Egress
Detect removal of the specified egress rules from a security group.
cloud aws aws_ec2 mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools

Revoke Security Group Ingress
Detect removal of the specified ingress rules from a security group.
cloud aws aws_ec2 mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools

Run Instances in Non-approved Region
Detect launching of a specified number of instances in a non-approved region.
cloud aws aws_ec2

Run Instances with Non-standard Image
Detect launching of a specified number of instances with a non-standard image.
cloud aws aws_ec2

Run Instances
Detect launching of a specified number of instances.
cloud aws aws_ec2

Delete Cluster
Detect deletion of the specified cluster.
cloud aws aws_ec2 mitre_TA0040-impact mitre_T1485-data-destruction

ECR

ECR Image Pushed
Detect that a new image has been pushed to an ECR registry.
cloud aws aws_ecr

ECS
ECS Service Created
Detect that a new service is created in ECS.
cloud aws aws_ecs aws_fargate

ECS Service Deleted
Detect that a service is deleted in ECS.
cloud aws aws_ecs aws_fargate

Execute Interactive Command inside an ECS Container
Detect execution of an interactive command inside an ECS container.
cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter

Execute Command inside an ECS Container
Detect execution of a command inside an ECS container.
cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution

ECS Task Run or Started
Detect that a new task is started in ECS.
cloud aws aws_ecs aws_fargate

ECS Task Stopped
Detect that a task is stopped in ECS.
cloud aws aws_ecs aws_fargate

Terminal Shell in ECS Container
A terminal shell has been executed inside an ECS container.
cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter mitre_T1059.004-unix-shell

ECS Service Task Definition Updated
Detect that a service task definition is updated in ECS.
cloud aws aws_ecs aws_fargate

ECS EXEC

Execute Interactive Command inside an ECS Container
Detect execution of an interactive command inside an ECS container.
cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter

Execute Command inside an ECS Container
Detect execution of a command inside an ECS container.
cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution

Terminal Shell in ECS Container
A terminal shell has been executed inside an ECS container.
cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter mitre_T1059.004-unix-shell

EFS

Create Unencrypted EFS
Detect creation of an unencrypted elastic file system.
cloud aws aws_efs

ELASTICSEARCH

Elasticsearch Domain Creation without Encryption at Rest
Detect creation of an Elasticsearch domain without encryption at rest enabled.
cloud aws aws_elasticsearch

Elasticsearch Domain Creation without VPC
Detect creation of an Elasticsearch domain without a VPC.
cloud aws aws_elasticsearch

ELB

Create HTTP Target Group without SSL
Detect creation of an HTTP target group not using SSL.
cloud aws aws_elb

Create Internet-facing AWS Public Facing Load Balancer
Detect creation of an AWS internet-facing load balancer.
cloud aws aws_elb

Delete Listener
Detect deletion of the specified listener.
cloud aws aws_elb mitre_TA0001-initial-access mitre_T1190-exploit-public-facing-application

Modify Listener
Detect replacement of the specified properties of the specified listener.
cloud aws aws_elb mitre_TA0001-initial-access mitre_T1190-exploit-public-facing-application

FARGATE

ECS Service Created
Detect that a new service is created in ECS.
cloud aws aws_ecs aws_fargate

ECS Service Deleted
Detect that a service is deleted in ECS.
cloud aws aws_ecs aws_fargate

Execute Interactive Command inside an ECS Container
Detect execution of an interactive command inside an ECS container.
cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter

Execute Command inside an ECS Container
Detect execution of a command inside an ECS container.
cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution

ECS Task Run or Started
Detect that a new task is started in ECS.
cloud aws aws_ecs aws_fargate

ECS Task Stopped
Detect that a task is stopped in ECS.
cloud aws aws_ecs aws_fargate

Terminal Shell in ECS Container
A terminal shell has been executed inside an ECS container.
cloud aws aws_ecs aws_ecs_exec aws_fargate soc2_CC6.1 mitre_TA0002-execution mitre_T1059-command-and-scripting-interpreter mitre_T1059.004-unix-shell

ECS Service Task Definition Updated
Detect that a service task definition is updated in ECS.
cloud aws aws_ecs aws_fargate

GUARDDUTY

Delete Detector
Detect deletion of an Amazon GuardDuty detector.
cloud aws aws_guardduty mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

Guard Duty Delete Members
Detect deletion of GuardDuty member accounts (belonging to the current GuardDuty administrator account) specified by the account IDs.
cloud aws aws_guardduty mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

Disable GuardDuty
Detect disabling of GuardDuty.
cloud aws aws_guardduty

Guard Duty Disassociate from Master Account
Detect disassociation of the current GuardDuty member account from its administrator account.
cloud aws aws_guardduty mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

Guard Duty Disassociate Members
Detect disassociation of GuardDuty member accounts (belonging to the current GuardDuty administrator account) specified by the account IDs.
cloud aws aws_guardduty mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

Stop Monitoring Members
Detect stopping of GuardDuty monitoring for the specified member accounts.
cloud aws aws_guardduty mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

IAM
Console Login Failure
Detect a console login failure.
cloud aws aws_iam

Console Login Success From Untrusted IP
Detect a successful console login from an untrusted IP address.
cloud aws aws_iam

Console Login Success
Detect a successful console login.
cloud aws aws_iam

Console Login Through Assume Role
Detect a console login through Assume Role.
cloud aws aws_console aws_iam

Console Login Without MFA
Detect a console login without MFA.
cloud aws aws_console aws_iam

Console Root Login Without MFA
Detect root console login without MFA.
cloud aws aws_console aws_iam mitre_TA0040-impact mitre_T1531-account-access-removal

Logged in without Using MFA
(DEPRECATED) Detect user login without using MFA (multi-factor authentication). Use "Console Login Without MFA" instead.
cloud aws aws_iam

Password Recovery Requested
Detect AWS IAM password recovery requests.
cloud aws aws_iam mitre_TA0001-initial-access mitre_T1078-valid-accounts

Put Inline Policy in Group to Allow Access to All Resources
Detect putting an inline policy in a group that allows access to all resources.
cloud aws aws_iam

Create Access Key for Root User
Detect creation of an access key for root.
cloud aws aws_iam mitre_TA0001-initial-access mitre_T1078-valid-accounts

Deactivate Hardware MFA for Root User
Detect deactivation of the hardware MFA configuration for root.
cloud aws aws_iam

Deactivate MFA for Root User
Detect deactivation of the MFA configuration for root.
cloud aws aws_iam

Deactivate Virtual MFA for Root User
Detect deactivation of the virtual MFA configuration for root.
cloud aws aws_iam

Delete Virtual MFA for Root User
Detect deletion of the MFA configuration for root.
cloud aws aws_iam pcs_dss_iam.5

Root User Executing AWS Command
Detect the root user executing an AWS command.
cloud aws aws_iam

Add AWS User to Group
Detect adding a user to a group.
cloud aws aws_iam

Attach Administrator Policy
Detect attaching an administrator policy to a user.
cloud aws aws_iam

Attach IAM Policy to User
Detect attaching an IAM policy to a user.
cloud aws aws_iam

Create Group
Detect creation of a new user group.
cloud aws aws_iam mitre_TA0003-persistence mitre_T1108-redundant-access

Create Security Group Rule Allowing SSH Ingress
Detect creation of a security group rule allowing SSH ingress.
cloud aws aws_iam

Create Security Group Rule Allowing Ingress Open to the World
Detect creation of a security group rule allowing ingress open to the world.
cloud aws aws_iam

Create AWS user
Detect creation of a new AWS user.
cloud aws aws_iam mitre_TA0003-persistence mitre_T1136-create-account

Create IAM Policy that Allows All
Detect creation of an IAM policy that allows all actions on all resources.
cloud aws aws_iam

Deactivate MFA for User Access
Detect deactivation of the MFA configuration for user access.
cloud aws aws_iam

Delete Group
Detect deletion of a user group.
cloud aws aws_iam mitre_TA0040-impact mitre_T1531-account-access-removal

Delete AWS user
Detect deletion of an AWS user.
cloud aws aws_iam

Put IAM Inline Policy to User
Detect putting an IAM inline policy on a user.
cloud aws aws_iam

Remove AWS User from Group
Detect removing a user from a group.
cloud aws aws_iam

Update Account Password Policy Not Expiring
Detect updating the password policy so that passwords never expire.
cloud aws aws_iam

Update Account Password Policy Expiring in More Than 90 Days
Detect updating the password policy so that passwords expire in more than 90 days.
cloud aws aws_iam

Update Account Password Policy Not Preventing Reuse of Last 24 Passwords
Detect updating the password policy so that it does not prevent reuse of the last 24 passwords.
cloud aws aws_iam

Update Account Password Policy Not Preventing Reuse of Last 4 Passwords
Detect updating the password policy so that it does not prevent reuse of the last 4 passwords.
cloud aws aws_iam

Update Account Password Policy Not Requiring 14 Characters
Detect updating the password policy so that it does not require a minimum length of 14 characters.
cloud aws aws_iam

Update Account Password Policy Not Requiring 7 Characters
Detect updating the password policy so that it does not require a minimum length of 7 characters.
cloud aws aws_iam

Update Account Password Policy Not Requiring Lowercase
Detect updating the password policy so that it does not require a lowercase letter.
cloud aws aws_iam

Update Account Password Policy Not Requiring Number
Detect updating the password policy so that it does not require a number.
cloud aws aws_iam

Update Account Password Policy Not Requiring Symbol
Detect updating the password policy so that it does not require a symbol.
cloud aws aws_iam

Update Account Password Policy Not Requiring Uppercase
Detect updating the password policy so that it does not require an uppercase letter.
cloud aws aws_iam

Update Assume Role Policy
Detect modification of a role's assume role policy.
cloud aws aws_iam mitre_TA0006-credential-access mitre_T1110-brute-force

KMS

Create Customer Master Key
Detect creation of a new CMK (with rotation disabled).
cloud aws aws_kms

Disable CMK Rotation
Detect disabling of a customer master key's rotation.
cloud aws aws_kms

Disable Key
Detect disabling of a customer master key (CMK), thereby preventing its use for cryptographic operations.
cloud aws aws_kms

Remove KMS Key Rotation
Detect removal of KMS key rotation.
cloud aws aws_kms

Schedule Key Deletion
Detect scheduling of the deletion of a customer master key.
cloud aws aws_kms

LAMBDA
Create Lambda Function Not Using Latest Runtime
Detect creation of a Lambda function not using the latest runtime.
cloud aws aws_lambda mitre_T1190-exploit-public-facing-application

Create Lambda Function Using Unsupported Runtime
Detect creation of a Lambda function using an unsupported runtime.
cloud aws aws_lambda mitre_T1190-exploit-public-facing-application

Create Lambda Function
Detect creation of a Lambda function.
cloud aws aws_lambda mitre_TA0003-persistence

Dissociate Lambda Function from VPC
Detect dissociation of a Lambda function from a VPC.
cloud aws aws_lambda

Update Lambda Function Code
Detect updates to a Lambda function's code.
cloud aws aws_lambda mitre_TA0003-persistence mitre_T1496-resource-hijacking

Update Lambda Function Configuration
Detect updates to a Lambda function's configuration.
cloud aws aws_lambda mitre_TA0003-persistence mitre_T1496-resource-hijacking

RDS

Authorize DB Security Group Ingress
Detect enabling of ingress to a DBSecurityGroup using one of two forms of authorization.
cloud aws aws_rds

Create DB Cluster
Detect creation of a database cluster.
cloud aws aws_rds mitre_TA0003-persistence mitre_T1108-redundant-access

Create DB Security Group
Detect creation of a database security group.
cloud aws aws_rds

Create Global Cluster
Detect creation of a global cluster.
cloud aws aws_rds mitre_TA0003-persistence mitre_T1108-redundant-access

Delete DB Cluster
Detect deletion of a database cluster.
cloud aws aws_rds mitre_TA0040-impact mitre_T1485-data-destruction

Delete DB Security Group
Detect deletion of a database security group.
cloud aws aws_rds

Delete DB Snapshot
Detect deletion of a database snapshot.
cloud aws aws_rds mitre_TA0040-impact mitre_T1485-data-destruction

Make RDS DB Instance Public
Detect making an RDS DB instance public.
cloud aws aws_rds

Make RDS Snapshot Public
Detect making an RDS snapshot public.
cloud aws aws_rds

Modify RDS Snapshot Attribute
Detect modification of an RDS snapshot attribute.
cloud aws aws_rds mitre_TA0010-exfitration mitre_T1537-transfer-data-to-cloud-account

Revoke DB Security Group Ingress
Detect revocation of ingress from a DBSecurityGroup for previously authorized IP ranges or EC2 or VPC security groups.
cloud aws aws_rds

Stop DB Cluster
Detect stopping of a database cluster.
cloud aws aws_rds mitre_TA0040-impact mitre_T1489-service-stop

Stop DB Instance
Detect stopping of a database instance.
cloud aws aws_rds mitre_TA0040-impact mitre_T1489-service-stop

ROUTE53

Associate VPC with Hosted Zone
Detect association of an Amazon VPC with a private hosted zone.
cloud aws aws_route53

Change Resource Record Sets
Detect creation, change, or deletion of a resource record set.
cloud aws aws_route53

Register Domain
Detect registration of a new domain.
cloud aws aws_route53

S3

Delete Bucket CORS
Detect deletion of the CORS configuration for a bucket.
cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host

Delete Bucket Encryption
Detect deletion of the configuration that enables encryption for bucket storage.
cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host

Delete Bucket Lifecycle
Detect deletion of the lifecycle configuration from the specified bucket.
cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host

Delete Bucket Policy
Detect deletion of the policy of a specified bucket.
cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host

Delete Bucket Public Access Block
Detect deletion of the public access block on a bucket.
cloud aws aws_s3

Delete Bucket Replication
Detect deletion of the replication configuration from the bucket.
cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host

Read Object in Watched Bucket
Detect a Read operation on objects in watched buckets.
cloud aws aws_s3

List Buckets
Detect listing of all S3 buckets.
cloud aws aws_s3 mitre_TA0007-discovery mitre_T1083-file-and-directory-discovery

Put Bucket ACL
Detect setting the permissions on an existing bucket using access control lists.
cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host

Put Bucket CORS
Detect setting the CORS configuration for a bucket.
cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host

Put Bucket Lifecycle
Detect creation or modification of a lifecycle configuration for the bucket [DEPRECATED: use `Put Bucket Lifecycle Configuration` instead].
cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host

Put Bucket Policy
Detect applying an Amazon S3 bucket policy to an Amazon S3 bucket.
cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host

Put Bucket Replication
Detect creation of a replication configuration or the replacement of an existing one.
cloud aws aws_s3 mitre_TA0005-defense-evasion mitre_T1070-indicator-removal-on-host

Put Object in Watched Bucket
Detect a Put operation on objects in watched buckets.
cloud aws aws_s3

SAGEMAKER

Create SageMaker Notebook Instance with Direct Internet Access
Detect creation of a SageMaker notebook instance with direct internet access.
cloud aws aws_sagemaker

SECRETSMANAGER

Get Secret Value
Detect retrieval of the contents of the encrypted fields SecretString or SecretBinary from the specified version of a secret, whichever contains content.
cloud aws aws_secretsmanager mitre_TA0006-credential-access mitre_T1528-steal-application-access-token

SECURITYHUB
Batch Disable Standards
Detect disabling of the standards specified by the provided StandardsSubscriptionArns.
cloud aws aws_securityhub

Delete Action Target
Detect deletion of a custom action target from Security Hub.
cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

Security Hub Delete Members
Detect deletion of the specified member accounts from Security Hub.
cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

Disable Import Findings for Product
Detect disabling of the integration of the specified product with Security Hub.
cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

Disable Security Hub
Detect disabling of Security Hub in the current region.
cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

Security Hub Disassociate From Master Account
Detect disassociation of the current Security Hub member account from the associated master account.
cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

Security Hub Disassociate Members
Detect disassociation of the current Security Hub member account from the associated master account.
cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

Update Action Target
Detect updating of the name and description of a custom action target in Security Hub.
cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

Update Standards Control
Detect enabling or disabling of a standard control.
cloud aws aws_securityhub mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

VPC

Accept VPC Peering Connection
Detect acceptance of a VPC peering connection.
cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools

Attach Internet Gateway
Detect attachment of an internet gateway.
cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools

Create a Network ACL Entry Allowing Ingress Open to the World
Detect creation of a network ACL entry allowing ingress open to the world.
cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools

Create a Network ACL Entry
Detect creation of a network ACL entry.
cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools

Create a Network ACL
Detect creation of a network ACL.
cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools

Create VPC Route
Detect creation of a VPC route.
cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools

Create VPC Peering Connection
Detect creation of a VPC peering connection.
cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools

Create VPC with Default Security Group
Detect creation of a new VPC with the default security group.
cloud aws aws_vpc

Create VPC with No Flow Log
Detect creation of a new VPC with no flow log.
cloud aws aws_vpc

Delete VPC Flow Log
Detect deletion of a VPC flow log.
cloud aws aws_vpc mitre_TA0005-defense-evasion mitre_T1066-indicator-removal-from-tools

Delete a Network ACL Entry
Detect deletion of a network ACL entry.
cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools

Delete a Network ACL
Detect deletion of a network ACL.
cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools

Replace a Network ACL Association
Detect replacement of a network ACL association.
cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools

Replace a Network ACL Entry
Detect replacement of a network ACL entry.
cloud aws aws_vpc mitre_TA0003-persistence mitre_TA0005-defense-evasion mitre_T1108-redundant-access mitre_T1089-disabling-security-tools

WAF

Delete WAF Rule Group
Detect deletion of a WAF rule group.
cloud aws aws_waf mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

Delete Web ACL
Detect deletion of a web ACL.
cloud aws aws_waf mitre_TA0005-defense-evasion mitre_T1089-disabling-security-tools

OTHER

AWS Command Executed by Untrusted User
Detect AWS command execution by an untrusted user.
cloud aws

AWS Command Executed on Unused Region
Detect AWS command execution in unused regions.
cloud aws mitre_T1526-cloud-service-discovery mitre_T1535-unused-unsupported-cloud-regions