
SNS Topic Message Publish by Rare User

Elastic Detection Rules

Summary
This detection rule monitors AWS SNS (Simple Notification Service) activity in CloudTrail and flags a message published to an SNS topic by a rare user: an identity that has not published to an SNS topic in the preceding 14 days. Adversaries may use SNS topics for phishing (a topic can deliver to email and SMS endpoints), data exfiltration, or lateral movement within AWS environments, so a first-time or long-dormant publisher can indicate compromised credentials or unauthorized access.

The rule relies on historical behavior analysis: it tracks which users have published SNS messages within the last 14 days and treats a Publish by any other user as new. Alerts are meant to be triaged with the investigative steps bundled with the rule: confirm the user identity, validate the access key that made the call, review the message context and the target topic, and check the source IP address and user agent for anomalies. False positives are expected from legitimately onboarded users and from automation tools publishing for the first time; these should be verified and, where appropriate, excluded. If the activity is confirmed unauthorized, the rule's guidance covers immediate containment actions and longer-term adjustments to monitoring and policy review.
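The following is an added example, not Elastic's rule code, that reproduces the logic described above so the 14-day window can be seen working against sample data. It walks CloudTrail records in time order, alerts on the first successful SNS Publish by a user identity with no Publish in the preceding 14 days, and pulls out the fields the triage steps look at (identity, access key, topic, source IP, user agent). Field names follow raw CloudTrail JSON rather than the ECS fields an Elastic ingest pipeline would produce; the account ID, ARNs, user agents and all sample events are constructed, and the `allowlist` parameter is a hypothetical tuning knob for the false positives mentioned above.

```python
"""Added example, not Elastic's rule code: a minimal "new terms" detector that
alerts on the first successful SNS Publish by a user identity not seen
publishing in the preceding 14 days. All sample data below is constructed."""
from datetime import datetime, timedelta

HISTORY_WINDOW = timedelta(days=14)
ACCOUNT = "123456789012"                      # constructed account ID
TOPIC = f"arn:aws:sns:us-east-1:{ACCOUNT}:ops-alerts"
BOT = f"arn:aws:iam::{ACCOUNT}:user/alerts-bot"
CONTRACTOR = f"arn:aws:iam::{ACCOUNT}:user/contractor-temp"


def _event(time, arn, **extra):
    """Build a constructed CloudTrail-style SNS Publish record."""
    rec = {
        "eventTime": time,
        "eventSource": "sns.amazonaws.com",
        "eventName": "Publish",
        "userIdentity": {"type": "IAMUser", "arn": arn, "accessKeyId": "AKIAEXAMPLE"},
        "sourceIPAddress": "10.0.0.5",
        "userAgent": "aws-sdk-python/1.34",
        "requestParameters": {"topicArn": TOPIC},
    }
    rec.update(extra)
    return rec


# Constructed sample log, deliberately out of order to exercise the sort step.
SAMPLE_EVENTS = [
    _event("2025-01-10T09:00:00Z", BOT),                                  # 9 days after first: quiet
    _event("2025-01-01T09:00:00Z", BOT),                                  # first ever Publish: alert
    _event("2025-01-12T03:14:00Z", BOT, errorCode="AuthorizationError"),  # failed call: ignored
    _event("2025-01-12T03:20:00Z", CONTRACTOR,                            # never seen before: alert
           sourceIPAddress="198.51.100.23", userAgent="curl/8.4.0"),
    _event("2025-01-12T03:21:00Z", CONTRACTOR, eventName="GetTopicAttributes"),  # not Publish: ignored
    _event("2025-01-30T09:00:00Z", BOT),                                  # 20 days dormant: alert again
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_successful_sns_publish(ev):
    """Match only what the rule cares about: successful SNS Publish calls."""
    return (ev.get("eventSource") == "sns.amazonaws.com"
            and ev.get("eventName") == "Publish"
            and not ev.get("errorCode"))


def triage_context(ev):
    """Fields an analyst checks first: who, which key, which topic, from where."""
    ident = ev.get("userIdentity", {})
    return {
        "time": ev["eventTime"],
        "user_arn": ident.get("arn"),
        "identity_type": ident.get("type"),
        "access_key_id": ident.get("accessKeyId"),
        "topic_arn": ev.get("requestParameters", {}).get("topicArn"),
        "source_ip": ev.get("sourceIPAddress"),
        "user_agent": ev.get("userAgent"),
    }


def detect_rare_publishers(events, window=HISTORY_WINDOW, allowlist=()):
    """Alert on a Publish whose caller has no Publish within `window` before it.

    `allowlist` (hypothetical tuning knob) holds ARNs of known automation;
    their activity is still tracked but never alerted on.
    """
    last_seen = {}   # user ARN -> time of that user's most recent Publish
    alerts = []
    for ev in sorted(events, key=lambda e: parse_time(e["eventTime"])):
        if not is_successful_sns_publish(ev):
            continue
        arn = ev["userIdentity"]["arn"]
        now = parse_time(ev["eventTime"])
        previous = last_seen.get(arn)
        if (previous is None or now - previous > window) and arn not in allowlist:
            alerts.append(triage_context(ev))
        last_seen[arn] = now
    return alerts


if __name__ == "__main__":
    for alert in detect_rare_publishers(SAMPLE_EVENTS):
        print(f"{alert['time']} {alert['user_arn']} -> {alert['topic_arn']} "
              f"from {alert['source_ip']} ({alert['user_agent']})")
```

Run against the constructed log this yields three alerts: the bot's very first Publish (the onboarding false positive the rule expects), the contractor's first Publish from an unusual IP with a curl user agent, and the bot again after 20 quiet days. Widening the window or allowlisting the bot removes the bot alerts while keeping the contractor one, which is the tuning trade-off an operator makes when deploying this rule.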
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • Network Traffic
  • Process
  • Application Log
ATT&CK Techniques
  • T1534
  • T1567
Created: 2025-01-07