AWS Logging Enumeration

Anvilogic Forge

Summary
This threat detection rule monitors for AWS API calls commonly associated with logging enumeration. When deployed, it queries events recorded by AWS CloudTrail within the last two hours and filters for API calls that indicate an attacker is enumerating logging and monitoring configuration. The relevant calls include GetQueryResults, GetBucketLogging, and others that reveal how logging is configured and which resources are monitored. By focusing on these actions, the rule surfaces potential reconnaissance activity within the AWS environment that could precede further exploitation or data theft. The resulting alerts help security teams investigate early and harden their cloud logging posture.
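The detection logic described above, written out as an added example in Python over constructed CloudTrail records (this is illustrative code, not Anvilogic's rule). It keeps the two API names the summary lists and, as a labelled assumption, adds a few other real read-only AWS calls that expose logging configuration; the sample events, account id, principal names and IP addresses are constructed, and the record field names (`eventTime`, `eventName`, `eventSource`, `userIdentity.arn`, `sourceIPAddress`) follow the standard CloudTrail record layout.

```python
"""Added example: a two-hour look-back over CloudTrail records for logging-enumeration API calls.

Not the Anvilogic rule itself; the watch list beyond the page's two API names and all
sample data are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# API calls named in the rule summary.
LOGGING_ENUM_API_CALLS = {"GetQueryResults", "GetBucketLogging"}
# Assumed additions: real AWS API names that read logging/monitoring configuration.
# The page only says "and others"; these are this example's choice, not the rule's list.
LOGGING_ENUM_API_CALLS |= {"DescribeTrails", "GetTrailStatus", "DescribeAlarms"}

LOOKBACK = timedelta(hours=2)


def parse_event_time(value):
    """CloudTrail eventTime is ISO-8601 in UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_logging_enumeration(events, now, lookback=LOOKBACK, watched=LOGGING_ENUM_API_CALLS):
    """Return the events inside (now - lookback, now] whose eventName is on the watch list."""
    cutoff = now - lookback
    hits = []
    for ev in events:
        name = ev.get("eventName")
        if name not in watched:
            continue
        when = parse_event_time(ev["eventTime"])
        if when < cutoff or when > now:
            continue  # outside the two-hour window the rule queries
        identity = ev.get("userIdentity", {})
        hits.append({
            "eventTime": ev["eventTime"],
            "eventName": name,
            "eventSource": ev.get("eventSource"),
            "principal": identity.get("arn") or identity.get("userName"),
            "sourceIPAddress": ev.get("sourceIPAddress"),
        })
    return hits


def summarize_by_principal(hits):
    """Group matched API names per principal; several distinct calls from one identity is the
    pattern an analyst would triage first."""
    grouped = {}
    for hit in hits:
        grouped.setdefault(hit["principal"], set()).add(hit["eventName"])
    return {principal: sorted(names) for principal, names in grouped.items()}


# Constructed sample records (account id, principals and IPs are placeholders).
SAMPLE_NOW = datetime(2024, 2, 9, 12, 0, 0, tzinfo=timezone.utc)
_ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}
_BOB = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}
_CAROL = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/carol"}
SAMPLE_EVENTS = [
    {"eventTime": "2024-02-09T11:15:00Z", "eventName": "GetBucketLogging",
     "eventSource": "s3.amazonaws.com", "userIdentity": _ALICE, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-02-09T11:40:00Z", "eventName": "GetQueryResults",
     "eventSource": "logs.amazonaws.com", "userIdentity": _ALICE, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-02-09T11:50:00Z", "eventName": "DescribeTrails",
     "eventSource": "cloudtrail.amazonaws.com", "userIdentity": _ALICE, "sourceIPAddress": "198.51.100.7"},
    # Not on the watch list: ordinary data access, should be ignored.
    {"eventTime": "2024-02-09T11:55:00Z", "eventName": "PutObject",
     "eventSource": "s3.amazonaws.com", "userIdentity": _BOB, "sourceIPAddress": "203.0.113.9"},
    # On the watch list but older than two hours: outside the rule's window.
    {"eventTime": "2024-02-09T09:30:00Z", "eventName": "GetBucketLogging",
     "eventSource": "s3.amazonaws.com", "userIdentity": _CAROL, "sourceIPAddress": "203.0.113.21"},
]


def run_sample():
    """Apply the detection to the constructed records as of SAMPLE_NOW."""
    return detect_logging_enumeration(SAMPLE_EVENTS, SAMPLE_NOW)


if __name__ == "__main__":
    hits = run_sample()
    for hit in hits:
        print(hit["eventTime"], hit["eventName"], hit["principal"], hit["sourceIPAddress"])
    print(summarize_by_principal(hits))
```

Run as-is, the three calls from `alice` inside the window match, while `PutObject` (not watched) and the older `GetBucketLogging` (outside the window) are dropped; grouping by principal then shows one identity touching S3, CloudWatch Logs and CloudTrail configuration in under an hour, which is the shape of activity worth a closer look.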
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Storage
  • Logon Session
ATT&CK Techniques
  • T1580
  • T1082
  • T1526
Created: 2024-02-09