
Summary
This detection rule identifies the creation of AWS Security Groups using AWS CloudTrail logs. AWS Security Groups act as virtual firewalls for Amazon EC2 instances, permitting or denying inbound and outbound traffic. The rule matters for monitoring security changes within AWS environments, because unauthorized security group creation can introduce exposure, such as sensitive data becoming reachable or unrestricted access to cloud resources. The detection logic is written in Snowflake SQL and queries the AWS CloudTrail logs for any 'CreateSecurityGroup' events that occurred within the last two hours. Security teams can use this rule to ensure that changes to security group configurations are tracked and reviewed, since such changes can indicate account manipulation or unauthorized access attempts.
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1098
Created: 2024-02-09