November 15, 2024 - Content Update

We are committed to continuously strengthening security operations for our customers through our innovative DARC Vault fortnightly releases. Just like Microsoft's Patch Tuesday, the DARC Vault serves as a reliable source for enhanced security content, enabling our users to stay ahead of evolving threats.

Each fortnight, we deliver the latest Out-Of-The-Box (OOTB) content that not only introduces brand-new capabilities but also enhances existing detections. This fortnight, we are excited to announce a significant update focused on AWS Cloudtrail and WAF.

Below is a summary of the new additions and improvements:

Summary of Fortnightly Improvements

Content Type

Actions

Count

Detections

New

73

Dashboards

New

4

Reports

New

5

New Detections

#

Name

Description

1

AWS IAM Brute Force of Assume Role Policy

This detection focuses on monitoring AWS CloudTrail for events related to theUpdateAssumeRolePolicyoperation within the IAM service. TheMalformedPolicyDocumentExceptionerror indicates attempts to update an IAM role's assume role's policy with incorrect formatting or invalid content, which may signify brute force attacks targeting IAM policies.

2

AWS Management Console Root Login

This alert identifies successful logins to the AWS Management Console by the Root user. Monitoring these logins is vital as the Root account has unrestricted access to all AWS services and resources. Unusual or unexpected Root logins can signal potential security risks, making it essential to ensure that such access is tightly controlled and monitored.

3

AWS EC2 Network Access Control List Creation

This detection monitors AWS CloudTrail for events associated with the creation of Network Access Control Lists (NACLs) within Amazon EC2. Network ACLs play a key role in controlling inbound and outbound traffic to and from subnets within a VPC. Detecting new NACLs or entries is essential for identifying potential unauthorized configurations that may expose resources to threats.

4

AWS IAM Group Deletion

This detection rule identifies the deletion of AWS Identity and Access Management (IAM) resource groups. While the deletion does not remove individual resources, it eliminates the organizational structure crucial for managing permissions and access. Monitoring these deletions is critical for ensuring proper governance and oversight of IAM configurations, as unauthorized changes could affect security posture and resource management.

5

AWS Redshift Cluster Creation

This detection monitors the creation of Amazon Redshift clusters. TheCreateClusterevent indicates when a new Redshift cluster is initiated. Monitoring this event is crucial for ensuring that only authorized users can create clusters, which can significantly impact your AWS resources and costs.

6

AWS GuardDuty Detector Deletion

This detection identifies the deletion of AWS GuardDuty detectors, which are essential components for monitoring and analyzing security threats within an AWS environment. Deleting a GuardDuty detector removes its ability to detect anomalies, reducing visibility into potential malicious activities and weakening the overall security posture.

7

AWS RDS Cluster Creation

This detection identifies instances ofCreateDBClusterandCreateGlobalClusterevents in AWS CloudTrail, which indicate the creation of Amazon RDS (Relational Database Service) clusters. These events are critical as they signify the establishment of new database clusters, which may affect the overall architecture, data management, and access controls in your environment.

8

AWS WAF Access Control List Deletion

This detection monitors theDeleteWebACLevent within AWS CloudTrail, which occurs when an AWS WAF (Web Application Firewall) access control list (ACL) is deleted. WAF ACLs are crucial for protecting web applications by controlling access based on predefined rules, such as IP address filtering, HTTP header checks, and more.

9

AWS RDS Instance Creation

This detection monitors the creation of new RDS (Relational Database Service) instances in AWS. TheCreateDBInstanceevent indicates when a new database instance is provisioned. Monitoring this event is essential for tracking database deployments, especially to avoid unauthorized or accidental RDS instance creation.

10

AWS Cache Security Group Egress Authorization Changes

This detection monitors changes to AWS Cache Security Group egress rules. TheAuthorizeCacheSecurityGroupEgressevent indicates when outbound rules are added, while theRevokeCacheSecurityGroupEgressevent indicates when they are removed. These events are important for managing and tracking security group egress configurations, which control outbound access for AWS cache resources such as ElastiCache.

11

AWS IAM Password Recovery Requested

This detection rule identifies requests for AWS IAM password recovery. Monitoring these requests is vital, as adversaries may exploit the password recovery process to gain unauthorized access to AWS accounts. Detecting frequent recovery requests can help mitigate potential security threats and protect sensitive resources from compromise.

12

AWS RDS Security Group Creation

This detection monitors for the creation of security groups specifically for Amazon RDS (Relational Database Service) instances. Security groups act as virtual firewalls, controlling inbound and outbound traffic to RDS instances. Monitoring the creation of RDS security groups is important to ensure that only authorized security rules are implemented, preventing unauthorized access to database resources.

13

AWS EC2 Encryption Disabled

This detection monitors for events where the default encryption for Amazon Elastic Block Store (EBS) volumes is disabled. Disabling encryption can expose sensitive data and increase the risk of data breaches, making it critical to track these changes.

14

AWS EC2 Full Network Packet Capture Detected

This detection monitors for the creation of network packet capture resources in AWS EC2, which can enable full packet capture and traffic mirroring. Packet capture is a powerful tool for network monitoring and security analysis but can be sensitive if misused, as it allows access to potentially sensitive data traversing the network.

15

AWS CloudTrail Log Deleted

This detection monitors AWS CloudTrail for occurrences of theDeleteTrailevent, which is logged when a user deletes a CloudTrail trail. CloudTrail provides crucial logging and auditing of AWS account activity, and deletion of trails could indicate an attempt to prevent logging and obscure suspicious actions within the AWS environment.

16

AWS Route Table Created

This detection identifies instances of AWS Route Table creation activities. Route tables are used to direct network traffic within an AWS Virtual Private Cloud (VPC). Monitoring the creation of route tables helps detect unauthorized or unexpected changes in network routing, which could impact security and data flow within the cloud environment.

17

AWS Deletion of RDS Instance or Cluster

This detection monitors for events where Amazon RDS (Relational Database Service) instances or clusters are deleted. Unauthorized or accidental deletion of RDS instances can lead to significant data loss and operational disruptions, making it crucial to track such events.

18

AWS CloudTrail Log Created

This detection monitors the creation of AWS CloudTrail logs. Creating a CloudTrail log is a critical action that ensures all API calls and activities within your AWS environment are logged, which is essential for security and compliance audits.

19

AWS Configuration Recorder Stopped

This detection rule is designed to monitor AWS Config for instances where the configuration recorder has been stopped via theStopConfigurationRecorderaction. The configuration recorder is crucial for tracking configuration changes to AWS resources. Stopping the configuration recorder can create gaps in visibility and auditing, making it a potential indicator of malicious intent or misconfiguration.

20

AWS WAF Rule Deletion

This detection monitors theDeleteRuleandDeleteRuleGroupevents within AWS CloudTrail, which occur when a WAF (Web Application Firewall) rule or rule group is deleted. WAF rules are critical for defining the conditions under which requests are allowed or blocked, and rule groups are collections of such rules that help manage access control for web applications.

21

AWS CloudTrail Log Updated

This detection monitors updates to AWS CloudTrail logs. TheUpdateTrailevent represents changes to an existing CloudTrail configuration, such as modifying log settings, enabling/disabling encryption, or updating the log destination. Monitoring these events helps ensure the integrity of logging configurations and supports compliance by identifying unauthorized modifications.

22

AWS RDS Snapshot Restored

This detection monitors AWS CloudTrail for events related to the restoration of Amazon RDS instances from snapshots. Monitoring this activity is essential as unauthorized or accidental restorations can lead to data loss, exposure of sensitive data, or disruption of service due to unexpected changes in the database state.

23

AWS EC2 Snapshot Activity

This detection focuses on theModifySnapshotAttributeevent within AWS CloudTrail, which is generated when the attributes of an Amazon EC2 snapshot are modified. Modifying snapshot attributes can include actions like changing permissions or sharing snapshots with other AWS accounts. Such activities can pose security risks, especially if sensitive snapshots are inadvertently shared or altered without proper authorization.

24

AWS Access Secret in Secrets Manager

This detection rule identifies attempts to access secrets stored in AWS Secrets Manager. Unauthorized access to these secrets can lead to the theft of sensitive information, including certificates, credentials, and other critical data. Monitoring for such access attempts is vital for protecting sensitive material and preventing potential security breaches in your AWS environment.

25

AWS RDS Instance or Cluster Stoppage

This detection monitors stoppage events for AWS RDS instances and clusters, which can affect application availability. Unauthorized stoppage can lead to service interruptions.

26

AWS IAM User Addition to Group

This notification triggers when an AWS Identity and Access Management (IAM) user is added to a specified group. This change can affect the user’s permissions and access to resources based on the policies associated with the group.

27

AWS IAM Deactivation of MFA Device

This detection identifies occurrences of theDeactivateMFADeviceandDeleteVirtualMFADeviceevents in AWS CloudTrail, which signify the deactivation or deletion of Multi-Factor Authentication (MFA) devices associated with AWS IAM users. MFA provides an additional layer of security by requiring users to provide multiple verification factors, and deactivating or deleting an MFA device can reduce account security, leaving it vulnerable to unauthorized access.

28

AWS STS GetSessionToken Unauthorized Access Detection

This detection rule focuses on monitoring AWS CloudTrail for unauthorized attempts to use theGetSessionTokenaction within the Security Token Service (STS). ThePrepareEnsure that IAM policies are tightly controlled and adhere to the principle of least privilege. Implement strong authentication measures, including multi-factor authentication (MFA), for all IAM users. Detection and AnalysisExplanation of Main Filters:sourcename="AWS-CLOUDTRAIL": Filters for events logged by AWS CloudTrail.eventsource="sts.amazonaws.com": Targets events associated with the Security Token Service (STS).eventname="GetSessionToken": Monitors calls to theGetSessionTokenaction, which issues temporary credentials.GetSessionTokenoperation is used to obtain temporary security credentials that can grant access to AWS resources. Monitoring this action is essential to identify potential unauthorized access by IAM users attempting to gain elevated permissions.

29

AWS Route 53 Domain Transfer Lock Disabled

This detection monitors the disabling of domain transfer locks in AWS Route 53. A domain transfer lock prevents unauthorized transfer of domain ownership, ensuring that domain names remain secure. Disabling this lock may indicate potential unauthorized access or attempts to transfer domain ownership without proper authorization.

30

AWS EC2 Network Access Control List Deletion

This detection monitors the deletion of Network Access Control Lists (ACLs) in Amazon EC2. The eventsDeleteNetworkAclandDeleteNetworkAclEntryindicate when network ACLs or their entries are removed. Monitoring these events is essential for maintaining the security and integrity of your network configurations.

31

AWS IAM Assume Role Policy Update

This detection monitors AWS CloudTrail for events related to updates to IAM Assume Role policies. Monitoring these events is crucial because changes to role policies can affect permissions and access control, potentially leading to security vulnerabilities or unauthorized access.

32

AWS Route53 private hosted zone associated with a VPC

This detection focuses on theAssociateVPCWithHostedZoneevent within AWS CloudTrail, which is generated when a private hosted zone in Amazon Route 53 is associated with a Virtual Private Cloud (VPC). Associating a hosted zone with a VPC allows DNS queries for domain names in the hosted zone to be resolved within that VPC, enabling internal name resolution for resources.

33

AWS SAML Activity

This detection identifies activity related to AWS Security Assertion Markup Language (SAML) integration, which is often used for single sign-on (SSO) with external identity providers. Monitoring SAML-related activities is crucial for ensuring secure authentication and detecting potential misuse or unauthorized changes to SAML configurations.

34

Potential Multiple Failed Root User Login Attempts in AWS Management Console

This detection identifies multiple failed login attempts by the root user in the AWS Management Console, which could indicate brute-force attacks or credential stuffing attempts. Attackers often target the root account due to its high level of privileges, and repeated failed login attempts could signal malicious activities aimed at gaining unauthorized access.

35

AWS Security Group Configuration Change Detection

This detection monitors configuration changes to AWS Security Groups, which can impact network security and access controls. Unauthorized modifications can lead to security vulnerabilities, making it critical to track these events.

36

AWS KMS Customer Managed Key Disabled or Scheduled for Deletion

This detection monitors AWS Key Management Service (KMS) events where customer-managed encryption keys are either disabled or scheduled for deletion. Disabling or deleting keys can prevent encrypted data from being accessed, making it crucial to track these actions for data security and availability.

37

AWS CloudWatch Log Stream Deletion

This detection identifies instances of theDeleteLogStreamevent in AWS CloudTrail, which signifies the deletion of log streams in Amazon CloudWatch Logs. Log streams contain log events, and their deletion can impede monitoring, troubleshooting, and compliance efforts by removing historical data.

38

AWS Config Resource Deletion

This detection monitors the deletion of AWS Config resources, which are crucial for tracking compliance and auditing in your AWS environment. Unauthorized deletions can disrupt your ability to maintain configuration history and compliance status.

39

AWS IAM Group Creation

This detection focuses on theCreateGroupevent within AWS CloudTrail, which is generated when a new IAM group is created in AWS Identity and Access Management (IAM). Creating IAM groups is a critical function that allows for the centralized management of permissions for multiple users. However, improper or unauthorized creation of groups can lead to excessive permissions being granted, which poses a security risk.

40

AWS VPC Flow Logs Deletion

This detection monitors AWS CloudTrail for occurrences of theDeleteFlowLogsevent, which is recorded when VPC (Virtual Private Cloud) flow logs are deleted. VPC flow logs capture IP traffic data for network interfaces within an AWS VPC, providing valuable insights for security and traffic analysis. Unauthorized deletion of these logs could disrupt visibility into network traffic, hindering investigations and incident response efforts.

41

AWS EC2 VM Export-Failure

This detection monitors AWS CloudTrail for events related to failures during the export of EC2 virtual machines (VMs). Monitoring this activity is crucial as export failures can indicate issues with backup processes, unauthorized access attempts, or misconfigurations that could affect data integrity and availability.

42

AWS CloudWatch Alarm Deletion

This detection identifies instances of theDeleteAlarmsevent in AWS CloudTrail, which is triggered when an AWS CloudWatch alarm is deleted. CloudWatch alarms are critical for monitoring the performance and health of AWS resources; they can notify administrators of potential issues or security incidents. Deleting an alarm may indicate an attempt to disrupt monitoring capabilities, potentially obscuring evidence of unauthorized activity.

43

AWS Security Token Service AssumeRole Usage

This detection rule identifies instances of theAssumeRoleAPI being used within AWS Security Token Service (STS).AssumeRoleprovides temporary security credentials that enable users to access AWS resources. Monitoring this usage is crucial, as adversaries may exploit these temporary credentials for lateral movement and privilege escalation, potentially compromising sensitive resources and operations.

44

AWS RDS Snapshot Export

This detection identifies instances of Amazon RDS snapshot exports. Exporting RDS snapshots is used to create backups or migrate data, but unauthorized exports could lead to data exposure. Monitoring snapshot exports helps ensure that database content is only shared by authorized users and aligns with data security policies.

45

AWS Route Table Modified or Deleted

This detection identifies modifications or deletions in AWS route tables, which are critical for controlling network traffic flow and resource accessibility. Monitoring these changes ensures proper network configurations and security in your AWS environment.

46

AWS Execution via System Manager

This detection monitors successful command executions via AWS Systems Manager (SSM). TheSendCommandevent allows administrators to run commands on managed instances remotely. Monitoring this event helps ensure that only authorized commands are executed, which is vital for maintaining system integrity and security.

47

AWS S3 Bucket Configuration Deletion

This detection monitors AWS CloudTrail for events related to the deletion of configuration settings on Amazon S3 buckets. Configuration deletions, such as removing policies or encryption settings, can expose sensitive data to unauthorized access. Monitoring these changes is critical to identify and mitigate risks associated with unauthorized or inadvertent modifications to S3 bucket configurations.

48

AWS CloudTrail Log Suspended

This detection rule focuses on monitoring AWS CloudTrail for instances where logging has been suspended via theStopLoggingaction. This action is used to stop recording API calls made within an AWS account, effectively halting the logging of actions that could be critical for security monitoring and compliance. Identifying this action is vital, as suspending CloudTrail logging can indicate potential malicious activity or attempts to cover tracks after unauthorized access.

49

AWS CloudWatch Log Group Deletion

This detection monitors AWS CloudTrail for occurrences of theDeleteLogGroupevent, which indicates when a CloudWatch log group is deleted. CloudWatch log groups are essential for monitoring and logging application and system activity, providing insights for performance and security analysis. Unauthorized deletion of log groups can severely disrupt monitoring capabilities, hindering the ability to track application behavior or investigate security incidents.

50

AWS RDS Security Group Deletion

This detection helps in identifying the deletion of an Amazon RDS security group, which can impact database access and security. Monitoring such changes is crucial for maintaining the integrity and security of RDS resources.

51

AWS EventBridge Rule Disabled or Deleted

This detection monitors AWS CloudTrail for events related to the disabling or deletion of EventBridge rules. Monitoring these activities is crucial as rules govern the flow of events and actions within AWS environments, and unauthorized changes can disrupt workflows and indicate potential malicious activity.

52

AWS Route 53 Domain Transferred to Another Account

This detection monitors AWS CloudTrail for occurrences of theTransferDomainToAnotherAwsAccountevent, which is logged when a domain managed by AWS Route 53 is transferred to a different AWS account. Domain transfers to external accounts can indicate changes in ownership or, if unauthorized, potential domain hijacking or account compromise.

53

AWS Root Login Without MFA

This detection monitors AWS root account login attempts that occur without multi-factor authentication (MFA). Using the root account without MFA increases the risk of unauthorized access to your AWS resources.

54

Detection of High-Frequency Access to Specific Endpoints

This detection identifies high-frequency access to specific endpoints within a given time frame, which can signal automated or suspicious behavior targeting sensitive APIs or resources. By monitoring requests to a designated URI pattern, this rule helps identify abnormal access patterns, such as API abuse, scraping, or potential brute-force attempts on sensitive endpoints.

55

Anonymous Proxy Usage Detection

This detection monitors for the usage of anonymous proxies in AWS WAF (Web Application Firewall) logs. Identifying high volumes of traffic from anonymous proxies can help detect potential abusive or malicious activity aimed at applications behind the WAF.

56

Rate-Limiting Violations Detection

This detection identifies rate-limiting violations where requests are blocked due to exceeding predefined thresholds. Such violations are often triggered by automated or abusive traffic, which can overwhelm resources or bypass security measures. By focusing on theAWSManagedRulesCommonRuleSetorAWSManagedRulesAmazonIpReputationListrules in AWS WAF logs, this rule helps capture IPs generating excessive requests and violating rate-limits.

57

AWS WAF Access Control List Deletion

This detection identifies instances where an AWS WAF Access Control List (ACL) is deleted. Deleting a Web ACL removes its protective rules from the application layer, potentially leaving the application more vulnerable to attacks. Monitoring such deletions is critical, as malicious actors could attempt to disable security layers by deleting ACLs.

58

AWS WAF Rule or Rule Group Deletion

This detection identifies instances where AWS WAF rules or rule groups are deleted. Rules and rule groups are critical to managing security policies at the application layer. Deleting these resources could weaken the protection of the application by removing important security controls, potentially exposing it to unauthorized access or attacks. Monitoring such deletions helps in identifying potential malicious actions or misconfigurations.

59

Large Request Body Size Inspection

This detection identifies instances where a large request body size is allowed through AWS WAF. Requests with unusually large body sizes may indicate potential attempts to upload malicious content or abuse system resources.

60

Anomalous HTTP Method Alert

This detection identifies anomalous HTTP methods in incoming requests that may indicate suspicious or probing activity. HTTP methods other than the commonGETandPOSTcan sometimes be used by attackers to bypass security controls or exploit misconfigured servers. By identifying requests with unusual HTTP methods, this detection rule can help you spot potential reconnaissance or attack attempts.

61

SQL Injection Attempt Detection

This detection identifies blocked SQL injection (SQLi) attempts, which are flagged by AWS WAF using the AWSManagedRulesSQLiRuleSet. SQL injection is a type of attack where an adversary attempts to inject malicious SQL statements into an application’s input fields, targeting the backend database for unauthorized access or data manipulation. AWS WAF’s managed rule set helps detect and block these attempts by identifying known SQL injection patterns.

62

Identification of Unusual HTTP Methods

This detection identifies requests that use unusual or non-standard HTTP methods, which could be indicative of malicious activity. Attackers often use methods other than common ones like GET, POST, PUT, HEAD, or OPTIONS in attempts to bypass security controls or exploit vulnerabilities.

63

Detection of Requests from Known Malicious IPs

This detection identifies requests coming from known malicious IP addresses by cross-referencing public IP addresses observed in AWS WAF logs with a lookup of IPs flagged by external threat intelligence feeds, such as GreenSnow.

64

Repeated Rule Violations from Specific IPs

This detection identifies IP addresses that trigger repeated rule violations in AWS WAF over a short period. Such activity often indicates an attacker probing the web application firewall (WAF) for weaknesses or attempting to bypass protections.

65

Detection of High-Frequency IP Requests

This detection identifies instances where an IP address exceeds the allowed request frequency as defined by the AWS WAF rate-based rules. High-frequency requests may indicate potential DDoS attacks or other malicious activities.

66

Excessive Request Rate by Source IP

This detection identifies excessive request rates from a single source IP address, which may indicate abusive behavior such as denial-of-service (DoS) attacks, automated scraping, or brute-force attempts. Monitoring and analyzing these request rates helps organizations protect their resources and maintain service availability.

67

Identification of Cross-Site Scripting  Attempts

This detection identifies attempts to exploit Cross-Site Scripting (XSS) vulnerabilities in web applications. Adversaries can inject malicious scripts into web pages, which, when viewed by other users, can lead to compromised sessions, stolen sensitive data, or unauthorized actions. By analyzing patterns in user inputs and web requests, organizations can proactively detect and mitigate XSS attacks.

68

Blocked Requests from Known IPs

This detection identifies instances where multiple requests have been blocked by AWS WAF from known malicious IP addresses, as flagged by theAWSManagedRulesAmazonIpReputationList. Monitoring and analyzing requests blocked from these IPs can reveal potential probing or attack attempts from sources with a history of malicious activity.

69

Potential Abuse of services

This detection identifies potential abuse of services by monitoring requests that exceed a threshold of 150 within a specific time frame. Such high request volumes from the same IP address or country may indicate automated or malicious activity, such as botnets, scraping, or abuse of APIs or web applications. Monitoring these behaviors can help identify misuse or unauthorized access attempts.

70

Increase in Traffic Volume for specific IP

This detection identifies a significant increase in the traffic volume from a specific IP address in AWS WAF logs. Such spikes in traffic may indicate the presence of abnormal or potentially malicious activities, such as attempts to overwhelm the web server or exploit vulnerabilities.

71

Web Access Control List Modified

This detection identifies instances where Web Access Control Lists (Web ACLs) in AWS WAF are modified. Web ACLs are critical components in managing security policies for web applications by controlling traffic based on defined rules. Any unauthorized or unintended modification could alter security controls, potentially exposing the application to security risks. Monitoring these modifications helps in identifying potential misconfigurations or malicious actions.

72

Threats Blocked by WAF from a Single IP

This detection identifies instances where multiple threats are blocked by AWS WAF from a single source IP within a short time frame. A high number of blocked requests from the same IP address often indicates malicious activity, such as probing, brute-force attempts, or other attacks that AWS WAF mitigates. Monitoring these events enables early detection of potential threats and helps in identifying IPs exhibiting suspicious behavior.

73

Suspicious User-Agent Detection

This detection identifies suspicious User-Agent strings in AWS WAF logs, which can indicate automated tools or scripts being used for malicious activities, such as scanning, scraping, or testing for vulnerabilities in web applications.

New Dashboards

Name

AWS - Cloudtrail - IAM and Security Activity

AWS - Cloudtrail - Operations and Access Management

AWS - WAF - Monitoring Insights

AWS - WAF - Security Monitoring

New Reports

Name

AWS - Cloudtrail - Cloud Resource Activity Monitor

AWS - Cloudtrail - System Monitoring Report

AWS - Cloudtrail - Operations Monitoring Report

AWS - WAF - Monitoring Report

AWS - WAF - Security Report