A new Alert Pack has been released on Devo Exchange!
Alert Pack: AWS
This out of the box alert pack brings you alerts that can help you quickly obtain quick coverage of your AWS environment. This Alert pack contains over 50 Alerts!
Security Operations Application is not required for this pack. However if you do have the Security Operations Application you can download these alerts from the Content Manager and benefit from additional data enrichments.
Learn more in our Documentation Portal!
Download Directly from Devo Exchange!
Here is a sample of 5 of the alerts included in this pack
SecOpsAWSCreateaccesskey - This search looks for AWS CloudTrail events where a user, who already has permission to create access keys, makes an API call to create access keys for a second user.
SecOpsAWSUpdateloginprofile - A user has updated the login profile of a different user. This could indicate that a privilege escalation is being performed leveraging the user which login profile has been updated.
SecOpsAwsRoleCreated - Detects actions taken to create new IAM roles in AWS.
SecOpsAWSIAMPolicyAppliedToRole - It was detected that a policy has been attached to a role, these kind of events should be checked since they could be granting excessive access permissions to AWS services or resources.
SecOpsLog4ShellVulnerabilityCloudAWS - Checks for attempts of exploiting CVE-2021-44228 as known as Log4shell. The query contained in this alert can generate high volumes of events due to the nature of the attack pattern. Tunning the alert to your environment is recommended.