Skip to content

Latest commit

 

History

History
26 lines (24 loc) · 14.3 KB

ds_amazon_aws_cloudwatch.md

File metadata and controls

26 lines (24 loc) · 14.3 KB

Vendor: Amazon

Product: AWS CloudWatch

Rules Models MITRE ATT&CK® TTPs Activity Types Parsers
126 46 32 3 6
Use-Case Activity Types (Legacy Event Type)/Parsers MITRE ATT&CK® TTP Content
Abnormal Authentication & Access http-traffic:success (web-activity-allowed)
amazon-awscloudwatch-sk4-http-session-awscloudfront

http-session:fail (web-activity-denied)
amazon-awscloudwatch-sk4-http-session-awscloudfront
 T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 6 Rules
  • 6 Models
Compromised Credentials network-traffic:success (netflow-connection)
amazon-awscloudwatch-sk4-network-traffic-success-awsflowlogs
amazon-awscloudwatch-cef-network-traffic-success-cloudwatch
amazon-awscloudwatch-sk4-network-traffic-success-awss3bucket
amazon-awscloudwatch-mix-network-traffic-success-accept
amazon-awscloudwatch-cef-network-traffic-success-reject

http-traffic:success (web-activity-allowed)
amazon-awscloudwatch-sk4-http-session-awscloudfront

http-session:fail (web-activity-denied)
amazon-awscloudwatch-sk4-http-session-awscloudfront
 T1046 - Network Service Scanning
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 41 Rules
  • 23 Models
Cryptomining http-traffic:success (web-activity-allowed)
amazon-awscloudwatch-sk4-http-session-awscloudfront

http-session:fail (web-activity-denied)
amazon-awscloudwatch-sk4-http-session-awscloudfront
 T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1496 - Resource Hijacking
  • 1 Rules
Data Leak http-traffic:success (web-activity-allowed)
amazon-awscloudwatch-sk4-http-session-awscloudfront

http-session:fail (web-activity-denied)
amazon-awscloudwatch-sk4-http-session-awscloudfront
 T1041 - Exfiltration Over C2 Channel
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
  • 6 Rules
  • 2 Models
Phishing http-traffic:success (web-activity-allowed)
amazon-awscloudwatch-sk4-http-session-awscloudfront

http-session:fail (web-activity-denied)
amazon-awscloudwatch-sk4-http-session-awscloudfront
 T1189 - Drive-by Compromise
T1204 - User Execution
T1204.001 - T1204.001
T1534 - Internal Spearphishing
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1598 - T1598
T1598.003 - T1598.003
  • 3 Rules
Privilege Abuse http-traffic:success (web-activity-allowed)
amazon-awscloudwatch-sk4-http-session-awscloudfront

http-session:fail (web-activity-denied)
amazon-awscloudwatch-sk4-http-session-awscloudfront
 T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 1 Rules
Privileged Activity http-traffic:success (web-activity-allowed)
amazon-awscloudwatch-sk4-http-session-awscloudfront

http-session:fail (web-activity-denied)
amazon-awscloudwatch-sk4-http-session-awscloudfront
 T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
  • 2 Rules
Ransomware http-traffic:success (web-activity-allowed)
amazon-awscloudwatch-sk4-http-session-awscloudfront

http-session:fail (web-activity-denied)
amazon-awscloudwatch-sk4-http-session-awscloudfront
 T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Workforce Protection http-traffic:success (web-activity-allowed)
amazon-awscloudwatch-sk4-http-session-awscloudfront
 T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 4 Rules
  • 2 Models
Next Page -->>

MITRE ATT&CK® Framework for Enterprise

Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
Phishing: Spearphishing Link

Valid Accounts

Drive-by Compromise

Exploit Public Fasing Application

Phishing

 User Execution

 Valid Accounts

 Valid Accounts

 Valid Accounts

 Network Service Scanning

Remote System Discovery

 Exploitation of Remote Services

Remote Services

Remote Services: Remote Desktop Protocol

Internal Spearphishing

 Web Service

Application Layer Protocol: File Transfer Protocols

Application Layer Protocol: Web Protocols

Dynamic Resolution

Dynamic Resolution: Domain Generation Algorithms

Proxy: Multi-hop Proxy

Application Layer Protocol

Proxy

 Exfiltration Over Alternative Protocol

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

Exfiltration Over C2 Channel

Exfiltration Over Web Service: Exfiltration to Cloud Storage

Exfiltration Over Web Service

 Resource Hijacking