Skip to content

Latest commit

 

History

History
19 lines (17 loc) · 11.9 KB

ds_amazon_aws_guardduty.md

File metadata and controls

19 lines (17 loc) · 11.9 KB
Raw

Vendor: Amazon

Product: AWS GuardDuty

Rules Models MITRE ATT&CK® TTPs Activity Types Parsers
40 16 8 2 24
Use-Case Activity Types (Legacy Event Type)/Parsers MITRE ATT&CK® TTP Content
Compromised Credentials database-login:success (database-login)
amazon-awsguardduty-json-database-login-success-rdssuccessfullogin

alert-trigger:success (security-alert)
amazon-awsguardduty-sk4-alert-trigger-success-suspiciousfile-1
amazon-awsguardduty-sk4-alert-trigger-success-torclient
amazon-awsguardduty-sk4-alert-trigger-success-suspiciousfile-2
amazon-awsguardduty-sk4-alert-trigger-success-suspiciousfile-3
amazon-awsguardduty-sk4-alert-trigger-success-bucketblockpublicaccessdisabled
amazon-awsguardduty-sk4-alert-trigger-success-maliciousfile-1
amazon-awsguardduty-sk4-alert-trigger-success-maliciousfile
amazon-awsguardduty-sk4-alert-trigger-success-reconportscan
amazon-awsguardduty-sk4-alert-trigger-success-maliciousfile-2
amazon-awsguardduty-sk4-alert-trigger-success-sshbruteforce-1
amazon-awsguardduty-sk4-alert-trigger-success-maliciousfile-3
amazon-awsguardduty-sk4-alert-trigger-success-toripcaller
amazon-awsguardduty-sk4-alert-trigger-success-sshbruteforce
amazon-awsguardduty-json-alert-trigger-success-guardduty-portprobeunprotectedport
amazon-awsguardduty-sk4-alert-trigger-success-anomalousbehavior
amazon-awsguardduty-cef-alert-trigger-success-catsecurity
amazon-awsguardduty-json-alert-trigger-success-execinkubesystempod
amazon-awsguardduty-sk4-alert-trigger-success-instancecredentialexfiltration
amazon-awsguardduty-sk4-alert-trigger-success-guardduty
amazon-awsguardduty-json-alert-trigger-success-sshbruteforce
amazon-awsguardduty-sk4-alert-trigger-success-anomalousbehavior-1
amazon-awsguardduty-sk4-alert-trigger-success-guardduty-1
amazon-awsguardduty-sk4-alert-trigger-success-guardduty-2
amazon-awsguardduty-sk4-alert-trigger-success-guardduty-4
amazon-awsguardduty-json-alert-trigger-success-catchall
amazon-awsguardduty-sk4-alert-trigger-success-suspiciousfile
amazon-awsguardduty-sk4-alert-trigger-success-rootcredentialusage
amazon-awsguardduty-sk4-alert-trigger-success-suspiciousfile-1
amazon-awsguardduty-sk4-alert-trigger-success-torclient
amazon-awsguardduty-sk4-alert-trigger-success-suspiciousfile-2
amazon-awsguardduty-sk4-alert-trigger-success-suspiciousfile-3
amazon-awsguardduty-sk4-alert-trigger-success-bucketblockpublicaccessdisabled
amazon-awsguardduty-sk4-alert-trigger-success-maliciousfile-1
amazon-awsguardduty-sk4-alert-trigger-success-maliciousfile
amazon-awsguardduty-sk4-alert-trigger-success-reconportscan
amazon-awsguardduty-sk4-alert-trigger-success-maliciousfile-2
amazon-awsguardduty-sk4-alert-trigger-success-sshbruteforce-1
amazon-awsguardduty-sk4-alert-trigger-success-maliciousfile-3
amazon-awsguardduty-sk4-alert-trigger-success-toripcaller
amazon-awsguardduty-sk4-alert-trigger-success-sshbruteforce
amazon-awsguardduty-json-alert-trigger-success-guardduty-portprobeunprotectedport
amazon-awsguardduty-sk4-alert-trigger-success-anomalousbehavior
amazon-awsguardduty-cef-alert-trigger-success-catsecurity
amazon-awsguardduty-json-alert-trigger-success-execinkubesystempod
amazon-awsguardduty-sk4-alert-trigger-success-instancecredentialexfiltration
amazon-awsguardduty-sk4-alert-trigger-success-guardduty
amazon-awsguardduty-json-alert-trigger-success-sshbruteforce
amazon-awsguardduty-sk4-alert-trigger-success-anomalousbehavior-1
amazon-awsguardduty-sk4-alert-trigger-success-guardduty-1
amazon-awsguardduty-sk4-alert-trigger-success-guardduty-2
amazon-awsguardduty-sk4-alert-trigger-success-guardduty-4
amazon-awsguardduty-json-alert-trigger-success-catchall
amazon-awsguardduty-sk4-alert-trigger-success-suspiciousfile
amazon-awsguardduty-sk4-alert-trigger-success-rootcredentialusage
 T1027 - Obfuscated Files or Information
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public Fasing Application
T1213 - Data from Information Repositories
  • 33 Rules
  • 14 Models
Data Access database-login:success (database-login)
amazon-awsguardduty-json-database-login-success-rdssuccessfullogin
 T1213 - Data from Information Repositories
  • 10 Rules
  • 5 Models
Next Page -->>

MITRE ATT&CK® Framework for Enterprise

Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
External Remote Services

Valid Accounts

Exploit Public Fasing Application

 External Remote Services

Valid Accounts

 Valid Accounts

Exploitation for Privilege Escalation

 Obfuscated Files or Information: Indicator Removal from Tools

Valid Accounts

Obfuscated Files or Information

 Data from Information Repositories