
[New Rule] AWS - possible compromised access keys [ML] #1919

Open
@guyrdahan

Description

AWS IAM users can generate access key credentials to be used in the CLI or other API applications. In case of access key + secret leakage it might be difficult to detect the malicious activity; it is possible, based on AWS CloudTrail logs and a machine learning job, to detect possible compromised access keys.

Required Info

Target indexes

logs-aws*

Additional requirements

Machine Learning

Platforms

AWS Cloudtrail

Tested ECS Version

1.6.0

Optional Info

https://www.linkedin.com/pulse/detecting-compromised-access-key-aws-guy-dahan

Query

Based on an ML job, score threshold 50.

New fields required in ECS/data sources for this rule?

user_identity.accessKeyId

Example Data
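The issue gives no sample data, so the following is an added illustration (not the issue author's code and not Elastic's ML job): a simple per-access-key novelty scorer over constructed CloudTrail records that stands in for the proposed ML job, pivots on the `accessKeyId` field the issue asks for, and applies the score threshold of 50. The feature weights, the sample records and the key id are assumptions made for illustration.

```python
# Added example (not from the issue or Elastic's rule): a per-access-key novelty
# scorer over CloudTrail records, a stand-in for the ML job the issue proposes.
# Pivot field: userIdentity.accessKeyId; alert when score >= 50.
import json
from collections import defaultdict

SCORE_THRESHOLD = 50  # mirrors the "score threshold 50" in the issue

# Attributes whose first-time appearance for a given key raise the score.
# Weights are an assumption for illustration, not the ML job's feature set.
WEIGHTS = {"sourceIPAddress": 40, "userAgent": 25, "awsRegion": 20, "eventName": 15}

def score_events(events):
    """Return [(accessKeyId, eventName, score)] for every keyed event, learning
    each key's baseline as events arrive in time order."""
    baseline = defaultdict(lambda: defaultdict(set))
    results = []
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if not key:  # console logins / sessions without an access key are out of scope
            continue
        seen = baseline[key]
        score = 0
        for attr, weight in WEIGHTS.items():
            value = ev.get(attr)
            if seen[attr] and value not in seen[attr]:  # novel only once a baseline exists
                score += weight
            seen[attr].add(value)
        results.append((key, ev["eventName"], score))
    return results

def compromised_keys(events, threshold=SCORE_THRESHOLD):
    """Access keys with at least one event scoring at or above the threshold."""
    return sorted({k for k, _, s in score_events(events) if s >= threshold})

# Constructed sample CloudTrail records (not real data); the key id is a placeholder.
SAMPLE = [json.loads(line) for line in """
{"eventName":"PutObject","awsRegion":"eu-west-1","sourceIPAddress":"203.0.113.10","userAgent":"aws-cli/2.13.0","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLEKEY000001"}}
{"eventName":"PutObject","awsRegion":"eu-west-1","sourceIPAddress":"203.0.113.10","userAgent":"aws-cli/2.13.0","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLEKEY000001"}}
{"eventName":"GetObject","awsRegion":"eu-west-1","sourceIPAddress":"203.0.113.10","userAgent":"aws-cli/2.13.0","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLEKEY000001"}}
{"eventName":"ListBuckets","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.77","userAgent":"Boto3/1.28.0","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLEKEY000001"}}
{"eventName":"ConsoleLogin","awsRegion":"eu-west-1","sourceIPAddress":"203.0.113.20","userAgent":"Mozilla/5.0","userIdentity":{"type":"IAMUser"}}
""".strip().splitlines()]

if __name__ == "__main__":
    for key, name, score in score_events(SAMPLE):
        print(key, name, score, "ALERT" if score >= SCORE_THRESHOLD else "")
```

The fourth record (new source IP, user agent and region for a key that previously only did S3 work from one place) scores 100 and trips the threshold, while a single new API name alone stays below it.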
