Cloud Recon to Change Detector
The Cloud Recon to Change Detector identifies unusual exfiltration of AWS RDS and related AWS service data by a user. Secureworks® Taegis™ XDR records users’ API usage at the API action name level and scans incoming events for behavior that statistically exceeds what has been previously observed. This detector correlates anomalous behaviors for multiple event names, across different categories of event name, to alert malicious activity with higher confidence.
Cloud Recon to Change Alert
Requirements ⫘
This detector requires the following data sources, integrations, or schemas:
- Cloud User Unusual Recon
- Cloud User Unusual State Modification
Inputs ⫘
Detections are from the following normalized sources:
- AWS CloudAudit
Each sub-detector scans for events in fixed time windows for occurrences where the number of events with the same event name is higher than the number generated by the user. The sub-detectors scan for different sets of event names and uses different thresholds for what is defined as anomalous. Detections from these sub-detectors are not searchable in XDR.
Event names with behaviors categorized reconnaissance or state modification are decided by internal definition. Reconnaissance events are associated with users gathering information in the cloud environment; state change denotes actions where the user copies, deletes, or otherwise changes cloud data.
Reconnaissance and state modification detections are correlated for the same user. If an anomalous reconnaissance behavior is followed by an anomalous state modification behavior within a short window, an alert is created.
The Cloud Recon to Change Detector supports AWS CloudAudit events. The API action logged in the event must be an exact match to one of the reconnaissance or state modification actions that the sub-detectors are scanning for.
Outputs ⫘
Alerts from this detector are pushed to the XDR Alert Database and Alert Triage Dashboard.
Configuration Options ⫘
This detector is enabled by default when the required data sources or integrations are available in the tenant.
MITRE ATT&CK Category ⫘
- MITRE Enterprise ATT&CK - Cloud Service Discovery. For more information, see MITRE Technique T1526.
Detector Testing ⫘
This detector does not have a supported testing method, though an Advanced Search will verify if alerts originated with this detector.
Note
If no supported testing method is available, an Advanced Search will show you if any alerts came from this detector if a qualifying event was observed. A search with no results does not indicate the detector is not working. A lack of search results for the detector may only indicate that the specific attack has not been observed in the tenant. However, it could indicate the underlying data is not available. Ensure the required schemas are provided in Data Sources along with the supported device type(s) for that schema.
FROM alert WHERE metadata.creator.detector.detector_id='app:detect:cloud-unusual-recon-user'
References ⫘
- Schemas