Amazon Web Services



| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | Security - Cloud Security |
| Version | 3.0.10 |
| Author | Microsoft |
| First Published | 2022-05-26 |
| Last Updated | 2026-05-29 |
| Solution Folder | Amazon Web Services |
| Marketplace | Azure Marketplace · Popularity: 🟢 High (90%) |

The Amazon Web Services solution for Microsoft Sentinel enables security monitoring of AWS services by ingesting logs from AWS CloudTrail, VPC Flow Logs, Amazon GuardDuty and Amazon CloudWatch; the S3 WAF connector additionally ingests AWS WAF logs into the AWSWAF table.

Contents

Data Connectors

This solution provides 3 data connector(s):

- Amazon Web Services
- Amazon Web Services S3
- Amazon Web Services S3 WAF

Tables Used

This solution uses 5 table(s). Only AWSCloudTrail and AWSGuardDuty are queried by the packaged content; AWSCloudWatch, AWSVPCFlow and AWSWAF are populated by the connectors but no analytic rule, hunting query or workbook in this solution reads them, so detections over those tables must be supplied separately.

| Table | Used By Connectors | Used By Content |
|---|---|---|
| AWSCloudTrail | Amazon Web Services, Amazon Web Services S3 | Analytics, Hunting, Workbooks |
| AWSCloudWatch | Amazon Web Services S3 | - |
| AWSGuardDuty | Amazon Web Services S3 | Analytics |
| AWSVPCFlow | Amazon Web Services S3 | - |
| AWSWAF | Amazon Web Services S3 WAF | - |

Content Items

This solution includes 100 content item(s):

| Content Type | Count |
|---|---|
| Analytic Rules | 62 |
| Hunting Queries | 36 |
| Workbooks | 2 |

Analytic Rules

| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| AWSCloudTrail - AWS GuardDuty detector disabled or suspended | High | DefenseEvasion | AWSCloudTrail |
| AWSCloudTrail - Amazon ECR image scanning disabled | Medium | DefenseEvasion | AWSCloudTrail |
| AWSCloudTrail - Changes made to AWS CloudTrail logs | Low | DefenseEvasion | AWSCloudTrail |
| AWSCloudTrail - Changes to AWS Elastic Load Balancer security groups | Low | DefenseEvasion | AWSCloudTrail |
| AWSCloudTrail - Changes to AWS Security Group ingress and egress settings | Low | DefenseEvasion | AWSCloudTrail |
| AWSCloudTrail - Changes to Amazon VPC settings | Low | PrivilegeEscalation, DefenseEvasion | AWSCloudTrail |
| AWSCloudTrail - Changes to internet facing AWS RDS Database instances | Low | Persistence, PrivilegeEscalation, DefenseEvasion | AWSCloudTrail |
| AWSCloudTrail - CloudFormation policy created then used for privilege escalation | High | DefenseEvasion, PrivilegeEscalation, Persistence | AWSCloudTrail |
| AWSCloudTrail - Config Service Resource Deletion Attempts | Low | DefenseEvasion | AWSCloudTrail |
| AWSCloudTrail - Created CRUD S3 policy and then privilege escalation | Medium | DefenseEvasion, PrivilegeEscalation, Persistence | AWSCloudTrail |
| AWSCloudTrail - Creating keys with encrypt policy without MFA | Medium | Impact | AWSCloudTrail |
| AWSCloudTrail - Creation of Access Key for IAM User | Medium | Persistence | AWSCloudTrail |
| AWSCloudTrail - Creation of CRUD DynamoDB policy and then privilege escalation | Medium | DefenseEvasion, PrivilegeEscalation, Persistence | AWSCloudTrail |
| AWSCloudTrail - Creation of CRUD KMS policy and then privilege escalation | Medium | DefenseEvasion, PrivilegeEscalation, Persistence | AWSCloudTrail |
| AWSCloudTrail - Creation of CRUD Lambda policy and then privilege escalation | Medium | DefenseEvasion, PrivilegeEscalation, Persistence | AWSCloudTrail |
| AWSCloudTrail - Creation of DataPipeline policy and then privilege escalation | High | DefenseEvasion, PrivilegeEscalation, Persistence | AWSCloudTrail |
| AWSCloudTrail - Creation of EC2 policy and then privilege escalation | High | DefenseEvasion, PrivilegeEscalation, Persistence | AWSCloudTrail |
| AWSCloudTrail - Creation of Glue policy and then privilege escalation | Medium | DefenseEvasion, PrivilegeEscalation, Persistence | AWSCloudTrail |
| AWSCloudTrail - Creation of Lambda policy and then privilege escalation | Medium | DefenseEvasion, PrivilegeEscalation, Persistence | AWSCloudTrail |
| AWSCloudTrail - Creation of SSM policy and then privilege escalation | Medium | DefenseEvasion, PrivilegeEscalation, Persistence | AWSCloudTrail |
| AWSCloudTrail - Creation of new CRUD IAM policy and then privilege escalation | Medium | DefenseEvasion, PrivilegeEscalation, Persistence | AWSCloudTrail |
| AWSCloudTrail - EC2 Startup Shell Script Changed | Medium | Execution | AWSCloudTrail |
| AWSCloudTrail - ECR image scan findings high or critical | High | Discovery | AWSCloudTrail |
| AWSCloudTrail - Full Admin policy created and then attached to Roles, Users or Groups | Medium | PrivilegeEscalation | AWSCloudTrail |
| AWSCloudTrail - Login to AWS Management Console without MFA | Low | DefenseEvasion, PrivilegeEscalation, Persistence, InitialAccess | AWSCloudTrail |
| AWSCloudTrail - Monitor AWS Credential abuse or hijacking | Low | Discovery | AWSCloudTrail |
| AWSCloudTrail - NRT Login to AWS Management Console without MFA | Low | DefenseEvasion, PrivilegeEscalation, Persistence, InitialAccess | AWSCloudTrail |
| AWSCloudTrail - Network ACL with all the open ports to a specified CIDR | High | DefenseEvasion | AWSCloudTrail |
| AWSCloudTrail - Policy version set to default | Medium | PrivilegeEscalation | AWSCloudTrail |
| AWSCloudTrail - Privilege escalation via CRUD DynamoDB policy | Medium | PrivilegeEscalation | AWSCloudTrail |
| AWSCloudTrail - Privilege escalation via CRUD IAM policy | Medium | PrivilegeEscalation | AWSCloudTrail |
| AWSCloudTrail - Privilege escalation via CRUD KMS policy | Medium | PrivilegeEscalation | AWSCloudTrail |
| AWSCloudTrail - Privilege escalation via CRUD Lambda policy | Medium | PrivilegeEscalation | AWSCloudTrail |
| AWSCloudTrail - Privilege escalation via CRUD S3 policy | Medium | PrivilegeEscalation | AWSCloudTrail |
| AWSCloudTrail - Privilege escalation via CloudFormation policy | Medium | PrivilegeEscalation | AWSCloudTrail |
| AWSCloudTrail - Privilege escalation via DataPipeline policy | Medium | PrivilegeEscalation | AWSCloudTrail |
| AWSCloudTrail - Privilege escalation via EC2 policy | Medium | PrivilegeEscalation | AWSCloudTrail |
| AWSCloudTrail - Privilege escalation via Glue policy | Medium | PrivilegeEscalation | AWSCloudTrail |
| AWSCloudTrail - Privilege escalation via Lambda policy | Medium | PrivilegeEscalation | AWSCloudTrail |
| AWSCloudTrail - Privilege escalation via SSM policy | Medium | PrivilegeEscalation | AWSCloudTrail |
| AWSCloudTrail - Privilege escalation with AdministratorAccess managed policy | Medium | PrivilegeEscalation, Persistence | AWSCloudTrail |
| AWSCloudTrail - Privilege escalation with FullAccess managed policy | Medium | PrivilegeEscalation, Persistence | AWSCloudTrail |
| AWSCloudTrail - Privilege escalation with admin managed policy | Medium | PrivilegeEscalation, Persistence | AWSCloudTrail |
| AWSCloudTrail - RDS instance publicly exposed | Medium | Exfiltration | AWSCloudTrail |
| AWSCloudTrail - S3 Object Exfiltration from Anonymous User | Medium | Collection | AWSCloudTrail |
| AWSCloudTrail - S3 bucket access point publicly exposed | Medium | Exfiltration | AWSCloudTrail |
| AWSCloudTrail - S3 bucket exposed via ACL | Medium | Exfiltration | AWSCloudTrail |
| AWSCloudTrail - S3 bucket exposed via policy | Medium | Exfiltration | AWSCloudTrail |
| AWSCloudTrail - S3 bucket suspicious ransomware activity | High | Impact | AWSCloudTrail |
| AWSCloudTrail - S3 object publicly exposed | Medium | Exfiltration | AWSCloudTrail |
| AWSCloudTrail - SAML update identity provider | High | Persistence | AWSCloudTrail |
| AWSCloudTrail - SSM document is publicly exposed | Medium | Discovery | AWSCloudTrail |
| AWSCloudTrail - Successful API executed from a Tor exit node | High | Execution | AWSCloudTrail |
| AWSCloudTrail - Successful brute force attack on S3 Bucket | High | CredentialAccess | AWSCloudTrail |
| AWSCloudTrail - Suspicious AWS CLI Command Execution | Medium | Reconnaissance | AWSCloudTrail |
| AWSCloudTrail - Suspicious AWS EC2 Compute Resource Deployments | Medium | Impact | AWSCloudTrail |
| AWSCloudTrail - Suspicious command sent to EC2 | High | Execution | AWSCloudTrail |
| AWSCloudTrail - Suspicious overly permissive KMS key policy created | High | Impact | AWSCloudTrail |
| AWSCloudTrail - Tampering to AWS CloudTrail logs | High | DefenseEvasion | AWSCloudTrail |
| AWSCloudTrail - Unauthorized EC2 Instance Setup Attempt | Medium | ResourceDevelopment | AWSCloudTrail |
| AWSCloudTrail - User IAM Enumeration | Medium | Discovery | AWSCloudTrail |
| AWSGuardDuty - GuardDuty Alert | Medium | - | AWSGuardDuty |
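
The rules above are listed by name only; this page does not show the packaged query logic. As an added illustration, not the solution's own rule, the following KQL shows the shape of a detection like "Login to AWS Management Console without MFA" against the AWSCloudTrail table, together with the two caveats a practitioner usually has to tune: failed sign-ins, which belong in a brute-force query rather than here, and federated sign-ins, which CloudTrail records with MFAUsed "No" even when the identity provider enforced MFA. The column names follow the AWSCloudTrail table; the sample rows are constructed, and the account ID, ARNs, user names and IP addresses are placeholders.

```kql
// Added illustrative KQL, not the packaged rule. Column names follow the
// AWSCloudTrail table; the rows below are constructed sample events and the
// account ID, ARNs and IP addresses are placeholders.
let SampleCloudTrail = datatable(
    TimeGenerated: datetime,
    EventName: string,
    EventSource: string,
    UserIdentityType: string,
    UserIdentityArn: string,
    SourceIpAddress: string,
    AdditionalEventData: string,
    ResponseElements: string,
    AwsRegion: string
)[
    // IAM user signing in with MFA: must not alert
    datetime(2026-05-20 08:01:00), "ConsoleLogin", "signin.amazonaws.com", "IAMUser",
        "arn:aws:iam::123456789012:user/alice", "203.0.113.10",
        '{"MFAUsed":"Yes","LoginTo":"https://console.aws.amazon.com/console/home","MobileVersion":"No"}',
        '{"ConsoleLogin":"Success"}', "us-east-1",
    // IAM user signing in successfully without MFA: the true positive
    datetime(2026-05-20 08:05:00), "ConsoleLogin", "signin.amazonaws.com", "IAMUser",
        "arn:aws:iam::123456789012:user/bob", "198.51.100.7",
        '{"MFAUsed":"No","LoginTo":"https://console.aws.amazon.com/console/home","MobileVersion":"No"}',
        '{"ConsoleLogin":"Success"}', "us-east-1",
    // Root without MFA, but the sign-in failed: a credential-access signal, not a no-MFA login
    datetime(2026-05-20 08:06:00), "ConsoleLogin", "signin.amazonaws.com", "Root",
        "arn:aws:iam::123456789012:root", "198.51.100.7",
        '{"MFAUsed":"No","LoginTo":"https://console.aws.amazon.com/console/home","MobileVersion":"No"}',
        '{"ConsoleLogin":"Failure"}', "us-east-1",
    // Federated (SAML / IAM Identity Center) sign-in: MFA enforced by the IdP, CloudTrail still reports "No"
    datetime(2026-05-20 08:10:00), "ConsoleLogin", "signin.amazonaws.com", "AssumedRole",
        "arn:aws:sts::123456789012:assumed-role/SSO-Admin/carol@example.com", "192.0.2.44",
        '{"MFAUsed":"No","LoginTo":"https://console.aws.amazon.com/console/home","MobileVersion":"No"}',
        '{"ConsoleLogin":"Success"}', "us-east-1"
];
// In a workspace, replace SampleCloudTrail with: AWSCloudTrail | where TimeGenerated > ago(1h)
SampleCloudTrail
| where EventSource == "signin.amazonaws.com" and EventName == "ConsoleLogin"
| extend MFAUsed     = tostring(parse_json(AdditionalEventData).MFAUsed),
         LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)
// Only successful sign-ins matter for this rule; failures feed a brute-force query instead
| where LoginResult == "Success" and MFAUsed != "Yes"
// Federated principals show MFAUsed "No" even when the IdP required MFA; excluding them
// removes a steady false positive. Tune this to your own federation ARN patterns.
| where UserIdentityType !in ("AssumedRole", "FederatedUser")
| project TimeGenerated, UserIdentityType, UserIdentityArn, SourceIpAddress, AwsRegion, MFAUsed
```

The query runs as written in any Log Analytics workspace because the input is an inline datatable; against the sample it returns the single row for arn:aws:iam::123456789012:user/bob. When pointed at the real AWSCloudTrail table, keep the AssumedRole exclusion narrow (for example, match only your identity provider's role ARNs) so that an attacker who assumes a role with stolen long-lived keys is not silently dropped along with legitimate SSO sessions.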

Hunting Queries

| Name | Tactics | Tables Used |
|---|---|---|
| AWSCloudTrail - AWS STS token suspicious activity from EC2 | CredentialAccess, LateralMovement | AWSCloudTrail |
| AWSCloudTrail - Activity in unused or unsupported cloud regions | DefenseEvasion | AWSCloudTrail |
| AWSCloudTrail - EC2 Instance Launched Without Key Pair | Execution | AWSCloudTrail |
| AWSCloudTrail - ECR Container Image Low Severity Findings | Execution | AWSCloudTrail |
| AWSCloudTrail - ECR Container Image Medium Severity Findings | Execution | AWSCloudTrail |
| AWSCloudTrail - Failed Brute Force on S3 Bucket | Discovery | AWSCloudTrail |
| AWSCloudTrail - High Volume of Enumeration Events | Discovery | AWSCloudTrail |
| AWSCloudTrail - IAM AccessDenied discovery events | Discovery | AWSCloudTrail |
| AWSCloudTrail - IAM Assume Role Brute Force | CredentialAccess, PrivilegeEscalation | AWSCloudTrail |
| AWSCloudTrail - IAM CreateLoginProfile Activity | Persistence, PrivilegeEscalation | AWSCloudTrail |
| AWSCloudTrail - IAM New Access Key Created for User | Persistence, PrivilegeEscalation | AWSCloudTrail |
| AWSCloudTrail - IAM Policy Change Activity | PrivilegeEscalation, DefenseEvasion | AWSCloudTrail |
| AWSCloudTrail - IAM Policy with Excessive Wildcard Permissions | PrivilegeEscalation | AWSCloudTrail |
| AWSCloudTrail - IAM Privilege Escalation by Instance Profile Attachment | PrivilegeEscalation | AWSCloudTrail |
| AWSCloudTrail - IAM Privileged Role Attached to Instance | PrivilegeEscalation | AWSCloudTrail |
| AWSCloudTrail - IAM Risky Role Name Created | Persistence, PrivilegeEscalation | AWSCloudTrail |
| AWSCloudTrail - IAM login profile updated | Persistence | AWSCloudTrail |
| AWSCloudTrail - IAM suspicious STS AssumeRole from unseen identity | InitialAccess, DefenseEvasion, PrivilegeEscalation | AWSCloudTrail |
| AWSCloudTrail - IAM user and group object changes | PrivilegeEscalation, DefenseEvasion | AWSCloudTrail |
| AWSCloudTrail - Lambda function code updated | Execution, Persistence | AWSCloudTrail |
| AWSCloudTrail - Lambda function throttled | Impact | AWSCloudTrail |
| AWSCloudTrail - Lambda layer imported from external account | Persistence, DefenseEvasion | AWSCloudTrail |
| AWSCloudTrail - Multiple Failed Login Attempts Without MFA | CredentialAccess | AWSCloudTrail |
| AWSCloudTrail - Network ACL entry deleted | DefenseEvasion | AWSCloudTrail |
| AWSCloudTrail - RDS Master Password Changed | Persistence, PrivilegeEscalation | AWSCloudTrail |
| AWSCloudTrail - Root User New Access Key Created | Persistence, PrivilegeEscalation | AWSCloudTrail |
| AWSCloudTrail - Route table attribute modifications | DefenseEvasion | AWSCloudTrail |
| AWSCloudTrail - S3 Bucket Deleted | Impact | AWSCloudTrail |
| AWSCloudTrail - S3 Bucket Encryption Configuration Modified | Impact | AWSCloudTrail |
| AWSCloudTrail - S3 Bucket Versioning Suspended | Impact | AWSCloudTrail |
| AWSCloudTrail - STS Token Suspicious Activity from Kubernetes Worker Node | CredentialAccess, LateralMovement | AWSCloudTrail |
| AWSCloudTrail - STS Token Suspicious Activity from Lambda | CredentialAccess, LateralMovement | AWSCloudTrail |
| AWSCloudTrail - STS token suspicious activity from ECS | CredentialAccess, LateralMovement | AWSCloudTrail |
| AWSCloudTrail - STS token suspicious activity from Glue | CredentialAccess, LateralMovement | AWSCloudTrail |
| AWSCloudTrail - Subnet attribute modifications | DefenseEvasion | AWSCloudTrail |
| AWSCloudTrail - VPC attribute modifications | DefenseEvasion | AWSCloudTrail |

Workbooks

| Name | Tables Used |
|---|---|
| AmazonWebServicesNetworkActivities | AWSCloudTrail |
| AmazonWebServicesUserActivities | AWSCloudTrail |

Release Notes

| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.10 | 19-05-2026 | Added non-analytics tier queries to Amazon Web Services S3 Data Connector to support Basic/Auxiliary plan tables. |
| 3.0.9 | 18-05-2026 | Update AWS Hunting Queries and Workbooks for Quality |
| 3.0.8 | 13-01-2026 | Updated non-functional links from Analytic rules and Hunting query |
| 3.0.7 | 28-07-2025 | Fix ChangeToVPC Analytic Rule to ensure it excludes changes to API Gateway |
| 3.0.6 | 13-06-2025 | Updated Amazon Web Services S3 Data connector to include details for the default output format. |
| 3.0.5 | 10-02-2025 | Repackaged to fix ccp grid showing only 1 record and rename of file |
| 3.0.4 | 13-12-2024 | Updated title of Analytic Rule - AWS_LogTampering.yaml |
| 3.0.3 | 27-05-2024 | Updated Hunting Query AWS_FailedBruteForceS3Bucket.yaml and Analytic Rules for missing TTP |
| 3.0.2 | 05-04-2024 | Updated awsS3 Data connector, added new Data Type CloudWatch |
| 3.0.1 | 22-12-2023 | Added new Analytic Rule (AWS Config Service Resource Deletion Attempts) |
| 3.0.0 | 04-12-2023 | Updated Analytical Rule AWS_GuardDuty_template with entity mappings |
