Amazon Web Services





Attribute | Value
--- | ---
Publisher | Microsoft Corporation
Support Tier | Microsoft
Support Link | https://support.microsoft.com
Categories | domains
Version | 3.0.7
Author | Microsoft
First Published | 2022-05-26
Last Updated | 2026-01-14
Solution Folder | Amazon Web Services
Marketplace | Azure Marketplace · Popularity: 🟢 High (89%)

The Amazon Web Services solution for Microsoft Sentinel enables security monitoring of AWS services by ingesting logs from AWS CloudTrail, VPC Flow Logs, AWS GuardDuty and AWS CloudWatch (and, through the Amazon Web Services S3 WAF connector, AWS WAF logs).

Contents

Data Connectors

This solution provides 3 data connector(s), the three named in the Tables Used column below:

Amazon Web Services
Amazon Web Services S3
Amazon Web Services S3 WAF

Tables Used

This solution uses 5 table(s):

Table | Used By Connectors | Used By Content
--- | --- | ---
AWSCloudTrail | Amazon Web Services, Amazon Web Services S3 | Analytics, Hunting, Workbooks
AWSCloudWatch | Amazon Web Services S3 | -
AWSGuardDuty | Amazon Web Services S3 | Analytics
AWSVPCFlow | Amazon Web Services S3 | -
AWSWAF | Amazon Web Services S3 WAF | -

Content Items

This solution includes 100 content item(s):

Content Type | Count
--- | ---
Analytic Rules | 62
Hunting Queries | 36
Workbooks | 2

Analytic Rules

Name | Severity | Tactics | Tables Used
--- | --- | --- | ---
AWS Config Service Resource Deletion Attempts | Low | DefenseEvasion | AWSCloudTrail
AWS Guard Duty Alert | Medium | - | AWSGuardDuty
Automatic image scanning disabled for ECR | Medium | DefenseEvasion | AWSCloudTrail
Changes made to AWS CloudTrail logs | Low | DefenseEvasion | AWSCloudTrail
Changes to AWS Elastic Load Balancer security groups | Low | Persistence | AWSCloudTrail
Changes to AWS Security Group ingress and egress settings | Low | Persistence | AWSCloudTrail
Changes to Amazon VPC settings | Low | PrivilegeEscalation, LateralMovement | AWSCloudTrail
Changes to internet facing AWS RDS Database instances | Low | Persistence | AWSCloudTrail
CloudFormation policy created then used for privilege escalation | High | PrivilegeEscalation | AWSCloudTrail
Created CRUD S3 policy and then privilege escalation | Medium | PrivilegeEscalation | AWSCloudTrail
Creating keys with encrypt policy without MFA | Medium | Impact | AWSCloudTrail
Creation of Access Key for IAM User | Medium | Persistence | AWSCloudTrail
Creation of CRUD DynamoDB policy and then privilege escalation. | Medium | PrivilegeEscalation | AWSCloudTrail
Creation of CRUD KMS policy and then privilege escalation | Medium | PrivilegeEscalation | AWSCloudTrail
Creation of CRUD Lambda policy and then privilege escalation | Medium | PrivilegeEscalation | AWSCloudTrail
Creation of DataPipeline policy and then privilege escalation. | High | PrivilegeEscalation | AWSCloudTrail
Creation of EC2 policy and then privilege escalation | High | PrivilegeEscalation | AWSCloudTrail
Creation of Glue policy and then privilege escalation | Medium | PrivilegeEscalation | AWSCloudTrail
Creation of Lambda policy and then privilege escalation | Medium | PrivilegeEscalation | AWSCloudTrail
Creation of SSM policy and then privilege escalation | Medium | PrivilegeEscalation | AWSCloudTrail
Creation of new CRUD IAM policy and then privilege escalation. | Medium | PrivilegeEscalation | AWSCloudTrail
EC2 Startup Shell Script Changed | Medium | Execution | AWSCloudTrail
ECR image scan findings high or critical | High | Execution | AWSCloudTrail
Full Admin policy created and then attached to Roles, Users or Groups | Medium | PrivilegeEscalation, DefenseEvasion | AWSCloudTrail
GuardDuty detector disabled or suspended | High | DefenseEvasion | AWSCloudTrail
Login to AWS Management Console without MFA | Low | DefenseEvasion, PrivilegeEscalation, Persistence, InitialAccess | AWSCloudTrail
Monitor AWS Credential abuse or hijacking | Low | Discovery | AWSCloudTrail
NRT Login to AWS Management Console without MFA | Low | DefenseEvasion, PrivilegeEscalation, Persistence, InitialAccess | AWSCloudTrail
Network ACL with all the open ports to a specified CIDR | High | DefenseEvasion | AWSCloudTrail
Policy version set to default | Medium | InitialAccess | AWSCloudTrail
Privilege escalation via CRUD DynamoDB policy | Medium | PrivilegeEscalation | AWSCloudTrail
Privilege escalation via CRUD IAM policy | Medium | PrivilegeEscalation | AWSCloudTrail
Privilege escalation via CRUD KMS policy | Medium | PrivilegeEscalation | AWSCloudTrail
Privilege escalation via CRUD Lambda policy | Medium | PrivilegeEscalation | AWSCloudTrail
Privilege escalation via CRUD S3 policy | Medium | PrivilegeEscalation | AWSCloudTrail
Privilege escalation via CloudFormation policy | Medium | PrivilegeEscalation | AWSCloudTrail
Privilege escalation via DataPipeline policy | Medium | PrivilegeEscalation | AWSCloudTrail
Privilege escalation via EC2 policy | Medium | PrivilegeEscalation | AWSCloudTrail
Privilege escalation via Glue policy | Medium | PrivilegeEscalation | AWSCloudTrail
Privilege escalation via Lambda policy | Medium | PrivilegeEscalation | AWSCloudTrail
Privilege escalation via SSM policy | Medium | PrivilegeEscalation | AWSCloudTrail
Privilege escalation with AdministratorAccess managed policy | Medium | PrivilegeEscalation | AWSCloudTrail
Privilege escalation with FullAccess managed policy | Medium | PrivilegeEscalation | AWSCloudTrail
Privilege escalation with admin managed policy | Medium | PrivilegeEscalation | AWSCloudTrail
RDS instance publicly exposed | Medium | Exfiltration | AWSCloudTrail
S3 Object Exfiltration from Anonymous User | Medium | Collection | AWSCloudTrail
S3 bucket access point publicly exposed | Medium | Exfiltration | AWSCloudTrail
S3 bucket exposed via ACL | Medium | Exfiltration | AWSCloudTrail
S3 bucket exposed via policy | Medium | Exfiltration | AWSCloudTrail
S3 bucket suspicious ransomware activity | High | Impact | AWSCloudTrail
S3 object publicly exposed | Medium | Exfiltration | AWSCloudTrail
SAML update identity provider | High | Persistence | AWSCloudTrail
SSM document is publicly exposed | Medium | Discovery | AWSCloudTrail
Successful API executed from a Tor exit node | High | Execution | AWSCloudTrail
Successful brute force attack on S3 Bucket. | High | DefenseEvasion | AWSCloudTrail
Suspicious AWS CLI Command Execution | Medium | Reconnaissance | AWSCloudTrail
Suspicious AWS EC2 Compute Resource Deployments | Medium | Impact | AWSCloudTrail
Suspicious command sent to EC2 | High | Execution | AWSCloudTrail
Suspicious overly permissive KMS key policy created | High | Impact | AWSCloudTrail
Tampering to AWS CloudTrail logs | High | DefenseEvasion | AWSCloudTrail
Unauthorized EC2 Instance Setup Attempt | Medium | ResourceDevelopment | AWSCloudTrail
User IAM Enumeration | Medium | Discovery | AWSCloudTrail
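Most of the rules above run KQL over the AWSCloudTrail table, which stores CloudTrail's nested JSON fields (AdditionalEventData, ResponseElements) as strings that the rule parses. The following is an added example, not the solution's own content: it flattens constructed CloudTrail records into that column shape and re-expresses the logic of two listed rules, "Login to AWS Management Console without MFA" and "Tampering to AWS CloudTrail logs", in Python so it can be run offline. The AWSCloudTrail column names and the list of trail-modifying APIs are assumptions to verify against a real workspace, and the records are constructed sample data.

```python
"""Added example: detection logic of two listed AWSCloudTrail rules in Python,
run over constructed CloudTrail records. Not the solution's own KQL; column names
and the tampering API list are assumptions."""
import json


def cloudtrail_record(event_name, event_source, arn, *, mfa_used=None,
                      login_result=None, error_code=None, ip="203.0.113.10"):
    """Build one raw CloudTrail record (constructed sample data, not real telemetry)."""
    record = {
        "eventTime": "2026-01-14T10:00:00Z",
        "eventSource": event_source,
        "eventName": event_name,
        "userIdentity": {"type": "IAMUser", "arn": arn},
        "sourceIPAddress": ip,
        "additionalEventData": {},
        "responseElements": {},
    }
    if mfa_used is not None:
        record["additionalEventData"]["MFAUsed"] = mfa_used
    if login_result is not None:
        record["responseElements"]["ConsoleLogin"] = login_result
    if error_code is not None:
        record["errorCode"] = error_code
    return record


ACCOUNT = "arn:aws:iam::111122223333:user/"

# Constructed sample: three console logins and three CloudTrail API calls.
SAMPLE_EVENTS = [
    cloudtrail_record("ConsoleLogin", "signin.amazonaws.com", ACCOUNT + "alice",
                      mfa_used="No", login_result="Success"),
    cloudtrail_record("ConsoleLogin", "signin.amazonaws.com", ACCOUNT + "bob",
                      mfa_used="Yes", login_result="Success"),
    cloudtrail_record("ConsoleLogin", "signin.amazonaws.com", ACCOUNT + "carol",
                      mfa_used="No", login_result="Failure"),
    cloudtrail_record("StopLogging", "cloudtrail.amazonaws.com", ACCOUNT + "alice"),
    cloudtrail_record("DeleteTrail", "cloudtrail.amazonaws.com", ACCOUNT + "dave",
                      error_code="AccessDenied"),
    cloudtrail_record("DescribeTrails", "cloudtrail.amazonaws.com", ACCOUNT + "bob"),
]


def to_aws_cloudtrail_row(event):
    """Flatten a raw record into the column shape of the AWSCloudTrail table:
    scalar fields become columns, nested objects stay as JSON strings (which is
    why the KQL rules call parse_json on them). Column names are assumed."""
    identity = event.get("userIdentity", {})
    return {
        "EventTime": event.get("eventTime"),
        "EventSource": event.get("eventSource"),
        "EventName": event.get("eventName"),
        "UserIdentityType": identity.get("type"),
        "UserIdentityArn": identity.get("arn"),
        "SourceIpAddress": event.get("sourceIPAddress"),
        "ErrorCode": event.get("errorCode", ""),
        "AdditionalEventData": json.dumps(event.get("additionalEventData", {})),
        "ResponseElements": json.dumps(event.get("responseElements", {})),
    }


def console_login_without_mfa(rows):
    """Successful ConsoleLogin events where MFAUsed is anything other than 'Yes'.
    Failed logins are excluded: the rule is about sessions that actually opened."""
    hits = []
    for row in rows:
        if row["EventName"] != "ConsoleLogin":
            continue
        extra = json.loads(row["AdditionalEventData"])
        response = json.loads(row["ResponseElements"])
        mfa_used = str(extra.get("MFAUsed", "")).lower()
        result = str(response.get("ConsoleLogin", "")).lower()
        if mfa_used != "yes" and result != "failure":
            hits.append(row)
    return hits


# APIs that silence or rewrite a trail. Illustrative list (assumed), not the rule's own.
TRAIL_TAMPERING_APIS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def cloudtrail_tampering(rows):
    """Successful calls to trail-modifying APIs. Calls that failed (ErrorCode set,
    e.g. AccessDenied) are dropped here; they remain useful hunting material."""
    return [row for row in rows
            if row["EventSource"] == "cloudtrail.amazonaws.com"
            and row["EventName"] in TRAIL_TAMPERING_APIS
            and not row["ErrorCode"]]


if __name__ == "__main__":
    rows = [to_aws_cloudtrail_row(e) for e in SAMPLE_EVENTS]
    for hit in console_login_without_mfa(rows):
        print("console login without MFA:", hit["UserIdentityArn"], hit["SourceIpAddress"])
    for hit in cloudtrail_tampering(rows):
        print("trail tampering:", hit["EventName"], "by", hit["UserIdentityArn"])
```

On the sample set only alice's login and alice's StopLogging are flagged; dave's denied DeleteTrail is deliberately left to a hunting query rather than a High-severity alert, which mirrors the split the solution makes between its analytic rules and its hunting content.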

Hunting Queries

Name | Tactics | Tables Used
--- | --- | ---
Bucket versioning suspended | Impact | AWSCloudTrail
Changes made to AWS IAM objects | PrivilegeEscalation, DefenseEvasion | AWSCloudTrail
Changes made to AWS IAM policy | PrivilegeEscalation, DefenseEvasion | AWSCloudTrail
CreateLoginProfile detected | Persistence | AWSCloudTrail
CreatePolicyVersion with excessive permissions | PrivilegeEscalation | AWSCloudTrail
ECR image scan findings low | Execution | AWSCloudTrail
ECR image scan findings medium | Execution | AWSCloudTrail
Excessive execution of discovery events | Discovery | AWSCloudTrail
Failed brute force on S3 bucket | Discovery | AWSCloudTrail
IAM AccessDenied discovery events | Discovery | AWSCloudTrail
IAM Privilege Escalation by Instance Profile attachment | PrivilegeEscalation | AWSCloudTrail
IAM assume role policy brute force | CredentialAccess | AWSCloudTrail
Lambda UpdateFunctionCode | Execution | AWSCloudTrail
Lambda function throttled | Impact | AWSCloudTrail
Lambda layer imported from external account | Persistence | AWSCloudTrail
Login profile updated | Persistence | AWSCloudTrail
Modification of route-table attributes | DefenseEvasion | AWSCloudTrail
Modification of subnet attributes | DefenseEvasion | AWSCloudTrail
Modification of vpc attributes | DefenseEvasion | AWSCloudTrail
Multiple failed login attempts to an existing user without MFA | CredentialAccess | AWSCloudTrail
Network ACL deleted | DefenseEvasion | AWSCloudTrail
New AccessKey created for Root user | Persistence | AWSCloudTrail
New access key created to user | Persistence | AWSCloudTrail
Privileged role attached to Instance | PrivilegeEscalation | AWSCloudTrail
RDS instance master password changed | PrivilegeEscalation | AWSCloudTrail
Risky role name created | Persistence | AWSCloudTrail
S3 bucket encryption modified | Impact | AWSCloudTrail
S3 bucket has been deleted | Impact | AWSCloudTrail
Suspicious EC2 launched without a key pair | Execution | AWSCloudTrail
Suspicious activity of STS Token related to Kubernetes worker node | CredentialAccess | AWSCloudTrail
Suspicious activity of STS token related to EC2 | CredentialAccess | AWSCloudTrail
Suspicious activity of STS token related to ECS | CredentialAccess | AWSCloudTrail
Suspicious activity of STS token related to Glue | CredentialAccess | AWSCloudTrail
Suspicious activity of STS token related to Lambda | CredentialAccess | AWSCloudTrail
Suspicious credential token access of valid IAM Roles | InitialAccess, DefenseEvasion | AWSCloudTrail
Unused or Unsupported Cloud Regions | DefenseEvasion | AWSCloudTrail

Workbooks

Name | Tables Used
--- | ---
AmazonWebServicesNetworkActivities | AWSCloudTrail
AmazonWebServicesUserActivities | AWSCloudTrail

Release Notes

Version | Date Modified (DD-MM-YYYY) | Change History
--- | --- | ---
3.0.8 | 13-01-2026 | Updated non-functional links from Analytic rules and Hunting query
3.0.7 | 28-07-2025 | Fix ChangeToVPC Analytic Rule to ensure it excludes changes to API Gateway
3.0.6 | 13-06-2025 | Updated Amazon Web Services S3 Data connector to include details for the default output format.
3.0.5 | 10-02-2025 | Repackaged to fix ccp grid showing only 1 record and rename of file
3.0.4 | 13-12-2024 | Updated title of Analytic Rule - AWS_LogTampering.yaml
3.0.3 | 27-05-2024 | Updated Hunting Query AWS_FailedBruteForceS3Bucket.yaml and Analytic Rules for missing TTP
3.0.2 | 05-04-2024 | Updated awsS3 Data connector, added new Data Type CloudWatch
3.0.1 | 22-12-2023 | Added new Analytic Rule (AWS Config Service Resource Deletion Attempts)
3.0.0 | 04-12-2023 | Updated Analytical Rule AWS_GuardDuty_template with entity mappings
