# Wazuh Custom Rules — AWS CloudTrail Multi-Org # Rule IDs: 100100-100599 (local_rules.xml) # MITRE ATT&CK coverage for AWS environments # Replace ORG-ACCOUNT-ID placeholders with actual account ID ranges aws-cloudtrail PutBucketAcl ALLUSERS|authenticated-read|http://acs.amazonaws.com/groups/global/AllUsers|http://acs.amazonaws.com/groups/global/AuthenticatedUsers AWS S3 bucket ACL modified to public access — data exposure risk aws,cloudtrail,s3,data_exposure T0899 aws-cloudtrail AttachUserPolicy AdministratorAccess|arn:aws:iam::aws:policy/AdministratorAccess Administrator access policy attached to IAM user — privilege escalation aws,cloudtrail,privilege_escalation T1098 aws-cloudtrail ConsoleLogin Root Success AWS Root account used for console login — critical privilege escalation aws,cloudtrail,privileged_account T1078.004 aws-cloudtrail CreateUser . New IAM user created aws,cloudtrail,persistence T0859 aws-cloudtrail StopLogging .*CloudTrail.* CloudTrail logging stopped — possible attacker evasion aws,cloudtrail,defense_evasion T1070 aws-cloudtrail DeleteFlowLogs VPC Flow Logs deleted — possible attacker evasion aws,cloudtrail,defense_evasion T1070 aws-cloudtrail CreateAccessKey IAMUser AWS access key created for IAM user — possible credential harvesting aws,cloudtrail,credential_access T1552 aws-cloudtrail UpdateAccountPasswordPolicy AWS account password policy modified — potential security downgrade aws,cloudtrail,defense_evasion aws-cloudtrail ConsoleLogin Failure 5 10m Multiple failed AWS console login attempts from same IP — possible brute force aws,cloudtrail,authentication_failure,brute_force T1110 aws-cloudtrail ConsoleLogin Success IAMUser AWS console login by IAM user — verify against known IP list aws,cloudtrail,authentication T1078.004 aws-cloudtrail PutAccountPolicy arn:aws:iam::.*:policy/.* Account-level IAM policy modified — review for misconfiguration aws,cloudtrail,policy_change aws-cloudtrail StartSession AWS-StartPortForwardingSession SSM Session Manager port forwarding started — possible lateral movement aws,cloudtrail,lateral_movement,ssm T1021.008 aws-cloudtrail CreateRole New IAM role created — possible persistence aws,cloudtrail,persistence T0859 aws-cloudtrail UpdateFunctionConfiguration|PublishFunctionVersion lambda Lambda function configuration changed — possible code injection aws,cloudtrail,execution,lambda T1059 aws-cloudtrail CreateTrail true New multi-region CloudTrail created — verify it's legitimate aws,cloudtrail,defense_evasion aws-cloudtrail RunInstances false EC2 instance launched — verify against baseline aws,cloudtrail,execution aws-cloudtrail AuthorizeSecurityGroupIngress 0\.0\.0\.0/0|::/0 Security group rule added allowing 0.0.0.0/0 ingress — verify necessity aws,cloudtrail,exposure aws-cloudtrail CreateUser New IAM user created aws,cloudtrail,persistence T0859 aws-cloudtrail CreateTrail New CloudTrail trail created aws,cloudtrail,audit aws-cloudtrail PutBucketPolicy S3 bucket policy modified aws,cloudtrail,s3 aws-cloudtrail DeleteVirtualMFADevice MFA device deleted — possible adversary removing multi-factor auth aws,cloudtrail,defense_evasion,persistence T1556 aws-cloudtrail . . AWS API call returned error — possible reconnaissance activity aws,cloudtrail,reconnaissance aws-cloudtrail CreateTopic SNS topic created aws,cloudtrail,informational aws-cloudtrail PutMetricAlarm CloudWatch alarm created aws,cloudtrail,informational aws-cloudtrail AccessDenied 20 5m 20+ AccessDenied errors from same IP — possible credential testing aws,cloudtrail,reconnaissance,brute_force T1110 aws-cloudtrail ConsoleLogin Failure 10 15m Multiple failed console logins for same user — possible brute force aws,cloudtrail,authentication_failure,brute_force T1110 vpc-flowlogs REJECT 30 5m Port scan detected: 30+ rejected connections from same source IP in 5 minutes aws,vpc,reconnaissance,port_scan T1046