This page lists Sigma rule outputs from CloudSigma, rendered into Splunk queries against the AWS CloudTrail schema. Every rule is mapped to a MITRE ATT&CK technique and validated against the Splunk query dialect it is rendered into.
| Technique | Rule | Severity | Log source |
|---|---|---|---|
| T1040 | Network Sniffing on AWS CloudTrail | medium | AWS CloudTrail |
| T1059 | Command and Scripting Interpreter on AWS CloudTrail | medium | AWS CloudTrail |
| T1078 | Valid Accounts on AWS CloudTrail | medium | AWS CloudTrail |
| T1078.004 | Valid Accounts: Cloud Accounts on AWS CloudTrail | medium | AWS CloudTrail |
| T1087 | Account Discovery on AWS CloudTrail | medium | AWS CloudTrail |
| T1087.004 | Account Discovery: Cloud Account on AWS CloudTrail | medium | AWS CloudTrail |
| T1098 | Account Manipulation on AWS CloudTrail | medium | AWS CloudTrail |
| T1098.001 | Account Manipulation: Additional Cloud Credentials on AWS CloudTrail | medium | AWS CloudTrail |
| T1110 | Brute Force on AWS CloudTrail | medium | AWS CloudTrail |
| T1190 | Exploit Public-Facing Application on AWS CloudTrail | medium | AWS CloudTrail |
| T1213 | Data from Information Repositories on AWS CloudTrail | medium | AWS CloudTrail |
| T1485 | Data Destruction on AWS CloudTrail | medium | AWS CloudTrail |
| T1486 | Data Encrypted for Impact on AWS CloudTrail | medium | AWS CloudTrail |
| T1491 | Defacement on AWS CloudTrail | medium | AWS CloudTrail |
| T1496 | Resource Hijacking on AWS CloudTrail | medium | AWS CloudTrail |
| T1498 | Network Denial of Service on AWS CloudTrail | medium | AWS CloudTrail |
| T1525 | Implant Internal Image on AWS CloudTrail | medium | AWS CloudTrail |
| T1526 | Cloud Service Discovery on AWS CloudTrail | medium | AWS CloudTrail |
| T1528 | Steal Application Access Token on AWS CloudTrail | medium | AWS CloudTrail |
| T1530 | Data from Cloud Storage Object on AWS CloudTrail | medium | AWS CloudTrail |
| T1548 | Abuse Elevation Control Mechanism on AWS CloudTrail | medium | AWS CloudTrail |
| T1552.001 | Unsecured Credentials: Credentials In Files on AWS CloudTrail | medium | AWS CloudTrail |
| T1556 | Modify Authentication Process on AWS CloudTrail | medium | AWS CloudTrail |
| T1580 | Cloud Infrastructure Discovery on AWS CloudTrail | medium | AWS CloudTrail |
| T1685 | Disable or Modify Tools on AWS CloudTrail | medium | AWS CloudTrail |
| T1686.001 | Disable or Modify System Firewall: Cloud Firewall on AWS CloudTrail | medium | AWS CloudTrail |
We are not embedding an example rule on this page yet. The rule corpus for this source is still being reviewed against a13e's public embed bar. CloudSigma can generate Sigma rules from CVE advisories, vulnerability disclosures and security research; generate a Splunk-targeted rule there, review it against your local telemetry, then deploy it in your SIEM.