C2 communication attempt indicating infection | DNS, IP, HTTP, TLS | |
Traffic to a malicious spear phishing site | DNS, HTTP | |
Traffic to a suspicious young domain impersonating a known brand | DNS, HTTP | |
AWS API calls by a malicious caller | AWS CloudTrail | |
AWS API calls indicating setup of mass mailer script | AWS CloudTrail | |
AWS EC2 credential used from an unknown external location | AWS CloudTrail | |
AWS WorkMail mailbox exported to a bucket that was made public | AWS CloudTrail | |
AWS console login from an EC2 instance | AWS CloudTrail | |
AWS policy modified to allow any principal to assume an IAM role | AWS CloudTrail | |
AWS root access key created | AWS CloudTrail | |
Anonymizing circuit setup indicating infection or evasion attempt | IP | |
Cryptomining indicating infection or resource abuse | DNS, IP, HTTP | |
Domain resolves to 169.254.169.254 indicating an AWS rebinding attack | DNS, HTTP | |
Encrypted DNS traffic to a server that supports non-ICANN TLDs | DNS, IP, HTTP | |
Excessive number of HTTP failures to a known bad destination | HTTP | |
HTTP GET request to a known bad destination indicating infection | HTTP | |
HTTP POST to a known bad destination indicating infection | HTTP | |
Known bad dynamic DNS provider traffic | DNS, HTTP | |
Known bad tunneling provider traffic | DNS, IP, HTTP | |
Multiple requests to DGA domains indicating infection | DNS, HTTP | |
Multiple requests to long hostnames indicating DNS tunneling | DNS, HTTP | |
Multiple suspicious connections indicating TrickBot infection | DNS, IP, HTTP, TLS | |
Out-of-band application security testing traffic requiring investigation | DNS, IP, HTTP | |
Outbound TCP port scan indicating hacking tool use or infection | IP | |
Quarantine applied to possibly compromised AWS credentials | AWS CloudTrail | |
Suspicious AWS API calls with root account credentials | AWS CloudTrail | |
Suspicious IRC traffic indicating infection | DNS, IP | |
Suspicious SSH session masquerading as a different protocol | IP | |
Telegram Bot API traffic indicating possible infection | DNS, HTTP | |
Traffic from multiple sources to a domain impersonating a known brand | DNS, HTTP | |
Traffic to a known malware distribution site | DNS, IP, HTTP | |
Traffic to a known sinkhole indicating infection | DNS, IP, HTTP | |
Traffic to a suspicious domain impersonating a known brand | DNS, HTTP | |
Traffic to a web server with a suspicious open directory on an unusual port | DNS, IP, HTTP | |
Traffic to a young suspicious domain containing a brand name | DNS, HTTP | |
Traffic to malicious infrastructure capturing credentials | DNS, IP, HTTP | |
AWS API calls with root account access key | AWS CloudTrail | |
AWS DataSync task initiated to an unknown external account | AWS CloudTrail | |
AWS EBS snapshot modified to allow public access | AWS CloudTrail | |
AWS EC2 Windows Administrator encrypted password enumeration | AWS CloudTrail | |
AWS EC2 export task to an unknown S3 bucket initiated | AWS CloudTrail | |
AWS EC2 instance unexpectedly interacted with the IAM API | AWS CloudTrail | |
AWS EC2 instances unexpectedly described in multiple regions | AWS CloudTrail | |
AWS ECR public repository modified to allow global write access | AWS CloudTrail | |
AWS Elastic IP address transfer to an unknown external account | AWS CloudTrail | |
AWS GuardDuty disabled | AWS CloudTrail | |
AWS IAM policy modified to allow access to any resource via suspicious statement | AWS CloudTrail | |
AWS KMS key modified to allow public access | AWS CloudTrail | |
AWS RDS export task to an unknown S3 bucket initiated | AWS CloudTrail | |
AWS RDS snapshot modified to allow public access | AWS CloudTrail | |
AWS RDS snapshot unexpectedly created and made public | AWS CloudTrail | |
AWS Route 53 domain transfer to an unknown external account | AWS CloudTrail | |
AWS S3 bucket accidentally modified to allow public access | AWS CloudTrail | |
AWS S3 bucket modified to allow public access via suspicious statement | AWS CloudTrail | |
AWS S3 bucket replication to an unknown external account | AWS CloudTrail | |
AWS S3 object accessed without TLS | AWS CloudTrail | |
AWS S3 object accessed without authentication | AWS CloudTrail | |
AWS S3 object encrypted using an external KMS key | AWS CloudTrail | |
AWS SES identities discovery via access key | AWS CloudTrail | |
AWS SNS Topic modified to allow public access | AWS CloudTrail | |
AWS SQS Queue modified to allow public access | AWS CloudTrail | |
AWS VPC peering connection to an unknown external account established | AWS CloudTrail | |
AWS access key created by the root account | AWS CloudTrail | |
AWS access key used to delete itself unexpectedly | AWS CloudTrail | |
AWS account password policy changed in a suspicious way | AWS CloudTrail | |
AWS decoy resource accessed | AWS CloudTrail | |
AWS policy allows passing any role | AWS CloudTrail | |
AWS policy allows to perform any action via suspicious statement | AWS CloudTrail | |
AWS policy suggests denial but allows actions | AWS CloudTrail | |
AWS policy suggests narrow access but allows broad access | AWS CloudTrail | |
AWS policy suggests read-only access but allows write actions | AWS CloudTrail | |
AWS role assumed by an unknown external principal | AWS CloudTrail | |
AWS root account unexpectedly assumed via temporary credentials | AWS CloudTrail | |
AWS root password recovery request from an unknown ASN | AWS CloudTrail | |
AWS service quota unexpectedly described in multiple regions | AWS CloudTrail | |
Beaconing to a rare domain | DNS, HTTP | |
Beaconing to a suspicious domain | DNS, HTTP | |
Cluster of suspicious requests requiring investigation | DNS, IP, HTTP | |
Excessive number of HTTP failures to a suspicious destination | HTTP | |
High volume of outbound ICMP traffic indicating tunneling | IP | |
High volume of outbound traffic over FTP | IP | |
High volume of outbound traffic over SMB | IP | |
High volume of outbound traffic over SSH | IP | |
High volume of reverse DNS lookups indicating scanning activity | DNS | |
IRC traffic requiring investigation | DNS, IP | |
Multiple AWS EC2 instances launched unexpectedly | AWS CloudTrail | |
Multiple connections to suspicious IP destinations | IP | |
Multiple denied AWS assume role API calls requiring investigation | AWS CloudTrail | |
Multiple encrypted DNS requests requiring investigation | DNS, IP, HTTP | |
Multiple requests to a rare domain | DNS, HTTP | |
Multiple requests to suspicious domains | DNS, HTTP | |
Multiple unexpected AWS API calls executed in dry run mode | AWS CloudTrail | |
Outbound SSH session using an uncommon server port | IP | |
Outbound traffic indicating Denial of Service attack | IP | |
P2P activity | DNS, IP, HTTP | |
Potential ransomware note uploaded to an AWS S3 bucket | AWS CloudTrail | |
Potentially unwanted program or browser extension installed | DNS, IP, HTTP | |
Several unsuccessful AWS console login attempts from the same IP address for different users | AWS CloudTrail | |
Successful AWS console login without MFA | AWS CloudTrail | |
Suspicious AWS API call with account access key | AWS CloudTrail | |
Suspicious AWS API calls indicating AWS Bedrock model invocation | AWS CloudTrail | |
Suspicious AWS API calls indicating AWS DynamoDB backup restoration | AWS CloudTrail | |
Suspicious AWS API calls indicating Cost Explorer discovery | AWS CloudTrail | |
Suspicious AWS API calls indicating ECS cluster creation | AWS CloudTrail | |
Suspicious AWS API calls indicating IP set modification | AWS CloudTrail | |
Suspicious AWS API calls indicating Organizations discovery | AWS CloudTrail | |
Suspicious AWS API calls indicating RDS data destruction | AWS CloudTrail | |
Suspicious AWS API calls indicating Route 53 log tampering | AWS CloudTrail | |
Suspicious AWS API calls indicating S3 ACL modifications | AWS CloudTrail | |
Suspicious AWS API calls indicating S3 data staging and exfiltration | AWS CloudTrail | |
Suspicious AWS API calls indicating S3 delete operations | AWS CloudTrail | |
Suspicious AWS API calls indicating S3 reconnaissance | AWS CloudTrail | |
Suspicious AWS API calls indicating S3 write operations | AWS CloudTrail | |
Suspicious AWS API calls indicating SAML activity | AWS CloudTrail | |
Suspicious AWS API calls indicating SES discovery | AWS CloudTrail | |
Suspicious AWS API calls indicating STS discovery | AWS CloudTrail | |
Suspicious AWS API calls indicating WAF disassociation | AWS CloudTrail | |
Suspicious AWS API calls indicating change of IAM user password | AWS CloudTrail | |
Suspicious AWS API calls indicating command execution via System Manager | AWS CloudTrail | |
Suspicious AWS API calls indicating creation of AWS API Gateway key | AWS CloudTrail | |
Suspicious AWS API calls indicating creation of AWS REST API | AWS CloudTrail | |
Suspicious AWS API calls indicating data staging and exfiltration | AWS CloudTrail | |
Suspicious AWS API calls indicating deletion of AWS Elastic File System | AWS CloudTrail | |
Suspicious AWS API calls indicating deletion of AWS access key | AWS CloudTrail | |
Suspicious AWS API calls indicating discovery using AWS Tagging API | AWS CloudTrail | |
Suspicious AWS API calls indicating disruption | AWS CloudTrail | |
Suspicious AWS API calls indicating evasion | AWS CloudTrail | |
Suspicious AWS API calls indicating infrastructure modification using CloudFormation | AWS CloudTrail | |
Suspicious AWS API calls indicating modification of AWS Resource Access Manager | AWS CloudTrail | |
Suspicious AWS API calls indicating modification of config monitoring | AWS CloudTrail | |
Suspicious AWS API calls indicating new image being pushed to AWS ECR with latest tag | AWS CloudTrail | |
Suspicious AWS API calls indicating persistence | AWS CloudTrail | |
Suspicious AWS API calls indicating privilege escalation | AWS CloudTrail | |
Suspicious AWS API calls indicating reconnaissance | AWS CloudTrail | |
Suspicious AWS API calls indicating resource enumeration | AWS CloudTrail | |
Suspicious AWS API calls indicating retrieval of AWS sign-in token | AWS CloudTrail | |
Suspicious AWS API calls indicating unauthorized access | AWS CloudTrail | |
Suspicious AWS IAM user created with generic name | AWS CloudTrail | |
Suspicious AWS access key created | AWS CloudTrail | |
Suspicious AWS console login | AWS CloudTrail | |
Suspicious HTTP GET request requiring investigation | HTTP | |
Suspicious Tor DNS request | DNS | |
Suspicious dynamic DNS provider traffic | DNS, HTTP | |
Suspicious hosting provider traffic | DNS, HTTP | |
Suspicious traffic to DNS server that supports non-ICANN TLDs | IP | |
Suspicious traffic to a link-in-bio destination | DNS, HTTP | |
Suspicious traffic to user survey site indicating possible phishing | AWS CloudTrail | |
Suspicious tunneling provider traffic | DNS, IP, HTTP | |
Third-party VPN traffic | DNS, IP, HTTP | |
Third-party remote access software installed | DNS, IP, HTTP | |
Traffic from multiple sources to a unique young domain | DNS, HTTP | |
Traffic over a cleartext protocol exposing content and credentials | IP | |
Traffic to a TDS mechanism requiring investigation | DNS, HTTP | |
Traffic to a destination serving malicious JavaScript | DNS, HTTP | |
Traffic to a free webhook service indicating potential exfiltration | DNS, HTTP | |
Traffic to a likely malicious domain | DNS, HTTP | |
Traffic to a suspicious domain containing a brand name | DNS, HTTP | |
Traffic to a web server with a suspicious open directory | DNS, IP, HTTP | |
Traffic to a young domain impersonating a known brand | DNS, HTTP | |
Traffic to an unknown blocklisted destination | AWS CloudTrail | |
Traffic to an unusual and suspicious port requiring investigation | IP | |
Unexpected AWS API calls with root account credentials | AWS CloudTrail | |
Unexpected AWS EC2 Windows Administrator encrypted password enumeration | AWS CloudTrail | |
Unexpected AWS role assumed by an external principal | AWS CloudTrail | |
Unsuccessful and unexpected attempt to assume AWS root account | AWS CloudTrail | |
Unusual mail traffic indicating possible implant | IP | |
User activity from previously unseen ASN | AWS CloudTrail | |
User activity from previously unseen country | AWS CloudTrail | |
A large AWS EC2 instance launch with an unusual instance type | AWS CloudTrail | |
AWS AMI modified to allow public access | AWS CloudTrail | |
AWS API calls indicating evasion attempts on Amazon Macie | AWS CloudTrail | |
AWS API calls indicating tampering with SecurityHub findings | AWS CloudTrail | |
AWS CloudWatch alarm deleted | AWS CloudTrail | |
AWS CodeBuild project modified to allow public access | AWS CloudTrail | |
AWS DataSync task initiated unexpectedly | AWS CloudTrail | |
AWS EBS default encryption disabled | AWS CloudTrail | |
AWS EC2 export task initiated unexpectedly | AWS CloudTrail | |
AWS EC2 instance interacted with the IAM API | AWS CloudTrail | |
AWS EC2 instance launch in a new region | AWS CloudTrail | |
AWS EC2 instance launches in multiple regions | AWS CloudTrail | |
AWS EC2 instances described in multiple regions | AWS CloudTrail | |
AWS ECR image uploaded | AWS CloudTrail | |
AWS ElastiCache Redis cluster created without encryption at rest | AWS CloudTrail | |
AWS ElastiCache security group modified unexpectedly | AWS CloudTrail | |
AWS GuardDuty threat list disabled | AWS CloudTrail | |
AWS IAM entity created unexpectedly | AWS CloudTrail | |
AWS IAM login profile created unexpectedly | AWS CloudTrail | |
AWS IAM login profile unexpectedly modified by a different identity than the owner | AWS CloudTrail | |
AWS IAM policy granting full or admin access attached | AWS CloudTrail | |
AWS IAM policy modified to allow access to any resource | AWS CloudTrail | |
AWS IAM user created with generic name unexpectedly | AWS CloudTrail | |
AWS IAM user groups discovery | AWS CloudTrail | |
AWS IAM user profile created without password reset | AWS CloudTrail | |
AWS KMS customer managed key disabled or scheduled for deletion | AWS CloudTrail | |
AWS Lambda function modified to allow public invocation | AWS CloudTrail | |
AWS Lambda functions modified | AWS CloudTrail | |
AWS Lightsail instance launched unexpectedly | AWS CloudTrail | |
AWS MFA device disabled unexpectedly | AWS CloudTrail | |
AWS MFA device registered unexpectedly | AWS CloudTrail | |
AWS RDS Deletion Protection disabled unexpectedly | AWS CloudTrail | |
AWS RDS export task initiated unexpectedly | AWS CloudTrail | |
AWS RDS instance modified to allow public access | AWS CloudTrail | |
AWS RDS instance password changed unexpectedly | AWS CloudTrail | |
AWS RDS security group created unexpectedly | AWS CloudTrail | |
AWS RDS snapshot created and made public | AWS CloudTrail | |
AWS RDS snapshot created manually | AWS CloudTrail | |
AWS Roles Anywhere profile created | AWS CloudTrail | |
AWS Route 53 hosted zone associated with a VPC | AWS CloudTrail | |
AWS Route 53 public hosted zone created unexpectedly | AWS CloudTrail | |
AWS S3 bucket modified to allow public access | AWS CloudTrail | |
AWS S3 bucket versioning suspended unexpectedly | AWS CloudTrail | |
AWS SES GetAccount action invoked via AccessKey | AWS CloudTrail | |
AWS SES identity deleted | AWS CloudTrail | |
AWS SES production access granted | AWS CloudTrail | |
AWS System Manager encrypted parameter retrieved unexpectedly | AWS CloudTrail | |
AWS WorkMail mailbox exported | AWS CloudTrail | |
AWS access key created for a newly registered IAM user | AWS CloudTrail | |
AWS access key created unexpectedly | AWS CloudTrail | |
AWS access key used to delete itself | AWS CloudTrail | |
AWS account created unexpectedly | AWS CloudTrail | |
AWS account password policy changed in an unexpected way | AWS CloudTrail | |
AWS account password policy deleted | AWS CloudTrail | |
AWS identity added to an admin group | AWS CloudTrail | |
AWS network infrastructure modification opening a wide range of ports | AWS CloudTrail | |
AWS policy contains unsubstituted template values | AWS CloudTrail | |
AWS policy that allows to perform any action was added | AWS CloudTrail | |
AWS root account assumed via temporary credentials | AWS CloudTrail | |
AWS service quota described in multiple regions | AWS CloudTrail | |
An AWS account removed itself from the organization | AWS CloudTrail | |
Connection to an AWS EC2 instance using EC2 Instance Connect by a suspicious user | AWS CloudTrail | |
Connection to multiple AWS EC2 instances using EC2 Instance Connect | AWS CloudTrail | |
DNS misconfiguration leading to potential compromise | DNS | |
Encrypted DNS traffic indicating potential infection or evasion | DNS, IP, HTTP | |
Excessive number of DNS failures requiring investigation | DNS | |
Excessive number of HTTP failures to an uncommon destination | HTTP | |
IAM default policy set to an unexpected version | AWS CloudTrail | |
IAM role attached to an AWS RDS instance unexpectedly | AWS CloudTrail | |
Malicious pop-up traffic | DNS, HTTP | |
Many AWS Route 53 domains registered | AWS CloudTrail | |
Modification of multiple AWS EC2 instance startup scripts | AWS CloudTrail | |
Multiple AWS API calls executed in dry run mode | AWS CloudTrail | |
Multiple AWS EC2 instances launched | AWS CloudTrail | |
Multiple AWS EC2 instances terminated unexpectedly | AWS CloudTrail | |
Multiple AWS root password recovery requests | AWS CloudTrail | |
Multiple denied AWS API calls requiring investigation | AWS CloudTrail | |
Multiple denied AWS S3 API calls requiring investigation | AWS CloudTrail | |
Multiple requests to unreachable domains | DNS, HTTP | |
Outbound RDP traffic indicating brute force activity | IP | |
Outbound SSH traffic indicating brute force activity | IP | |
Outbound WinRM traffic indicating brute force activity | IP | |
Registered domain impersonating a known brand | DNS | |
Several unsuccessful AWS console login attempts for a user | AWS CloudTrail | |
Several unsuccessful AWS console login attempts from the same IP address | AWS CloudTrail | |
Successful AWS console login from a new country | AWS CloudTrail | |
Suspicious HTTP POST request requiring investigation | HTTP | |
Traffic to a suspicious IP destination | IP | |
Traffic to a suspicious domain | DNS, HTTP | |
Traffic to a valid domain impersonating a known brand | DNS, HTTP | |
Traffic to a web server with an open directory on an unusual port | DNS, IP, HTTP | |
Traffic to an IP lookup service | DNS, IP, HTTP | |
Traffic to an unusual DNS resolver | IP | |
Traffic to an unusual port requiring investigation | IP | |
Unexpected AWS API call with account access key | AWS CloudTrail | |
Unexpected AWS API calls by a likely malicious caller | AWS CloudTrail | |
Unexpected AWS API calls indicating AWS Bedrock model invocation | AWS CloudTrail | |
Unexpected AWS API calls indicating AWS DynamoDB backup restoration | AWS CloudTrail | |
Unexpected AWS API calls indicating Cost Explorer discovery | AWS CloudTrail | |
Unexpected AWS API calls indicating ECS cluster creation | AWS CloudTrail | |
Unexpected AWS API calls indicating IP set modification | AWS CloudTrail | |
Unexpected AWS API calls indicating Organizations discovery | AWS CloudTrail | |
Unexpected AWS API calls indicating RDS data destruction | AWS CloudTrail | |
Unexpected AWS API calls indicating Route 53 log tampering | AWS CloudTrail | |
Unexpected AWS API calls indicating S3 ACL modifications | AWS CloudTrail | |
Unexpected AWS API calls indicating S3 data staging and exfiltration | AWS CloudTrail | |
Unexpected AWS API calls indicating S3 delete operations | AWS CloudTrail | |
Unexpected AWS API calls indicating S3 reconnaissance | AWS CloudTrail | |
Unexpected AWS API calls indicating S3 write operations | AWS CloudTrail | |
Unexpected AWS API calls indicating SAML activity | AWS CloudTrail | |
Unexpected AWS API calls indicating SES discovery | AWS CloudTrail | |
Unexpected AWS API calls indicating STS discovery | AWS CloudTrail | |
Unexpected AWS API calls indicating WAF disassociation | AWS CloudTrail | |
Unexpected AWS API calls indicating change of IAM user password | AWS CloudTrail | |
Unexpected AWS API calls indicating command execution via System Manager | AWS CloudTrail | |
Unexpected AWS API calls indicating creation of AWS API Gateway key | AWS CloudTrail | |
Unexpected AWS API calls indicating creation of AWS REST API | AWS CloudTrail | |
Unexpected AWS API calls indicating data staging and exfiltration | AWS CloudTrail | |
Unexpected AWS API calls indicating deletion of AWS Elastic File System | AWS CloudTrail | |
Unexpected AWS API calls indicating deletion of AWS access key | AWS CloudTrail | |
Unexpected AWS API calls indicating discovery using AWS Tagging API | AWS CloudTrail | |
Unexpected AWS API calls indicating disruption | AWS CloudTrail | |
Unexpected AWS API calls indicating evasion | AWS CloudTrail | |
Unexpected AWS API calls indicating infrastructure modification using CloudFormation | AWS CloudTrail | |
Unexpected AWS API calls indicating modification of AWS Resource Access Manager | AWS CloudTrail | |
Unexpected AWS API calls indicating modification of config monitoring | AWS CloudTrail | |
Unexpected AWS API calls indicating new image being pushed to AWS ECR with latest tag | AWS CloudTrail | |
Unexpected AWS API calls indicating persistence | AWS CloudTrail | |
Unexpected AWS API calls indicating privilege escalation | AWS CloudTrail | |
Unexpected AWS API calls indicating reconnaissance | AWS CloudTrail | |
Unexpected AWS API calls indicating resource enumeration | AWS CloudTrail | |
Unexpected AWS API calls indicating retrieval of AWS sign-in token | AWS CloudTrail | |
Unexpected AWS API calls indicating unauthorized access | AWS CloudTrail | |
Unexpected AWS EC2 Windows Administrator encrypted password fetch attempt | AWS CloudTrail | |
Unexpected AWS EC2 instance launch | AWS CloudTrail | |
Unexpected AWS IAM group deletion | AWS CloudTrail | |
Unexpected AWS console login | AWS CloudTrail | |
Unexpected AWS role assumed by a principal | AWS CloudTrail | |
Unknown dynamic DNS provider traffic | DNS, HTTP | |
Unknown tunneling provider traffic | DNS, IP, HTTP | |
Unsuccessful AWS IAM password change attempt | AWS CloudTrail | |
Unsuccessful attempt to assume AWS root account | AWS CloudTrail | |
Unusual AWS API calls with root account credentials | AWS CloudTrail | |
Unusual excessive traffic requiring investigation | IP | |
User activity from unexpected ASN | AWS CloudTrail | |
User activity from unexpected country | AWS CloudTrail | |
AWS AMI Block Public Access disabled for an account | AWS CloudTrail | |
AWS API calls by a likely malicious caller | AWS CloudTrail | |
AWS API calls indicating AWS Bedrock model invocation | AWS CloudTrail | |
AWS API calls indicating Cost Explorer discovery | AWS CloudTrail | |
AWS API calls indicating ECS cluster creation | AWS CloudTrail | |
AWS API calls indicating IP set modification | AWS CloudTrail | |
AWS API calls indicating Organizations discovery | AWS CloudTrail | |
AWS API calls indicating RDS data destruction | AWS CloudTrail | |
AWS API calls indicating Route 53 log tampering | AWS CloudTrail | |
AWS API calls indicating S3 ACL modifications | AWS CloudTrail | |
AWS API calls indicating S3 data staging and exfiltration | AWS CloudTrail | |
AWS API calls indicating S3 delete operations | AWS CloudTrail | |
AWS API calls indicating S3 reconnaissance | AWS CloudTrail | |
AWS API calls indicating S3 write operations | AWS CloudTrail | |
AWS API calls indicating SAML activity | AWS CloudTrail | |
AWS API calls indicating SES discovery | AWS CloudTrail | |
AWS API calls indicating STS discovery | AWS CloudTrail | |
AWS API calls indicating WAF disassociation | AWS CloudTrail | |
AWS API calls indicating change of IAM user password | AWS CloudTrail | |
AWS API calls indicating command execution via System Manager | AWS CloudTrail | |
AWS API calls indicating creation of AWS API Gateway key | AWS CloudTrail | |
AWS API calls indicating creation of AWS REST API | AWS CloudTrail | |
AWS API calls indicating data staging and exfiltration | AWS CloudTrail | |
AWS API calls indicating deletion of AWS Elastic File System | AWS CloudTrail | |
AWS API calls indicating deletion of AWS access key | AWS CloudTrail | |
AWS API calls indicating discovery using AWS Tagging API | AWS CloudTrail | |
AWS API calls indicating disruption | AWS CloudTrail | |
AWS API calls indicating evasion | AWS CloudTrail | |
AWS API calls indicating infrastructure modification using CloudFormation | AWS CloudTrail | |
AWS API calls indicating modification of AWS Resource Access Manager | AWS CloudTrail | |
AWS API calls indicating modification of config monitoring | AWS CloudTrail | |
AWS API calls indicating new image being pushed to AWS ECR with latest tag | AWS CloudTrail | |
AWS API calls indicating persistence | AWS CloudTrail | |
AWS API calls indicating privilege escalation | AWS CloudTrail | |
AWS API calls indicating reconnaissance | AWS CloudTrail | |
AWS API calls indicating resource enumeration | AWS CloudTrail | |
AWS API calls indicating retrieval of AWS sign-in token | AWS CloudTrail | |
AWS API calls indicating unauthorized access | AWS CloudTrail | |
AWS API calls with root account credentials | AWS CloudTrail | |
AWS DataSync task initiated | AWS CloudTrail | |
AWS DynamoDB table restored from backup | AWS CloudTrail | |
AWS EBS snapshot Block Public Access disabled for an account | AWS CloudTrail | |
AWS EC2 Windows Administrator encrypted password fetch attempt | AWS CloudTrail | |
AWS ElastiCache security group modified | AWS CloudTrail | |
AWS GuardDuty threat list modified | AWS CloudTrail | |
AWS IAM default policy version set | AWS CloudTrail | |
AWS IAM group deleted | AWS CloudTrail | |
AWS IAM login profile created | AWS CloudTrail | |
AWS IAM login profile modified by a different identity than the owner | AWS CloudTrail | |
AWS IAM permission boundary deleted | AWS CloudTrail | |
AWS IAM policy modified | AWS CloudTrail | |
AWS IAM user created with generic name | AWS CloudTrail | |
AWS MFA device disabled | AWS CloudTrail | |
AWS MFA device registered | AWS CloudTrail | |
AWS RDS Deletion Protection disabled | AWS CloudTrail | |
AWS RDS instance password changed | AWS CloudTrail | |
AWS RDS security group created | AWS CloudTrail | |
AWS Roles Anywhere trust anchor created with an external CA | AWS CloudTrail | |
AWS Route 53 domain registered | AWS CloudTrail | |
AWS Route 53 domain transfer lock disabled for an account | AWS CloudTrail | |
AWS Route 53 domain transfer to an external account | AWS CloudTrail | |
AWS Route 53 public hosted zone created | AWS CloudTrail | |
AWS S3 Block Public Access disabled for a bucket | AWS CloudTrail | |
AWS S3 Block Public Access disabled for an account | AWS CloudTrail | |
AWS S3 bucket versioning suspended | AWS CloudTrail | |
AWS S3 server access logging disabled | AWS CloudTrail | |
AWS SES service modified | AWS CloudTrail | |
AWS SSO access token created | AWS CloudTrail | |
AWS System Manager encrypted parameter retrieved | AWS CloudTrail | |
AWS access key created | AWS CloudTrail | |
AWS account closed | AWS CloudTrail | |
AWS account created | AWS CloudTrail | |
AWS account password policy changed | AWS CloudTrail | |
AWS role assumed by an external principal with an unexpected user agent | AWS CloudTrail | |
AWS root password recovery request | AWS CloudTrail | |
AWS security group modification allowing access from any IP address | AWS CloudTrail | |
Adversary simulation traffic to a benign destination | DNS, IP, HTTP | |
Connection to an AWS EC2 instance using EC2 Instance Connect | AWS CloudTrail | |
Encrypted DNS traffic to a common destination | DNS, IP, HTTP | |
Enumeration of AWS EC2 instance startup scripts | AWS CloudTrail | |
IAM role attached to an AWS RDS instance | AWS CloudTrail | |
Long AWS console session | AWS CloudTrail | |
Modification of an AWS EC2 instance startup script | AWS CloudTrail | |
Outbound traffic over SMB requiring investigation | IP | |
Quarantine self applied to AWS credentials | AWS CloudTrail | |
Successful AWS console login | AWS CloudTrail | |
Successful AWS console logins from different locations in a short period | AWS CloudTrail | |
Traffic to a destination TLD commonly associated with malware | DNS, HTTP | |
Traffic to a destination with a known HTTP open directory | DNS, IP, HTTP | |
Traffic to a link-in-bio destination | DNS, HTTP | |
Traffic to a user survey site | AWS CloudTrail | |
Traffic to an unknown young domain | DNS, HTTP | |
Unsuccessful AWS console login attempt | AWS CloudTrail | |