Vendor: Amazon

November 29, 2023 · View on GitHub

Product: AWS CloudWatch

Rules	Models	MITRE ATT&CK® TTPs	Activity Types	Parsers
58	24	14	2	2

Use-Case	Activity Types/Parsers	MITRE ATT&CK® TTP	Content
Abnormal Authentication & Access	authentication-failed ↳amazon-awscloudwatch-sk4-app-activity-aws	T1133 - External Remote Services	3 Rules 3 Models
Compromised Credentials	netflow-connection ↳amazon-awscloudwatch-sk4-network-traffic-success-awsflowlogs ↳amazon-awscloudwatch-sk4-network-traffic-success-awss3bucket	T1046 - Network Service Scanning	1 Rules 1 Models
Data Exfiltration	netflow-connection ↳amazon-awscloudwatch-sk4-network-traffic-success-awsflowlogs ↳amazon-awscloudwatch-sk4-network-traffic-success-awss3bucket	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1071.002 - Application Layer Protocol: File Transfer Protocols	1 Rules
Lateral Movement	authentication-failed ↳amazon-awscloudwatch-sk4-app-activity-aws netflow-connection ↳amazon-awscloudwatch-sk4-network-traffic-success-awsflowlogs ↳amazon-awscloudwatch-sk4-network-traffic-success-awss3bucket	T1018 - Remote System Discovery T1021 - Remote Services T1021.001 - Remote Services: Remote Desktop Protocol T1046 - Network Service Scanning T1071 - Application Layer Protocol T1078 - Valid Accounts T1090.003 - Proxy: Multi-hop Proxy T1190 - Exploit Public Fasing Application T1210 - Exploitation of Remote Services TA0008 - TA0008 TA0010 - TA0010 TA0011 - TA0011	52 Rules 21 Models
Malware	netflow-connection ↳amazon-awscloudwatch-sk4-network-traffic-success-awsflowlogs ↳amazon-awscloudwatch-sk4-network-traffic-success-awss3bucket	TA0011 - TA0011	3 Rules
Ransomware	authentication-failed ↳amazon-awscloudwatch-sk4-app-activity-aws	T1078 - Valid Accounts	1 Rules

MITRE ATT&CK® Framework for Enterprise

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
External Remote Services Valid Accounts Exploit Public Fasing Application		External Remote Services Valid Accounts	Valid Accounts	Valid Accounts		Network Service Scanning Remote System Discovery	Exploitation of Remote Services Remote Services Remote Services: Remote Desktop Protocol		Application Layer Protocol: File Transfer Protocols Proxy: Multi-hop Proxy Application Layer Protocol Proxy	Exfiltration Over Alternative Protocol Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol