Unexpected User Activity
Overview
This detector flags API calls to the AWS control plane made by unexpected principals. In an immutable-infrastructure setup, write calls should come only from CI/CD pipeline identities, or at most from a small, explicitly allowed set of users; a write from anyone else is worth reviewing.
CloudTrail events whose 'readOnly' field is 'false' (that is, mutating API calls) will trigger this detector. Read-only calls such as Describe*, Get* and List* are ignored.
Users that should not trigger this detector can be listed as exemptions, for example CI/CD pipeline users. IAM users are matched on userIdentity.userName, and role sessions on userIdentity.sessionContext.sessionIssuer.userName (the name of the assumed role, not the session name), so each exemption list applies only to its own identity type; other identity types (for example Root or AWSService) cannot be exempted.
Vendor
AWS
Input
{
  "exemptUsers": {
    "label": "Exempt Users",
    "helpText": "A list of userIdentity.userName strings (IAM users) that will be exempted from triggering this detector. See the IAMUser userIdentity example at https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html.",
    "type": "string[]",
    "value": []
  },
  "exemptRoleUsers": {
    "label": "Exempt Role Users",
    "helpText": "A list of userIdentity.sessionContext.sessionIssuer.userName strings (names of assumed roles) that will be exempted from triggering this detector. See the AssumedRole userIdentity example at https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html.",
    "type": "string[]",
    "value": []
  }
}
Severity
4
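The following is an added reference implementation of the logic described in the Overview and Input sections above; it is example code, not the detector's own source. It evaluates CloudTrail records (as parsed JSON dicts) against the two exemption lists and returns the events that would trigger. The sample records and the config values are constructed for illustration; the handling of records that carry no 'readOnly' field at all (ignored, since the page only defines behaviour for an explicit false) is an assumption.

```python
"""Reference logic for the Unexpected User Activity detector (added example)."""
from __future__ import annotations

from typing import Any


def identity_name(record: dict[str, Any]) -> tuple[str, str | None]:
    """Return (userIdentity.type, the name used for exemption matching).

    IAMUser     -> userIdentity.userName
    AssumedRole -> userIdentity.sessionContext.sessionIssuer.userName (the role name)
    other types -> None, so they can never be exempted
    """
    ident = record.get("userIdentity", {})
    itype = ident.get("type", "")
    if itype == "IAMUser":
        return itype, ident.get("userName")
    if itype == "AssumedRole":
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        return itype, issuer.get("userName")
    return itype, None


def is_unexpected_write(record: dict[str, Any],
                        exempt_users: set[str],
                        exempt_role_users: set[str]) -> bool:
    """True when the record should trigger the detector."""
    # Only write events (readOnly == false) are in scope. Assumption: records
    # with no readOnly field are treated as out of scope rather than as writes.
    if record.get("readOnly") is not False:
        return False
    itype, name = identity_name(record)
    # Each exemption list applies only to its own identity type, so an IAM user
    # whose name happens to equal an exempt role name is still reported.
    if itype == "IAMUser" and name in exempt_users:
        return False
    if itype == "AssumedRole" and name in exempt_role_users:
        return False
    return True


def run_detector(records: list[dict[str, Any]],
                 config: dict[str, Any]) -> list[tuple[str, str, str | None, str]]:
    """Apply the detector to a batch of records.

    Returns (eventID, identity type, matched name, eventName) for each trigger.
    """
    exempt_users = set(config["exemptUsers"]["value"])
    exempt_roles = set(config["exemptRoleUsers"]["value"])
    hits = []
    for rec in records:
        if is_unexpected_write(rec, exempt_users, exempt_roles):
            itype, name = identity_name(rec)
            hits.append((rec.get("eventID"), itype, name, rec.get("eventName")))
    return hits


# Constructed sample records (not real CloudTrail data), trimmed to the fields used.
SAMPLE_RECORDS = [
    # CI/CD pipeline user doing a write: exempt via exemptUsers.
    {"eventID": "e1", "eventName": "UpdateFunctionCode", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "userName": "ci-deployer"}},
    # Human IAM user doing a write: triggers.
    {"eventID": "e2", "eventName": "AuthorizeSecurityGroupIngress", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    # Same user, read-only call: out of scope.
    {"eventID": "e3", "eventName": "DescribeInstances", "readOnly": True,
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    # Deploy role session: exempt via exemptRoleUsers (role name, not session name).
    {"eventID": "e4", "eventName": "PutBucketPolicy", "readOnly": False,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/build-42",
                      "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "DeployRole"}}}},
    # Non-exempt role: triggers.
    {"eventID": "e5", "eventName": "CreateUser", "readOnly": False,
     "userIdentity": {"type": "AssumedRole",
                      "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "AdminRole"}}}},
    # IAM user named like the exempt role: still triggers, lists are type-specific.
    {"eventID": "e6", "eventName": "CreateUser", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "userName": "DeployRole"}},
    # Root write: cannot be exempted, always triggers.
    {"eventID": "e7", "eventName": "CreateAccessKey", "readOnly": False,
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
]

# Constructed config in the shape of the Input section above.
SAMPLE_CONFIG = {
    "exemptUsers": {"value": ["ci-deployer"]},
    "exemptRoleUsers": {"value": ["DeployRole"]},
}

if __name__ == "__main__":
    for hit in run_detector(SAMPLE_RECORDS, SAMPLE_CONFIG):
        print(hit)
```

Running the block reports e2, e5, e6 and e7. Note that exemptRoleUsers matches the issuing role name, so every session of an exempt role is exempt regardless of who assumed it; keep that list to roles whose trust policy is itself tightly scoped.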