
AWS SNS Topic Created by Rare User

Identifies when an SNS topic is created by a user who does not typically perform this action. Adversaries may create SNS topics to stage capabilities for data exfiltration or other malicious activities. This is a New Terms rule that only flags when this behavior is observed for the first time by a user or role.

Rule type: new_terms
Rule indices:

  • filebeat-*
  • logs-aws.cloudtrail-*

Rule Severity: low
Risk Score: 21
Runs every:
Searches indices from: now-6m
Maximum alerts per execution: ?
References:

Tags:

  • Domain: Cloud
  • Data Source: AWS
  • Data Source: Amazon Web Services
  • Data Source: AWS SNS
  • Resources: Investigation Guide
  • Use Case: Threat Detection
  • Tactic: Resource Development
  • Tactic: Impact

Version: ?
Rule authors:

  • Elastic

Rule license: Elastic License v2

This rule detects the creation of an AWS Simple Notification Service (SNS) topic by a user who does not typically perform this action. Adversaries may create SNS topics to facilitate data exfiltration or other malicious activities.

This is a New Terms rule that only flags when this behavior is observed for the first time by a user or role.

Possible Investigation Steps:

  • User Identity and Role:
    • Examine aws.cloudtrail.user_identity.arn to determine who created the SNS topic.
    • Identify whether the actor assumed a privileged IAM role (aws.cloudtrail.user_identity.type: "AssumedRole") or used long-term access keys (aws.cloudtrail.user_identity.access_key_id; IAM user keys begin with AKIA, STS temporary credentials with ASIA).
  • User Agent and Tooling:
    • Check user_agent.original to determine if this action was performed via the AWS CLI, SDK, or Console.
    • If aws-cli was used, review whether it aligns with typical automation or administrative behavior.
  • Source IP and Geographic Location:
    • Review source.ip and source.geo fields to confirm if the request originated from a trusted or unexpected location.
  • Topic Name and Purpose:
    • Check aws.cloudtrail.request_parameters for the SNS topic name and determine whether it appears suspicious (e.g., random strings, unusual keywords).
  • Target Region and Account:
    • Verify cloud.region and cloud.account.id to ensure the SNS topic was created in an expected environment.
  • Associated API Calls:
    • Identify additional actions before or after this event using event.action values like:
      • Subscribe
      • Publish
      • SetTopicAttributes
    • These may indicate follow-up steps taken to misuse the SNS topic.
  • Is This an Isolated Action or a Pattern?
    • Check if this user has previously created SNS topics using historical CloudTrail logs.
    • Look for multiple topic creations in a short period, which may suggest an automation script or malicious behavior.
  • Unusual Role Usage:
    • If aws.cloudtrail.user_identity.arn references an EC2 instance role, verify whether that instance typically performs SNS operations.
  • Potential Data Exfiltration or Persistence:
    • Review whether new subscriptions were added (Subscribe API action), and check the protocol and endpoint in aws.cloudtrail.request_parameters for external destinations such as email, SMS, or HTTPS endpoints outside the organization.
    • If the topic was subscribed by a Lambda function, or configured as the destination for S3 event notifications, it may indicate an attempt to establish persistence or a covert data path.

False Positive Analysis:

  • Legitimate Usage of SNS:
    • SNS is commonly used for event-driven notifications in AWS.
    • Check whether the SNS topic creation aligns with known DevOps, automation, or monitoring activities.
  • Routine IAM Role Activity:
    • If the user typically interacts with SNS, consider allowlisting expected IAM roles for this action.
  • AWS Services Creating Topics Automatically:
    • Some AWS services may auto-create SNS topics for alerts and monitoring. Confirm whether the creation was system-generated.

Response and Remediation:

  • Confirm Authorization:
    • If the user was not expected to create SNS topics, verify whether their IAM permissions should be restricted.
  • Revoke Unauthorized Access:
    • If unauthorized, disable the access keys or IAM role associated with the event.
  • Monitor for Further SNS Modifications:
    • Set up additional monitoring for Publish, Subscribe, and SetTopicAttributes calls against the newly created topic.
  • Enhance IAM Policy Controls:
    • Consider enforcing least privilege IAM policies and enabling multi-factor authentication (MFA) where applicable.
  • Investigate for Persistence:
    • Check whether the SNS topic is being used as a notification channel for Lambda, S3, or other AWS services.

Rule Query:

event.dataset: "aws.cloudtrail"
    and event.provider: "sns.amazonaws.com"
    and event.action: "CreateTopic"
    and event.outcome: "success"
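The rule query above and the triage fields from the investigation guide, replayed over a handful of hand-written CloudTrail events. This is an added example written for this page, not Elastic's rule implementation; the events, account ID, ARNs, access key IDs, IP addresses (TEST-NET ranges), the 14-day history window, and the user-agent substrings used to classify tooling are all assumptions.

```python
"""Added example (not Elastic's rule code): replay the SNS 'rare user' New Terms
logic over constructed CloudTrail events and triage each resulting alert."""
import json
from datetime import datetime, timedelta, timezone

FOLLOW_UP_ACTIONS = {"Subscribe", "Publish", "SetTopicAttributes"}
# Placeholder account, ARNs, key IDs and TEST-NET IPs; none are real.
CI_ROLE = "arn:aws:sts::111111111111:assumed-role/DeployRole/ci"
CONTRACTOR = "arn:aws:iam::111111111111:user/contractor-7"
CI = {"aws.cloudtrail.user_identity.type": "AssumedRole",
      "aws.cloudtrail.user_identity.access_key_id": "ASIAEXAMPLE00000001",
      "user_agent.original": "aws-sdk-go/1.44.0 (go1.21; linux; amd64)",
      "source.ip": "203.0.113.10", "cloud.region": "us-east-1"}
CON = {"aws.cloudtrail.user_identity.type": "IAMUser",
       "aws.cloudtrail.user_identity.access_key_id": "AKIAEXAMPLE00000002",
       "user_agent.original": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5",
       "source.ip": "198.51.100.7", "cloud.region": "eu-west-3"}
TOPIC = "arn:aws:sns:eu-west-3:111111111111:x7q3-tmp-sync"


def ev(ts, action, arn, identity, params=None, outcome="success"):
    e = {"@timestamp": ts, "event.dataset": "aws.cloudtrail", "event.provider": "sns.amazonaws.com",
         "event.action": action, "event.outcome": outcome, "cloud.account.id": "111111111111",
         "aws.cloudtrail.user_identity.arn": arn,
         "aws.cloudtrail.request_parameters": json.dumps(params or {})}
    e.update(identity)
    return e


# Constructed ECS-flattened CloudTrail events (built by ev() above).
EVENTS = [
    # The CI role creates a topic on two days: only the first is a new term.
    ev("2024-05-01T09:00:00Z", "CreateTopic", CI_ROLE, CI, {"name": "deploy-notifications"}),
    ev("2024-05-02T09:05:00Z", "CreateTopic", CI_ROLE, CI, {"name": "deploy-alarms"}),
    # An IAM user with a long-term key creates an oddly named topic at 02:14 from an
    # unfamiliar IP, subscribes an external mailbox to it, then publishes.
    ev("2024-05-03T02:14:00Z", "CreateTopic", CONTRACTOR, CON, {"name": "x7q3-tmp-sync"}),
    ev("2024-05-03T02:16:00Z", "Subscribe", CONTRACTOR, CON,
       {"topicArn": TOPIC, "protocol": "email", "endpoint": "drop@example.net"}),
    ev("2024-05-03T02:20:00Z", "Publish", CONTRACTOR, CON, {"topicArn": TOPIC}),
    # A failed CreateTopic is excluded by the event.outcome clause of the query.
    ev("2024-05-03T02:30:00Z", "CreateTopic", CONTRACTOR, CON, {"name": "x7q3-b"}, "failure"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def matches_rule_query(e):
    # The page's rule query as a predicate over one event.
    return (e.get("event.dataset") == "aws.cloudtrail"
            and e.get("event.provider") == "sns.amazonaws.com"
            and e.get("event.action") == "CreateTopic"
            and e.get("event.outcome") == "success")


def new_terms_alerts(events, term_field="aws.cloudtrail.user_identity.arn",
                     history=timedelta(days=14)):
    """New Terms semantics: alert only when the term value did not occur in a matching
    event within the preceding history window (14 days is an assumed length)."""
    last_seen, alerts = {}, []
    for e in sorted(events, key=lambda x: x["@timestamp"]):
        if not matches_rule_query(e):
            continue
        term, ts = e.get(term_field), parse_ts(e["@timestamp"])
        if term not in last_seen or ts - last_seen[term] > history:
            alerts.append(e)
        last_seen[term] = ts
    return alerts


def classify_user_agent(ua):
    # Bucket user_agent.original by substring; the markers are assumptions.
    for marker, tool in (("aws-cli", "aws-cli"), ("console.amazonaws.com", "console"),
                         ("aws-sdk", "sdk"), ("boto3", "sdk")):
        if marker in ua.lower():
            return tool
    return "other"


def triage(alert, events, window=timedelta(minutes=30)):
    """Investigation-guide fields for one alert, plus successful SNS follow-up calls
    (Subscribe/Publish/SetTopicAttributes) by the same actor within `window`."""
    actor, ts = alert["aws.cloudtrail.user_identity.arn"], parse_ts(alert["@timestamp"])
    follow_ups = sorted({e["event.action"] for e in events
                         if e.get("aws.cloudtrail.user_identity.arn") == actor
                         and e.get("event.provider") == "sns.amazonaws.com"
                         and e.get("event.outcome") == "success"
                         and e["event.action"] in FOLLOW_UP_ACTIONS
                         and timedelta(0) <= parse_ts(e["@timestamp"]) - ts <= window})
    key_id = alert.get("aws.cloudtrail.user_identity.access_key_id", "")
    return {"actor": actor, "identity_type": alert.get("aws.cloudtrail.user_identity.type"),
            "long_term_key": key_id.startswith("AKIA"),  # AKIA = IAM user key, ASIA = STS temp
            "tool": classify_user_agent(alert.get("user_agent.original", "")),
            "source_ip": alert.get("source.ip"), "region": alert.get("cloud.region"),
            "account": alert.get("cloud.account.id"),
            "topic_name": json.loads(alert["aws.cloudtrail.request_parameters"]).get("name"),
            "follow_up_actions": follow_ups}


def run(events=EVENTS):
    return [triage(a, events) for a in new_terms_alerts(events)]


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

Running the script prints one triage row per alert. The CI role's first CreateTopic alerts and its repeat the next day does not, because the role is no longer a new term; the IAM user's creation is flagged with long_term_key set, an aws-cli user agent, an unfamiliar source IP, and the Subscribe and Publish calls that followed within the window, which is the follow-up pattern the guide's "Associated API Calls" and "Potential Data Exfiltration or Persistence" steps ask you to look for.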

Framework: MITRE ATT&CK
