AWS SNS Email Subscription by Rare User

Last updated 14 days ago on 2024-11-07

Created 20 days ago on 2024-11-01

About

Identifies when an SNS topic is subscribed to by an email address of a user who does not typically perform this action. Adversaries may subscribe to an SNS topic to collect sensitive information or exfiltrate data via an external email address.

Tags

Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: AWS SNSUse Case: Threat DetectionTactic: Exfiltration

Severity

low

Risk Score

MITRE ATT&CK™

Exfiltration (TA0010)(opens in a new tab or window)

↳ Exfiltration Over Web Service (T1567)(opens in a new tab or window)

False Positive Examples

Legitimate users may subscribe to SNS topics for legitimate purposes. Ensure that the subscription is authorized and the subscription email address is known before taking action.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: New Terms Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: filebeat-*logs-aws.cloudtrail-*
Related Integrations: aws(opens in a new tab or window)
Query

event.dataset: "aws.cloudtrail"
    and event.provider: "sns.amazonaws.com"
    and event.action: "Subscribe"
    and aws.cloudtrail.request_parameters: *protocol=email*

Install detection rules in Elastic Security

Detect AWS SNS Email Subscription by Rare User in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).