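from logs-aws.cloudtrail-*
// Successful S3 PutObject calls recorded by CloudTrail.
| where
    event.dataset == "aws.cloudtrail"
    and event.provider == "s3.amazonaws.com"
    and event.action == "PutObject"
    and event.outcome == "success"
// Pull the object key out of the request-parameters string: skip everything
// before "key=" and stop at the literal closing brace that ends the string.
// Rows without a "key=" token get a null key and drop out at the next where.
| dissect aws.cloudtrail.request_parameters "%{?ignore_values}key=%{Esql.aws_cloudtrail_request_parameters_object_key}}"
// RLIKE is case-sensitive, so match on a lower-cased copy of the key;
// otherwise note names such as "README.txt" or "HOW_TO_DECRYPT.txt" would
// never hit the lowercase alternatives below. The original key is kept for
// the aggregation so alert output still shows the name as uploaded.
| eval Esql.aws_cloudtrail_request_parameters_object_key_lower = to_lower(Esql.aws_cloudtrail_request_parameters_object_key)
// RLIKE must match the whole string, hence the leading/trailing ".*".
// Tokens common in ransom-note file names; the exclusion drops keys under
// AWS's own log prefixes (CloudTrail, S3 access logs). Short tokens such as
// "enc" and "lock" are broad and may need per-environment tuning.
| where
    Esql.aws_cloudtrail_request_parameters_object_key_lower rlike "(.*)(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue)(.*)"
    and not Esql.aws_cloudtrail_request_parameters_object_key_lower rlike "(.*)(awslogs|cloudtrail|access-logs)(.*)"
// Only the fields the aggregation needs; this also discards the lower-cased copy.
| keep
    tls.client.server_name,
    aws.cloudtrail.user_identity.arn,
    Esql.aws_cloudtrail_request_parameters_object_key
// One row per (bucket host name, actor ARN, object key) with its upload count.
| stats
    Esql.event_count = count(*)
    by
    tls.client.server_name,
    aws.cloudtrail.user_identity.arn,
    Esql.aws_cloudtrail_request_parameters_object_key
// Keep keys uploaded exactly once by a given actor to a given bucket; the
// rule's heuristic is that repeated writes of the same key look like routine
// application activity rather than a dropped note or a test detonation.
| where Esql.event_count == 1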
Install detection rules in Elastic Security
Detect Potential AWS S3 Bucket Ransomware Note Uploaded in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To set up this rule, see the installation guide for Prebuilt Security Detection Rules.