AWS DynamoDB Scan by Unusual User

Last updated 5 months ago on 2025-03-13

Created 5 months ago on 2025-03-13

About

Identifies when an AWS DynamoDB table is scanned by a user who does not typically perform this action. Adversaries may use the Scan operation to collect sensitive information or exfiltrate data from DynamoDB tables. This rule detects unusual user activity by monitoring for the Scan action in CloudTrail logs. This is a New Terms rule that only flags when this behavior is observed by the `aws.cloudtrail.user_identity.arn` for the first time in the last 14 days.

Tags

Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: AWS DynamoDBUse Case: Threat DetectionTactic: ExfiltrationLanguage: kuery

Severity

low

Risk Score

MITRE ATT&CK™

Exfiltration (TA0010)(opens in a new tab or window)

↳ Exfiltration Over Web Service (T1567)(opens in a new tab or window)

Collection (TA0009)(opens in a new tab or window)

↳ Data from Cloud Storage (T1530)(opens in a new tab or window)

False Positive Examples

Legitimate users may scan DynamoDB tables for various reasons, such as data analysis or application functionality. Ensure that the user has the necessary permissions and that the Scan operation is authorized before taking action.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: New Terms Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: filebeat-*logs-aws.cloudtrail-*
Related Integrations: aws(opens in a new tab or window)
Query

event.dataset: "aws.cloudtrail"
    and event.provider: "dynamodb.amazonaws.com"
    and event.action: "Scan"
    and event.outcome: "success"

Install detection rules in Elastic Security

Detect AWS DynamoDB Scan by Unusual User in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).