- Project Scope
- Directory Structure
- Detection Coverage
- Documentation
- Usage
- Quick Example
- False Positives
- Contributing
This repository contains a collection of 30 threat detection rules for AWS environments, written in SQL (Athena/Snowflake) and JSON (SIGMA-compatible).
The rules focus on identifying high-risk actions in AWS CloudTrail, such as unauthorized IAM deviations, defense evasion techniques, and resource exposure.
- Data Source: AWS CloudTrail Management Events.
- Formats:
detections/json: Structured logic for SIEM ingestion or custom parsers.detections/sql: Standard SQL queries for Amazon Athena.
- Philosophy: Detect behavior, not just configuration.
├── detections/ # The core logic
│ ├── json/ # SIGMA-compatible JSON definitions
│ └── sql/ # Athena-ready SQL queries
├── docs/ # Runbooks and guides
├── examples/ # Sample CloudTrail events for testing
├── athena_setup.sql # Table definition
The rules cover the following tactic categories:
- IAM & Privilege Escalation (e.g.,
Admin Policy Attach,Unusual Role Assumption) - Defense Evasion (e.g.,
Stop CloudTrail,Disable GuardDuty) - Persistence (e.g.,
Create Access Key,EC2 UserData Modification) - Exfiltration (e.g.,
EBS Snapshot Shared,S3 Public Access) - Discovery (e.g.,
Root Account Usage,Unauthorized API Spikes)
See docs/rule_overview.md for a summary of checks.
- Rule Catalog & Runbook: Detailed investigation guides for every rule.
- Detection Philosophy: Our "high-fidelity" approach to security.
- Simulation Cheat Sheet: AWS CLI commands to safely trigger these rules.
- Troubleshooting: Solutions for Athena errors and missing alerts.
- False Positive Guidance: How to tune rules for your environment.
You can run the .sql files directly against your CloudTrail table in Athena.
See athena_setup.sql for table creation.
The .json files provide a platform-agnostic definition of the logic.
tags: Includes MITRE ATT&CK mapping (e.g.,mitre_t1562).query: Boolean logic mapping to CloudTrail fields.
Detecting Root Account Usage (which should be rare):
SELECT
eventTime,
eventName,
sourceIPAddress,
userAgent,
userIdentity.arn
FROM
cloudtrail_logs
WHERE
userIdentity.type = 'Root'
AND userIdentity.invokedBy IS NULL
AND eventTime > current_timestamp - interval '1' hour;These rules are designed to alert on significant security events, but they require tuning.
A delete_trail event is a critical alert in a stable production account, but it is expected behavior in a developer sandbox.
See docs/false_positive_guidance.md for tuning advice.
We welcome contributions! Please see CONTRIBUTING.md for rule standards and PR guidelines.
This is an open-source project and is not affiliated with Amazon Web Services (AWS). These rules are provided "as is" without warranty. Users should test and validate rules in non-production environments before deploying them.
MIT License. See LICENSE for details.