AWS DynamoDB Scan by Unusual User

  1[metadata]
  2creation_date = "2025/03/13"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2025/03/13"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies when an AWS DynamoDB table is scanned by a user who does not typically perform this action. Adversaries may
 11use the Scan operation to collect sensitive information or exfiltrate data from DynamoDB tables. This rule detects
 12unusual user activity by monitoring for the Scan action in CloudTrail logs. This is a New Terms rule that only flags
 13when this behavior is observed by the `aws.cloudtrail.user_identity.arn` for the first time in the last 14 days.
 14"""
 15false_positives = [
 16    """
 17    Legitimate users may scan DynamoDB tables for various reasons, such as data analysis or application functionality.
 18    Ensure that the user has the necessary permissions and that the Scan operation is authorized before taking action.
 19    """,
 20]
 21from = "now-9m"
 22index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 23language = "kuery"
 24license = "Elastic License v2"
 25name = "AWS DynamoDB Scan by Unusual User"
 26note = """## Triage and analysis
 27
 28### Investigating AWS DynamoDB Scan by Unusual User
 29
 30This rule identifies when an AWS DynamoDB table is scanned by a user who does not typically perform this action. Adversaries may use the Scan operation to collect sensitive information or exfiltrate data from DynamoDB tables. This rule detects unusual user activity by monitoring for the Scan action in CloudTrail logs.
 31
 32This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that only flags when this behavior is observed for the first time on a host in the last 14 days.
 33
 34#### Possible Investigation Steps
 35
 36- Identify the Actor: Review the `aws.cloudtrail.user_identity.arn` field to identify the user who requested the subscription. Verify if this actor typically performs such actions and has the necessary permissions. It may be unusual for this activity to originate from certain user types, such as an assumed role or federated user.
 37- Review the Source IP: Check the `source.address` field to determine the source of the request. If the request comes from an unexpected location or IP address, it may indicate a compromised account or unauthorized access.
 38- Analyze the Request Parameters: Examine the `aws.cloudtrail.request_parameters` field to understand the details of the Scan request. Look for any unusual parameters or patterns that may indicate malicious intent. This also details the DynamoDB table being scanned.
 39- Review Access Key: Check the `aws.cloudtrail.user_identity.access_key_id` field to identify the access key used for the request. Determine if this key is associated with a legitimate user or if it has been compromised.
 40
 41
 42### False Positive Analysis
 43
 44- Historical User Actions: If the user has a history of scanning DynamoDB tables for legitimate purposes, this may not be a false positive. Review the user's activity logs to determine if this behavior is consistent with their normal actions.
 45- Automated Processes: Some automated processes or applications may perform scans on DynamoDB tables as part of their functionality. If the user is associated with such a process, this may not be a false positive.
 46
 47### Response and Remediation
 48
 49- Immediate Review and Reversal: If the Scan action is determined to be unauthorized, immediately revoke the user's access to the DynamoDB table and any associated resources. This may involve disabling the user's account or removing their permissions.
 50- Investigate Compromise: If the Scan action is determined to be malicious, investigate the source of the request and any potential compromise of the user's account. This may involve reviewing access logs, resetting passwords, and enabling multi-factor authentication (MFA) for the affected user. If export options were used with the CLI or SDK, they may have been saved locally or to a remote location.
 51- Review IAM Policies: Review the IAM policies associated with the user to ensure that they have the appropriate permissions for their role. If necessary, update the policies to restrict access to sensitive resources.
 52- Monitor for Future Activity: Continue to monitor the user's activity for any further suspicious behavior. Set up additional alerts or logging to detect any future unauthorized access attempts.
 53
 54### Additional Information
 55
 56For further guidance on managing and securing SNS topics in AWS environments, refer to the [AWS SNS documentation](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/security.html) and AWS best practices for security.
 57"""
 58references = ["https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Scan.html"]
 59risk_score = 21
 60rule_id = "96b2a03e-003b-11f0-8541-f661ea17fbcd"
 61setup = "DynamoDB data events must be enabled in CloudTrail to capture the Scan action. Ensure that the AWS CloudTrail service is configured to log data events for DynamoDB tables."
 62severity = "low"
 63tags = [
 64    "Domain: Cloud",
 65    "Data Source: AWS",
 66    "Data Source: Amazon Web Services",
 67    "Data Source: AWS DynamoDB",
 68    "Resources: Investigation Guide",
 69    "Use Case: Threat Detection",
 70    "Tactic: Exfiltration",
 71]
 72timestamp_override = "event.ingested"
 73type = "new_terms"
 74
 75query = '''
 76event.dataset: "aws.cloudtrail"
 77    and event.provider: "dynamodb.amazonaws.com"
 78    and event.action: "Scan"
 79    and event.outcome: "success"
 80'''
 81
 82
 83[[rule.threat]]
 84framework = "MITRE ATT&CK"
 85[[rule.threat.technique]]
 86id = "T1567"
 87name = "Exfiltration Over Web Service"
 88reference = "https://attack.mitre.org/techniques/T1567/"
 89
 90
 91[rule.threat.tactic]
 92id = "TA0010"
 93name = "Exfiltration"
 94reference = "https://attack.mitre.org/tactics/TA0010/"
 95[[rule.threat]]
 96framework = "MITRE ATT&CK"
 97[[rule.threat.technique]]
 98id = "T1530"
 99name = "Data from Cloud Storage"
100reference = "https://attack.mitre.org/techniques/T1530/"
101
102
103[rule.threat.tactic]
104id = "TA0009"
105name = "Collection"
106reference = "https://attack.mitre.org/tactics/TA0009/"
107
108[rule.investigation_fields]
109field_names = [
110    "@timestamp",
111    "user.name",
112    "source.address",
113    "aws.cloudtrail.user_identity.arn",
114    "aws.cloudtrail.user_identity.type",
115    "aws.cloudtrail.user_identity.access_key_id",
116    "user_agent.original",
117    "event.action",
118    "event.outcome",
119    "cloud.region",
120    "aws.cloudtrail.flattened.request_parameters.tableName",
121    "aws.cloudtrail.flattened.response_elements.subscriptionArn",
122    "aws.cloudtrail.request_parameters",
123]
124
125[rule.new_terms]
126field = "new_terms_fields"
127value = ["aws.cloudtrail.user_identity.arn"]
128[[rule.new_terms.history_window_start]]
129field = "history_window_start"
130value = "now-14d"