AWS DynamoDB Table Exported to S3

  1[metadata]
  2creation_date = "2025/03/13"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2025/09/08"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies when an AWS DynamoDB table is exported to S3. Adversaries may use the ExportTableToPointInTime operation to collect sensitive information or exfiltrate data from DynamoDB tables. This rule detects unusual user activity by monitoring for the ExportTableToPointInTime action in CloudTrail logs. This is a New Terms rule that only flags when this behavior is observed by a user or role for the first time.
 11"""
 12false_positives = [
 13    """
 14    Legitimate users may export DynamoDB tables for various reasons, such as data analysis or backup purposes. Ensure that the user has the necessary permissions and that the ExportTableToPointInTime operation is authorized before taking action.
 15    """,
 16]
 17from = "now-6m"
 18index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 19language = "kuery"
 20license = "Elastic License v2"
 21name = "AWS DynamoDB Table Exported to S3"
 22note = """ ## Triage and analysis
 23
 24### Investigating AWS DynamoDB Table Exported to S3
 25
 26This rule identifies when an AWS DynamoDB table is exported to S3. Adversaries may use the ExportTableToPointInTime operation to collect sensitive information or exfiltrate data from DynamoDB tables. This rule detects unusual user activity by monitoring for the ExportTableToPointInTime action in CloudTrail logs.
 27
 28This is a New Terms rule that only flags when this behavior is observed for the first time.
 29
 30#### Possible Investigation Steps
 31- Identify the Actor: Review the `aws.cloudtrail.user_identity.arn` field to identify the user who requested the export. Verify if this actor typically performs such actions and has the necessary permissions. It may be unusual for this activity to originate from certain user types, such as an assumed role or federated user.
 32- Review the Source IP: Check the `source.ip` field to determine the source of the request. If the request comes from an unexpected location or IP address, it may indicate a compromised account or unauthorized access.
 33- Review Access Key: Check the `aws.cloudtrail.user_identity.access_key_id` field to identify the access key used for the request. Determine if this key has been compromised.
 34- Analyze the Request Parameters: Examine the `aws.cloudtrail.request_parameters` field to understand the details of the ExportTableToPointInTime request. Look for any unusual parameters or patterns that may indicate malicious intent. This also details the DynamoDB table being exported.
 35
 36### False Positive Analysis
 37- Historical User Actions: If the user has a history of exporting DynamoDB tables for legitimate purposes, this may be a false positive. Review the user's activity logs to determine if this behavior is consistent with their normal actions.
 38- Automated Processes: Some automated processes or applications may perform exports on DynamoDB tables as part of their functionality. If the user is associated with such a process, this may be a false positive.
 39
 40### Response and Remediation
 41- Immediate Review and Reversal: If the ExportTableToPointInTime action is determined to be unauthorized, immediately revoke the user's access to the DynamoDB table and any associated resources. This may involve disabling the user's access keys or removing their permissions.
 42- Investigate Compromise: If the ExportTableToPointInTime action is determined to be malicious, investigate the source and destination of the request and any potential compromise of the user's account. If the destination S3 bucket is not known, it may be a sign of data exfiltration and may require incident response.
 43- Review IAM Policies: Review the IAM policies associated with the user to ensure that they have the appropriate permissions for their role. If necessary, update the policies to restrict access to sensitive resources.
 44- Monitor for Future Activity: Continue to monitor the user's activity for any further suspicious behavior. Set up additional alerts or logging to detect any future unauthorized access attempts.
 45
 46### Additional Information
 47
 48For further guidance on managing and securing DynamoDB in AWS environments, refer to the [AWS DynamoDB documentation](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/security.html) and AWS best practices for security.
 49"""
 50references = ["https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_ExportTableToPointInTime.html"]
 51risk_score = 21
 52rule_id = "e8ea6f58-0040-11f0-a243-f661ea17fbcd"
 53severity = "low"
 54tags = [
 55    "Domain: Cloud",
 56    "Data Source: AWS",
 57    "Data Source: Amazon Web Services",
 58    "Data Source: AWS DynamoDB",
 59    "Resources: Investigation Guide",
 60    "Use Case: Threat Detection",
 61    "Tactic: Exfiltration",
 62]
 63timestamp_override = "event.ingested"
 64type = "new_terms"
 65
 66query = '''
 67event.dataset: "aws.cloudtrail"
 68    and event.provider: "dynamodb.amazonaws.com"
 69    and event.action: "ExportTableToPointInTime"
 70    and event.outcome: "success"
 71'''
 72
 73
 74[[rule.threat]]
 75framework = "MITRE ATT&CK"
 76[[rule.threat.technique]]
 77id = "T1567"
 78name = "Exfiltration Over Web Service"
 79reference = "https://attack.mitre.org/techniques/T1567/"
 80[[rule.threat.technique.subtechnique]]
 81id = "T1567.002"
 82name = "Exfiltration to Cloud Storage"
 83reference = "https://attack.mitre.org/techniques/T1567/002/"
 84
 85
 86
 87[rule.threat.tactic]
 88id = "TA0010"
 89name = "Exfiltration"
 90reference = "https://attack.mitre.org/tactics/TA0010/"
 91
 92[rule.investigation_fields]
 93field_names = [
 94    "@timestamp",
 95    "user.name",
 96    "user_agent.original",
 97    "source.ip",
 98    "aws.cloudtrail.user_identity.arn",
 99    "aws.cloudtrail.user_identity.type",
100    "aws.cloudtrail.user_identity.access_key_id",
101    "aws.cloudtrail.resources.arn",     
102    "aws.cloudtrail.resources.type",   
103    "event.action",
104    "event.outcome",
105    "cloud.account.id",
106    "cloud.region",
107    "aws.cloudtrail.request_parameters"
108]
109
110[rule.new_terms]
111field = "new_terms_fields"
112value = ["cloud.account.id", "user.name"]
113[[rule.new_terms.history_window_start]]
114field = "history_window_start"
115value = "now-10d"