AWS SNS Topic Created by Rare User
Identifies when an SNS topic is created by a user who does not typically perform this action. Adversaries may create SNS topics to stage capabilities for data exfiltration or other malicious activities. This is a New Terms rule that only flags when this behavior is observed for the first time by a user or role.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2025/02/11"
integration = ["aws"]
maturity = "production"
updated_date = "2025/09/09"

[rule]
author = ["Elastic"]
description = """
Identifies when an SNS topic is created by a user who does not typically perform this action. Adversaries may create SNS
topics to stage capabilities for data exfiltration or other malicious activities. This is a New Terms rule that only flags
when this behavior is observed for the first time by a user or role.
"""
false_positives = [
    """
    Legitimate users may create SNS topics for legitimate purposes. Ensure that the creation is authorized before taking
    action.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS SNS Topic Created by Rare User"
note = """## Triage and Analysis

### Investigating AWS SNS Topic Created by Rare User

This rule detects the creation of an AWS Simple Notification Service (SNS) topic by a user who does not typically perform this action. Adversaries may create SNS topics to facilitate data exfiltration or other malicious activities.

This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that only flags when this behavior is observed for the first time by a user or role.

#### Possible Investigation Steps

### Identify the Actor and Context
- **User Identity and Role**:
    - Examine `aws.cloudtrail.user_identity.arn` to determine **who** created the SNS topic.
    - Identify whether the actor assumed a **privileged IAM role** (`aws.cloudtrail.user_identity.type: "AssumedRole"`) or used long-term access keys (`aws.cloudtrail.user_identity.access_key_id` beginning with `AKIA`, as opposed to the `ASIA` prefix of temporary STS credentials).
- **User Agent and Tooling**:
    - Check `user_agent.original` to determine if this action was performed via the AWS CLI, SDK, or Console.
    - If `aws-cli` was used, review whether it aligns with typical automation or administrative behavior.
- **Source IP and Geographic Location**:
    - Review `source.ip` and `source.geo` fields to confirm if the request originated from a **trusted** or **unexpected** location.

### Evaluate the SNS Topic Creation
- **Topic Name and Purpose**:
    - Check `aws.cloudtrail.request_parameters` for the **SNS topic name** and determine whether it appears suspicious (e.g., random strings, unusual keywords).
- **Target Region and Account**:
    - Verify `cloud.region` and `cloud.account.id` to **ensure the SNS topic was created in an expected environment**.
- **Associated API Calls**:
    - Identify additional actions **before or after** this event using `event.action` values like:
        - `Subscribe`
        - `Publish`
        - `SetTopicAttributes`
    - These may indicate follow-up steps taken to misuse the SNS topic.

### Analyze Potential Malicious Intent
- **Is This an Isolated Action or a Pattern?**
    - Check if this **user has previously created SNS topics** using historical CloudTrail logs.
    - Look for **multiple topic creations in a short period**, which may suggest an automation script or malicious behavior.
- **Unusual Role Usage**:
    - If `aws.cloudtrail.user_identity.arn` references an **EC2 instance role**, verify whether that instance typically performs SNS operations.
- **Potential Data Exfiltration or Persistence**:
    - Review whether **new subscriptions** were added (`Subscribe` API action) to forward data externally, paying particular attention to `http`, `https`, `email` and `sms` protocols whose endpoints sit outside the account.
    - If the topic has subscriptions that deliver to **Lambda functions, SQS queues or HTTP/S endpoints**, or has been configured as the destination for **S3 event notifications**, it may indicate an attempt to persist in the environment.

## False Positive Analysis
- **Legitimate Usage of SNS**:
    - SNS is commonly used for **event-driven notifications** in AWS.
    - Check whether the SNS topic creation aligns with known **DevOps, automation, or monitoring activities**.
- **Routine IAM Role Activity**:
    - If the user typically interacts with SNS, consider **allowlisting** expected IAM roles for this action.
- **AWS Services Creating Topics Automatically**:
    - Some AWS services may **auto-create SNS topics** for alerts and monitoring. Confirm whether the creation was system-generated, for example by checking whether `aws.cloudtrail.user_identity.invoked_by` names the calling AWS service.

## Response and Remediation
- **Confirm Authorization**:
    - If the user was not expected to create SNS topics, verify whether their IAM permissions should be restricted.
- **Revoke Unauthorized Access**:
    - If unauthorized, disable the access keys or IAM role associated with the event.
- **Monitor for Further SNS Modifications**:
    - Set up additional monitoring for **SNS Publish or Subscription events** (`Publish`, `Subscribe`).
- **Enhance IAM Policy Controls**:
    - Consider enforcing **least privilege** IAM policies and enabling **multi-factor authentication (MFA)** where applicable.
- **Investigate for Persistence**:
    - Check whether the SNS topic is **being used as a notification channel for Lambda, S3, or other AWS services**.
"""
references = [
    "https://docs.aws.amazon.com/sns/latest/api/API_CreateTopic.html",
    "https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/",
    "https://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/",
]
risk_score = 21
rule_id = "3c3f65b8-e8b4-11ef-9511-f661ea17fbce"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS SNS",
    "Resources: Investigation Guide",
    "Use Case: Threat Detection",
    "Tactic: Resource Development",
    "Tactic: Impact",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: "aws.cloudtrail"
    and event.provider: "sns.amazonaws.com"
    and event.action: "CreateTopic"
    and event.outcome: "success"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1608"
name = "Stage Capabilities"
reference = "https://attack.mitre.org/techniques/T1608/"


[rule.threat.tactic]
id = "TA0042"
name = "Resource Development"
reference = "https://attack.mitre.org/tactics/TA0042/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1496"
name = "Resource Hijacking"
reference = "https://attack.mitre.org/techniques/T1496/"
[[rule.threat.technique.subtechnique]]
id = "T1496.004"
name = "Cloud Service Hijacking"
reference = "https://attack.mitre.org/techniques/T1496/004/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements"
]
[rule.new_terms]
field = "new_terms_fields"
value = ["cloud.account.id", "user.name"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
```
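The following Python is an added example, not Elastic's code and not how the Elastic rule engine implements New Terms rules. It replays two things from the rule above against constructed CloudTrail records: the query plus New Terms logic (a `CreateTopic` success is an alert only when the `(cloud.account.id, user.name)` pair has not been seen on a matching event inside the 10-day history window), and the triage steps from the investigation guide (actor, identity type, user agent, source IP, follow-on `Subscribe`/`Publish`/`SetTopicAttributes` calls on the created topic, and subscriptions that can deliver outside the account). Assumptions: records are in raw CloudTrail JSON shape rather than ECS, the `user.name` mapping in `ecs_user_name()` (IAM user name, or the issuing role name for an assumed role) is an approximation of the integration's pipeline, the `EXTERNAL_PROTOCOLS` set is the author's choice, the history window is evaluated relative to each event instead of the rule's run time, and every event, account ID, ARN and IP address is constructed.

```python
from __future__ import annotations
from datetime import datetime, timedelta, timezone

# Rule parameters taken from the TOML: history_window_start = "now-10d".
HISTORY_WINDOW = timedelta(days=10)
FOLLOW_ON_ACTIONS = {"Subscribe", "Publish", "SetTopicAttributes"}
# Assumption: SNS delivery protocols that can push data to an endpoint outside the account.
EXTERNAL_PROTOCOLS = {"http", "https", "email", "email-json", "sms"}


def rec(ts, account, identity, event_name, params=None, response=None,
        error=None, ua="aws-cli/2.15.0", ip="10.0.0.5"):
    """Build a constructed CloudTrail record (raw CloudTrail JSON field names)."""
    return {"eventTime": ts, "eventSource": "sns.amazonaws.com", "eventName": event_name,
            "recipientAccountId": account, "awsRegion": "us-east-1",
            "userIdentity": identity, "userAgent": ua, "sourceIPAddress": ip,
            "requestParameters": params or {}, "responseElements": response or {},
            **({"errorCode": error} if error else {})}


def iam_user(account, name):
    return {"type": "IAMUser", "userName": name, "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
            "arn": f"arn:aws:iam::{account}:user/{name}"}


def assumed_role(account, role, session):
    return {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLETEMPKEY01",
            "arn": f"arn:aws:sts::{account}:assumed-role/{role}/{session}",
            "sessionContext": {"sessionIssuer": {"type": "Role", "userName": role}}}


def topic_arn(account, name):
    return f"arn:aws:sns:us-east-1:{account}:{name}"


A1, A2 = "111122223333", "444455556666"
ANALYST = assumed_role(A1, "ReadOnlyAnalyst", "alice")
SAMPLE_EVENTS = [  # constructed sample data, in time order
    rec("2025-07-20T09:00:00Z", A1, iam_user(A1, "ops-admin"), "CreateTopic",
        {"name": "ops-alerts"}, {"topicArn": topic_arn(A1, "ops-alerts")}),
    rec("2025-09-01T10:00:00Z", A1, iam_user(A1, "ci-deployer"), "CreateTopic",
        {"name": "deploy-notifications"}, {"topicArn": topic_arn(A1, "deploy-notifications")}),
    rec("2025-09-09T08:00:00Z", A1, iam_user(A1, "ci-deployer"), "CreateTopic",
        {"name": "deploy-notifications-2"}, {"topicArn": topic_arn(A1, "deploy-notifications-2")}),
    rec("2025-09-09T08:30:00Z", A1, iam_user(A1, "ops-admin"), "CreateTopic",
        {"name": "ops-alerts-2"}, {"topicArn": topic_arn(A1, "ops-alerts-2")}),
    rec("2025-09-09T09:00:00Z", A1, ANALYST, "CreateTopic",
        {"name": "tmp-a8f3c1"}, {"topicArn": topic_arn(A1, "tmp-a8f3c1")}, ip="198.51.100.23"),
    rec("2025-09-09T09:02:00Z", A1, ANALYST, "Subscribe",
        {"topicArn": topic_arn(A1, "tmp-a8f3c1"), "protocol": "https",
         "endpoint": "https://203.0.113.10/collect"}, ip="198.51.100.23"),
    rec("2025-09-09T09:03:00Z", A1, ANALYST, "Publish",
        {"topicArn": topic_arn(A1, "tmp-a8f3c1")}, ip="198.51.100.23"),
    rec("2025-09-09T09:10:00Z", A1, iam_user(A1, "intern"), "CreateTopic",
        {"name": "test"}, error="AccessDenied"),          # failed call: event.outcome != success
    rec("2025-09-09T10:00:00Z", A2, iam_user(A2, "ci-deployer"), "CreateTopic",
        {"name": "deploy-notifications"}, {"topicArn": topic_arn(A2, "deploy-notifications")}),
]


def ecs_user_name(identity):
    """Assumed ECS mapping: IAM user name, or the issuing role name for an assumed role."""
    if identity["type"] == "AssumedRole":
        return identity["sessionContext"]["sessionIssuer"]["userName"]
    return identity.get("userName", identity.get("arn"))


def parse_ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def matches_query(ev):
    """The rule's KQL: provider sns.amazonaws.com, action CreateTopic, outcome success."""
    return (ev["eventSource"] == "sns.amazonaws.com" and ev["eventName"] == "CreateTopic"
            and "errorCode" not in ev)


def new_terms_alerts(events, window=HISTORY_WINDOW):
    """Alert when (cloud.account.id, user.name) was not seen on a matching event within `window`."""
    last_seen, alerts = {}, []
    for ev in sorted(events, key=parse_ts):
        if not matches_query(ev):
            continue
        term = (ev["recipientAccountId"], ecs_user_name(ev["userIdentity"]))
        ts = parse_ts(ev)
        prev = last_seen.get(term)
        if prev is None or ts - prev > window:   # first sighting, or last sighting outside the window
            alerts.append(ev)
        last_seen[term] = ts
    return alerts


def triage(alert, events, lookahead=timedelta(hours=1)):
    """Pull the investigation-guide context for one alert: actor, tooling, origin, and the
    follow-on SNS calls on the created topic, flagging subscriptions to external endpoints."""
    arn, t0 = alert["responseElements"].get("topicArn"), parse_ts(alert)
    follow_on = [ev for ev in events if ev["eventName"] in FOLLOW_ON_ACTIONS
                 and ev["requestParameters"].get("topicArn") == arn
                 and t0 <= parse_ts(ev) <= t0 + lookahead]
    external = [ev["requestParameters"]["endpoint"] for ev in follow_on
                if ev["eventName"] == "Subscribe"
                and ev["requestParameters"].get("protocol") in EXTERNAL_PROTOCOLS]
    ident = alert["userIdentity"]
    return {"topic": arn, "actor": ident["arn"], "identity_type": ident["type"],
            "long_term_key": ident["accessKeyId"].startswith("AKIA"),
            "user_agent": alert["userAgent"], "source_ip": alert["sourceIPAddress"],
            "follow_on_actions": [ev["eventName"] for ev in follow_on],
            "external_endpoints": external}


if __name__ == "__main__":
    for alert in new_terms_alerts(SAMPLE_EVENTS):
        print(alert["eventTime"], triage(alert, SAMPLE_EVENTS))
```

Two behaviours worth noticing in the replay: `ops-admin` is flagged twice, because a 51-day gap exceeds the 10-day history window and the term counts as new again, and `ci-deployer` is flagged in the second account even though the same user name is routine in the first, because the term is the account/user pair. The `ReadOnlyAnalyst` alert is the one the guide would escalate: an assumed role, the CLI, an unfamiliar source IP, and an `https` subscription to an address outside the account within minutes of the `CreateTopic`.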
Related rules
- AWS SNS Rare Protocol Subscription by User
- AWS SNS Topic Message Publish by Rare User
- AWS EC2 EBS Snapshot Access Removed
- AWS S3 Object Encryption Using External KMS Key
- Potential AWS S3 Bucket Ransomware Note Uploaded