Reviewing Cloud Anomaly Detection Findings

After Cloud Anomaly Detection is properly configured, InsightCloudSec logs incidents and anomalous behavior in Threat Findings. An anomaly is a deviation from the observed behavior of an entity within a time window; it is not necessarily related to a security problem. An incident is a sequence of anomalies that share a common association with a security problem or threat and that requires further investigation. These findings can be distinguished from other threats using the following filters (click Add Filter in the top-right):

  • Event Source is in Rapid7
  • Category is in Anomaly and/or Incident
  • Audited Environment is in EKS and/or CloudTrail

Click the Finding Type to open a pane that contains details and the finding as a JSON object (with the option to download it).

JSON Finding Details

The table below details the fields that can be found within the finding JSON object and whether they appear in an incident and/or an anomaly finding. Review the examples for more information and context.

AWS CloudTrail Content

Review the AWS documentation for more information on the CloudTrail record.

Field Name | Description | Incident Support | Anomaly Support
findingType | Description of the detection type | |
time | Timestamp of the detection in milliseconds since epoch | |
period | Period of anomalous behavior in milliseconds | |
clusterName | When the audited environment is Kubernetes, Google Kubernetes Engine (GKE), Elastic Kubernetes Service (EKS), or Azure Kubernetes Service (AKS), the name of the Kubernetes cluster; otherwise empty | |
category | Category of detection (incident, anomaly) | |
entityId | Identifies the entity on which the finding was detected (unique to the entity type) | |
direction | Direction of the incident, usually the direction of data flow in the related anomalous activities (read, write, undirected) | |
environment | Audited environment type (k8s, gke, aks, eks, aws, azure, gcp) | |
confidence | Incident confidence in detection (CONFIDENCE_LOW, CONFIDENCE_MEDIUM, CONFIDENCE_HIGH) | |
alertUuid | Uniquely identifies the detection | |
auditSummary | Summary of recent activity by the entity; sub-fields are listed below the table | | X
reasons | The reasons this is recorded as an incident, i.e., a list of one or more anomalies; per-anomaly sub-fields are listed below the table | | X
mitreTactic | Mapping of the detection to MITRE framework tactic names and IDs | ✓ (Optional) | X
mitreTechnique | Mapping of the detection to MITRE framework technique names and IDs | ✓ (Optional) | X
AWSResourceDetails | AWS-specific mapping of entity type and ID to the resource within the audited environment, for additional context. The mapping is based on partial information about the entity identity extracted from the audit log plus heuristics, so it cannot always map the entity to a unique (or any) resource | ✓ (Optional) | ✓ (Optional)
callerDetails | The caller IP, country, ASN, and reputation | ✓ (Optional) | ✓ (Optional)
GKEProject | Domain-related enrichment: the source for a GKE login, which related findings identify per analyzer | ✓ (Optional) | ✓ (Optional)
GCPProjects | Domain-related enrichment: identifies the project(s) from which the activity log(s) are monitored, per analyzer | ✓ (Optional) | ✓ (Optional)
userIdentityAccountId | The account(s) that own the entity/entities that granted permissions for the request(s) | ✓ (Optional) | ✓ (Optional)
recipientAccountId | The account(s) that received the event(s); may differ from userIdentityAccountId | ✓ (Optional) | ✓ (Optional)
resourcesAccountId | Account(s) of the accessed resource(s) owner(s) | ✓ (Optional) | ✓ (Optional)
instance | The analyzer instance that reported the incident | |
shortDoc | Short description of the detection type | |
detectionType | Unique ID of the specific detection type | |

auditSummary sub-fields:
  • time: the history period covered, in milliseconds
  • activity: a map from activity attributes (for example, services accessed or caller IP addresses observed) to the values seen; the map can have many attributes and each attribute can have many values

reasons sub-fields (per anomaly; each may be absent):
  • doc: description of the reason
  • period: time period for which the reason was identified (in milliseconds)
  • context: additional context explaining why the anomaly was created, e.g., unusual values for a property in the activity, such as the list of unique regions that triggered an "unusual change in count of unique regions" anomaly
  • alertUid: ID for the reason
  • direction: direction of traffic related to the reason
  • confidence: overall confidence of the reason
Incident JSON Finding Example
```json
{
  "doc": "unusual access pattern",
  "time": "1669021920000",
  "period": 180000,
  "cluster": "my-cluster",
  "history": [
    {
      "time": "1669021560000",
      "activity": {
        "service": {
          "value": [
            "eks.amazonaws.com",
            "guardduty.amazonaws.com",
            "events.amazonaws.com",
            "tagging.amazonaws.com",
            "ec2.amazonaws.com",
            "elasticloadbalancing.amazonaws.com",
            "rds.amazonaws.com"
          ]
        },
        "caller-ip": {
          "value": [
            "123.123.123.123"
          ]
        },
        "eventType": {
          "value": [
            "AwsApiCall"
          ]
        },
        "api-version": {
          "value": [
            "2012-06-01",
            "2015-10-07",
            "2015-12-01"
          ]
        },
        "userIdentity-type": {
          "value": [
            "AssumedRole"
          ]
        }
      }
    },
    {
      "time": "1669021740000",
      "activity": {
        "caller-ip-asn": {
          "value": [
            "my-caller-ip"
          ]
        }
      }
    }
  ],
  "reasons": [
    {
      "doc": "unusual change in count of unique regions",
      "period": 180000,
      "context": [
        {
          "id": "awsRegion",
          "details": [
            "eu-west-1",
            "us-east-2",
            "ap-northeast-2",
            "eu-central-1",
            "us-east-1",
            "us-west-1"
          ]
        }
      ],
      "alertUid": "a4a8177f-a79d-4108-bcec-f84b2bbb6171",
      "direction": "DIRECTION_READ",
      "confidence": "CONFIDENCE_MEDIUM"
    },
    {
      "doc": "unusual buckets",
      "period": 180000,
      "context": [
        {
          "id": "bucketName",
          "details": [
            "my-bucket-1",
            "my-bucket-2",
            "my-bucket-3"
          ]
        }
      ],
      "alertUid": "cad12d8b-4d17-4b4b-839d-90a6655911d9",
      "direction": "DIRECTION_READ",
      "confidence": "CONFIDENCE_MEDIUM"
    },
    {
      "doc": "unusual services",
      "period": 180000,
      "context": [
        {
          "id": "service",
          "details": [
            "lookoutequipment.amazonaws.com",
            "cloudhsm.amazonaws.com",
            "amazonmq.amazonaws.com",
            "monitoring.amazonaws.com",
            "quicksight.amazonaws.com"
          ]
        }
      ],
      "alertUid": "01572d46-17f9-472f-a29c-c9a08d51d2f6",
      "direction": "DIRECTION_READ",
      "confidence": "CONFIDENCE_MEDIUM"
    }
  ],
  "category": "CATEGORY_INCIDENT",
  "entityId": "developer/Rapid7",
  "instance": "my-instance",
  "shortDoc": "access pattern",
  "alertUuid": "f1d1e791-3a0b-4502-bbaa-ef28612fca0b",
  "direction": "DIRECTION_READ",
  "confidence": "CONFIDENCE_MEDIUM",
  "entityType": "AUDIT_ENTITY_PRINCIPAL",
  "mitreTactic": [
    "TA0001",
    "TA0004",
    "TA0003",
    "TA0005",
    "TA0007"
  ],
  "detectionType": "access_pattern-short-principal",
  "mitreTechnique": [
    "T1046",
    "T1578",
    "T1526",
    "T1069",
    "T1580",
    "T1078",
    "T1535",
    "T1484"
  ],
  "mitreTacticName": [
    "Persistence",
    "Defense Evasion",
    "Initial Access",
    "Discovery",
    "Privilege Escalation"
  ],
  "entityResourceName": "developer",
  "entityResourceRole": "developer",
  "entityResourceType": "role",
  "mitreTechniqueName": [
    "Network Service Scanning",
    "Domain Policy Modification",
    "Cloud Infrastructure Discovery",
    "Modify Cloud Compute Infrastructure",
    "Unused/Unsupported Cloud Regions",
    "Valid Accounts",
    "Cloud Service Discovery",
    "Permission Groups Discovery"
  ],
  "recipientAccountId": [
    "889956758113",
    "256640039316",
    "042293964381"
  ],
  "entityResourceSession": "Rapid7"
}
```
Anomaly JSON Finding Example
```json
{
  "category": "anomaly",
  "alert-uid": "c3ee3259-63f6-444a-8034-e6839217864d",
  "instance": "tst-cluster",
  "time": 1653643620000,
  "etype": "principal",
  "eid": "test-test-role/test-test",
  "short-doc": "actions",
  "doc": "unusual change in count of unique actions in access attempts",
  "detection-type": "audit_property_action-short-out-uniques-principal",
  "period": 180000,
  "confidence": "medium",
  "direction": "read",
  "reasons": [
    {
      "doc": "change in count of unique actions in read access attempts",
      "period": 180000,
      "direction": "read",
      "values": {
        "medium": [19, 0]
      }
    }
  ],
  "context": {
    "action": [
      "GetBucketPolicy",
      "DescribeAutoScalingGroups",
      "GetPolicyVersion",
      "DescribeFileSystems",
      "ListSAMLProviders",
      "DescribeConfigurationRecorders",
      "ListTopics",
      "DescribeVpnGateways",
      "DescribeRepositories",
      "ListTaskDefinitions",
      "ListClusters",
      "ListTables",
      "DescribeAddresses",
      "DescribeRouteTables",
      "DescribeNatGateways",
      "ListIdentities",
      "ListAliases",
      "DescribeVpcPeeringConnections",
      "GetTopicAttributes",
      "DescribeRegions"
    ]
  }
}
```
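The two examples above spell the same fields differently (alertUuid vs alert-uid, entityId vs eid, CATEGORY_INCIDENT vs anomaly, CONFIDENCE_MEDIUM vs medium), so a bot that routes on them has to handle both shapes. The following Python is an added example, not Rapid7 or InsightCloudSec code: it normalizes both finding shapes into one record and ranks them for triage. The sample findings are constructed from the two examples above, and the triage_score ranking is an assumption of this example, not a product field.

```python
import json
from dataclasses import dataclass

# Constructed samples, abbreviated from the incident and anomaly examples above.
INCIDENT_JSON = '''{"category": "CATEGORY_INCIDENT", "alertUuid": "f1d1e791-3a0b-4502-bbaa-ef28612fca0b",
 "entityId": "developer/Rapid7", "confidence": "CONFIDENCE_MEDIUM", "direction": "DIRECTION_READ",
 "mitreTactic": ["TA0001", "TA0004", "TA0003", "TA0005", "TA0007"],
 "reasons": [{"doc": "unusual change in count of unique regions"}, {"doc": "unusual buckets"},
             {"doc": "unusual services"}]}'''
ANOMALY_JSON = '''{"category": "anomaly",
 "alert-uid": "c3ee3259-63f6-444a-8034-e6839217864d", "eid": "test-test-role/test-test",
 "confidence": "medium", "direction": "read",
 "reasons": [{"doc": "change in count of unique actions in read access attempts"}]}'''

@dataclass(frozen=True)
class Finding:
    category: str    # "incident" or "anomaly"
    alert_id: str    # alertUuid (incident) or alert-uid (anomaly)
    entity_id: str   # entityId (incident) or eid (anomaly)
    confidence: str  # "low", "medium" or "high"
    direction: str   # "read", "write" or "undirected"
    reasons: tuple   # reason "doc" strings
    tactics: tuple   # MITRE tactic IDs; empty for anomalies

def _pick(raw, *keys, default=None):
    """Return the first key present; covers the camelCase and kebab-case spellings."""
    for key in keys:
        if key in raw:
            return raw[key]
    return default

def _plain(value, prefix):
    """Strip an enum prefix and lowercase: 'CONFIDENCE_MEDIUM' -> 'medium', 'medium' -> 'medium'."""
    text = str(value)
    if text.upper().startswith(prefix):
        text = text[len(prefix):]
    return text.lower()

def normalize(raw: dict) -> Finding:
    return Finding(
        category=_plain(raw["category"], "CATEGORY_"),
        alert_id=_pick(raw, "alertUuid", "alert-uid", default=""),
        entity_id=_pick(raw, "entityId", "eid", default=""),
        confidence=_plain(_pick(raw, "confidence", default="low"), "CONFIDENCE_"),
        direction=_plain(_pick(raw, "direction", default="undirected"), "DIRECTION_"),
        reasons=tuple(r.get("doc", "") for r in raw.get("reasons", [])),
        tactics=tuple(raw.get("mitreTactic", [])),
    )

def load(blob: str) -> Finding:
    return normalize(json.loads(blob))

def triage_score(f: Finding) -> int:
    """Assumed ranking: incidents outrank anomalies, then confidence, then number of reasons."""
    base = 100 if f.category == "incident" else 0
    conf = {"low": 1, "medium": 2, "high": 3}.get(f.confidence, 0)
    return base + 10 * conf + len(f.reasons)

if __name__ == "__main__":
    print(*sorted(map(load, (INCIDENT_JSON, ANOMALY_JSON)), key=triage_score, reverse=True), sep="\n")
```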

Bots and Automation with Anomaly Findings

Leveraging Bots and Automation with Anomaly Findings uses the same process as with other Threat Findings. Review the Threat Findings User Guide for more information.

Detection Type Reference

Each Cloud type offers different types of detections. The tables in the following sections outline the available detections and any relevant details.

AWS

External web scan
  Entity Type: Account
  Meaning: Some of the account's principals initiated API calls in unusual ways or targeted API services or actions that are unusual for the account. For example, some principals' credentials may have been compromised and used by an attacker to scan available resources or permissions.
  Source Anomalies: Unusual IP, geolocation, or ASN from which the principals initiated their API calls; unusual software tool (e.g., browser, operating system, scripting language) used by the calling principals; bad reputation associated with the IPs from which principals initiated their API calls; unusual services or actions targeted in the calls.
  MITRE Associations:
    • Techniques
      • Trusted Relationship (T1199)
      • Valid Accounts (T1078)
    • Tactics
      • Initial Access (TA0001)
      • Persistence (TA0003)
      • Privilege Escalation (TA0004)
      • Defense Evasion (TA0005)

Unusual Database activity
  Entity Type: Principal
  Meaning: The principal initiated unusual API calls related to database resources (usually administration actions). This detection may indicate that an attacker is trying to read or modify the content of a database.
  Source Anomalies: The principal accessed unusual resources such as database engines, instances, tables, or queries.
  MITRE Associations:
    • Techniques
      • Cloud Infrastructure Discovery (T1580)
      • Cloud Service Discovery (T1526)
      • Data Destruction (T1485)
      • Data Encoding (T1132)
      • Data from Information Repositories (T1213)
      • Data Manipulation (T1565)
    • Tactics
      • Discovery (TA0007)
      • Collection (TA0009)
      • Impact (TA0040)
      • Command and Control (TA0011)

Unusual access pattern
  Entity Type: Principal or account
  Meaning: The principal initiated API calls that accessed unusual resources. This detection may indicate that an attacker is trying to read or modify those resources (or related resources, in case they accessed resources like S3 buckets or IAM policies).
  Source Anomalies: The principal accessed unusual regions, services, resource types, or resources (like S3 buckets and IAM policies).
  MITRE Associations:
    • Techniques
      • Network Service Scanning (T1046)
      • Domain Policy Modification (T1484)
      • Cloud Infrastructure Discovery (T1580)
      • Modify Cloud Compute Infrastructure (T1578)
      • Unused/Unsupported Cloud Regions (T1535)
      • Valid Accounts (T1078)
      • Cloud Service Discovery (T1526)
      • Permission Groups Discovery (T1069)
    • Tactics
      • Initial Access (TA0001)
      • Persistence (TA0003)
      • Privilege Escalation (TA0004)
      • Defense Evasion (TA0005)
      • Discovery (TA0007)

Unusual access to service
  Entity Type: Service
  Meaning: The cloud service is accessed in unusual ways that may indicate it was abused. For example, the service may be accessed using compromised credentials or by exploiting configured permissions that are not restrictive enough, or the service is accessed as part of a malicious scan for accessible resources or available permissions.
  Source Anomalies: Unusual principals are accessing the service, unusual actions are requested from the service, or an unauthorized access status is returned by the service.
  MITRE Associations:
    • Techniques
      • Network Service Scanning (T1046)
      • Cloud Infrastructure Discovery (T1580)
      • Account Discovery (T1087)
      • Automated Collection (T1119)
      • Modify Cloud Compute Infrastructure (T1578)
      • Data from Cloud Storage Object (T1530)
      • Valid Accounts (T1078)
      • Cloud Service Discovery (T1526)
      • Brute Force (T1110)
      • Permission Groups Discovery (T1069)
      • Data from Information Repositories (T1213)
      • Cloud Storage Object Discovery (T1619)
    • Tactics
      • Initial Access (TA0001)
      • Persistence (TA0003)
      • Privilege Escalation (TA0004)
      • Defense Evasion (TA0005)
      • Credential Access (TA0006)
      • Discovery (TA0007)
      • Collection (TA0009)

Unusual access type
  Entity Type: Principal
  Meaning: The principal initiated API calls that are unusual in their profiled routine activity. For example, an attacker may be using compromised credentials, exploiting configured permissions that are not restrictive enough, or performing a malicious scan for accessible resources or available permissions.
  Source Anomalies: The principal accessed unusual services, performed unusual actions on services, or received unusual status responses for their actions.
  MITRE Associations:
    • Techniques
      • Network Service Scanning (T1046)
      • Cloud Infrastructure Discovery (T1580)
      • Account Discovery (T1087)
      • Automated Collection (T1119)
      • Modify Cloud Compute Infrastructure (T1578)
      • Data from Cloud Storage Object (T1530)
      • Valid Accounts (T1078)
      • Cloud Service Discovery (T1526)
      • Brute Force (T1110)
      • Permission Groups Discovery (T1069)
      • Data from Information Repositories (T1213)
      • Cloud Storage Object Discovery (T1619)
    • Tactics
      • Initial Access (TA0001)
      • Persistence (TA0003)
      • Privilege Escalation (TA0004)
      • Defense Evasion (TA0005)
      • Credential Access (TA0006)
      • Discovery (TA0007)
      • Collection (TA0009)

Unusual principal identity indicators
  Entity Type: Principal
  Meaning: The principal initiated API calls in unusual ways (regardless of what the called APIs were). For example, the principal's credentials may have been compromised and used by an attacker from a different computer.
  Source Anomalies: Unusual IP, geolocation, or ASN from which the principal initiated their API calls; unusual software tool (e.g., browser, operating system, scripting language) used by the calling principal; or bad reputation associated with the IP or tool from which the principal initiated the API calls.
  MITRE Associations:
    • Techniques
      • Trusted Relationship (T1199)
      • Valid Accounts (T1078)
    • Tactics
      • Initial Access (TA0001)
      • Persistence (TA0003)
      • Privilege Escalation (TA0004)
      • Defense Evasion (TA0005)

Kubernetes

External web scan
  Entity Type: Cluster
  Meaning: Some of the API calls to the cluster are initiated in unusual ways from external IPs (i.e., from outside the cluster). For example, some principals' credentials may have been compromised and used by an external attacker to scan available resources or permissions in the cluster.
  Source Anomalies: Unusual access URI; unusual sub-resource in an Exec command; unusual IP, geolocation, or ASN from which the principals initiated their API calls; unusual software tool (e.g., browser, operating system, scripting language) used by the calling principals; bad reputation associated with the IPs from which principals initiated their API calls.
  MITRE Associations:
    • Techniques
      • Trusted Relationship (T1199)
      • Valid Accounts (T1078)
    • Tactics
      • Initial Access (TA0001)
      • Persistence (TA0003)
      • Privilege Escalation (TA0004)
      • Defense Evasion (TA0005)

Unusual access pattern
  Entity Type: Principal
  Meaning: The principal initiated API calls that accessed unusual resources or Kubernetes APIs. This detection may indicate that an attacker is trying to read or modify those resources.
  Source Anomalies: The principal accessed unusual Kubernetes API groups, resource types, or resource namespaces.
  MITRE Associations:
    • Techniques
      • Network Service Scanning (T1046)
      • Domain Policy Modification (T1484)
      • Cloud Infrastructure Discovery (T1580)
      • Modify Cloud Compute Infrastructure (T1578)
      • Unused/Unsupported Cloud Regions (T1535)
      • Valid Accounts (T1078)
      • Cloud Service Discovery (T1526)
      • Permission Groups Discovery (T1069)
    • Tactics
      • Initial Access (TA0001)
      • Persistence (TA0003)
      • Privilege Escalation (TA0004)
      • Defense Evasion (TA0005)
      • Discovery (TA0007)

Unusual access to resource
  Entity Type: Resource
  Meaning: The Kubernetes resource is accessed in unusual ways that may indicate it was abused. For example, the resource may be accessed using compromised credentials or by exploiting configured permissions that are not restrictive enough, or the service is accessed as part of a malicious scan for accessible resources or available permissions.
  Source Anomalies: Unusual principals are accessing the service, unusual API versions are requested from the resource, unusual sub-resource operations (Exec, Attach, Proxy, PortForward, Log, EphemeralContainers) are performed on the resource, or an unauthorized access status is returned for the access.
  MITRE Associations:
    • Techniques
      • Network Service Scanning (T1046)
      • Cloud Infrastructure Discovery (T1580)
      • Account Discovery (T1087)
      • Automated Collection (T1119)
      • Modify Cloud Compute Infrastructure (T1578)
      • Data from Cloud Storage Object (T1530)
      • Valid Accounts (T1078)
      • Cloud Service Discovery (T1526)
      • Brute Force (T1110)
      • Permission Groups Discovery (T1069)
      • Data from Information Repositories (T1213)
      • Cloud Storage Object Discovery (T1619)
    • Tactics
      • Initial Access (TA0001)
      • Persistence (TA0003)
      • Privilege Escalation (TA0004)
      • Defense Evasion (TA0005)
      • Credential Access (TA0006)
      • Discovery (TA0007)
      • Collection (TA0009)

Unusual access type
  Entity Type: Principal
  Meaning: The principal initiated API calls that are unusual in their profiled routine activity. For example, an attacker may be using compromised credentials, exploiting configured permissions that are not restrictive enough, or performing a malicious scan for accessible resources or available permissions.
  Source Anomalies: The principal accessed unusual URIs, performed unusual actions (either verbs or sub-resources like Exec, Attach, Proxy, PortForward, Log, EphemeralContainers) on resources, or received unusual status responses for their actions.
  MITRE Associations:
    • Techniques
      • Network Service Scanning (T1046)
      • Cloud Infrastructure Discovery (T1580)
      • Account Discovery (T1087)
      • Automated Collection (T1119)
      • Modify Cloud Compute Infrastructure (T1578)
      • Data from Cloud Storage Object (T1530)
      • Valid Accounts (T1078)
      • Cloud Service Discovery (T1526)
      • Brute Force (T1110)
      • Permission Groups Discovery (T1069)
      • Data from Information Repositories (T1213)
      • Cloud Storage Object Discovery (T1619)
    • Tactics
      • Initial Access (TA0001)
      • Persistence (TA0003)
      • Privilege Escalation (TA0004)
      • Defense Evasion (TA0005)
      • Credential Access (TA0006)
      • Discovery (TA0007)
      • Collection (TA0009)

Unusual principal identity indicators
  Entity Type: Principal
  Meaning: The principal initiated API calls in unusual ways (regardless of what the called APIs were). For example, the principal's credentials may have been compromised and used by an attacker from a different computer.
  Source Anomalies: Unusual IP, geolocation, or ASN from which the principal initiated their API calls; unusual software tool (e.g., browser, operating system, scripting language) used by the calling principal; or bad reputation associated with the IP or tool from which the principal initiated the API calls.
  MITRE Associations:
    • Techniques
      • Trusted Relationship (T1199)
      • Valid Accounts (T1078)
    • Tactics
      • Initial Access (TA0001)
      • Persistence (TA0003)
      • Privilege Escalation (TA0004)
      • Defense Evasion (TA0005)