
Quick Start Observability for AWS Edge Insights

AWS Edge Insights

Coralogix Extension For AWS Edge Insights Includes:

Dashboards - 2

Gain instantaneous visualization of all your AWS Edge Insights data.

AWS WAF Insights
Bot Confidence Dashboard

Alerts - 35

Stay on top of AWS Edge Insights key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Googlebot Mistakenly Blocked

Alert that fires if the Google indexing bot has been mistakenly blocked by the WAF. IMPACT: Serious negative impact on SEO if the WAF blocks Googlebot.

Known Bot Request Detected

Triggers if a request from a user agent matching a known bot is detected. Connected to the Security team's bot database to automatically inform them of bot activity.

Suspected Traffic Increase Driving Errors and Performance Issues

This Flow alert triggers when traffic from known suspected sources is followed by an increase in errors and a performance impact, measured as latency increases outside the accepted norm.

Higher Than Usual Suspected Traffic

Alert triggers when more suspected traffic is being received than normal.

Latency Increase Above Accepted Thresholds [>200ms]

Latency for HTTP requests is increasing beyond acceptable thresholds.

AWS WAF - Suspected Cross Site Scripting (XSS) Attack

Summary
This alert is activated when AWS WAF logs identify a terminating rule associated with cross-site scripting (XSS) attacks. Cross-Site Scripting (XSS) is a prevalent security threat where attackers inject malicious scripts into web pages viewed by other users. These attacks exploit vulnerabilities in web applications that fail to adequately sanitize user-supplied input. XSS can lead to a variety of harmful outcomes, including stealing cookies, session tokens, or other sensitive information from users, and manipulating or defacing the content of a web page.

Impact
Potential impacts of a suspected XSS attack include:
- Unauthorized Script Execution: Cross-Site Scripting (XSS) allows attackers to inject malicious scripts into web pages. These scripts are then executed by the browsers of unsuspecting users who visit the compromised web page. Since the browser interprets these scripts as originating from a trusted source, it executes them without suspicion.
- Data Theft: The executed script can access any cookies, session tokens, and other sensitive information that the browser stores for that site. This allows attackers to steal identities, hijack sessions, or commit fraud by impersonating the user.
- Security and Privacy Breaches: Beyond stealing data, these scripts can also perform actions on behalf of the user, potentially leading to unauthorized transactions, data alterations, or privacy breaches. The impact extends to defacing the website, spreading malware, or propagating the attack to other users.

Mitigation
Mitigation steps for suspected XSS attacks include:
- Request Validation: Conduct thorough inspections of all requests intercepted by AWS WAF to identify potential XSS patterns. This includes looking for malicious scripts or anomalies in inputs that resemble script tags, JavaScript events, or other script-related content.
- Detailed Investigation: For any requests flagged as suspicious, perform a comprehensive analysis. This should include examining the source IPs, the specific URLs requested, and the nature of any scripts or commands included in the requests. Investigate the context of the requests to better understand the attack vector.
- Enhance XSS Defenses: Update and refine WAF rules specifically designed to detect and block XSS attacks. Regularly review these rules in response to emerging XSS techniques and vulnerabilities.
- Content Security Policies: Implement stringent Content Security Policies (CSP) that restrict the sources from which scripts can be loaded. This reduces the risk of XSS attacks by only allowing scripts from trusted sources.
- Input Sanitization: Ensure that all user inputs are properly sanitized before being processed by your applications. This should include encoding or escaping inputs where appropriate to prevent malicious data from being rendered as executable code.

MITRE Tactic: TA0001
MITRE Technique: T1190

AWS WAF - Potential Information Disclosure

This alert triggers when a successful HTTP GET request targets a URL that ends with one of a set of specific file extensions that can contain information which should not be disclosed directly to the internet. The following file extensions are detected by this alert:
- Configuration Files: .env, .config, .ini, .conf
- Backup Files: .bak, .old, .zip
- Log Files: .log, .txt, .log.txt
- Source Code Files: .java, .py, .rb
- Database Dump Files: .sql, .dump
- Backup Scripts: .sh, .bat, .ps1
- Private Keys and Certificates: .pem, .key, .p12, .crt

Please Note: This alert may require tuning based on the web application's usage (i.e. if it serves any of the above-mentioned file extensions). File extensions can be added or removed, and match conditions can be tuned to a lower or higher rate of occurrence to match the operation of the web application.

Impact
Information disclosure attacks can have severe consequences for organizations and can result in a data and privacy breach.

Mitigation
Validate the requests intercepted by the WAF. If these seem suspicious, investigate further by examining the source IPs, requested URLs, etc.

MITRE Tactic: TA0001
MITRE Technique: T1190
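The detection condition above (successful GET, path ending in a sensitive extension, with a tuning allow-list for files the application legitimately serves) written out as code. This is an added example, not Coralogix's alert definition or AWS code. The log records are constructed and simplified: the real AWS WAF log carries the request under `httpRequest` but no response status, so the example assumes a `responseCode` field has already been joined in from the edge (CloudFront) log, and it matches extensions on the decoded URL path only, ignoring the query string. `ALLOWED_PATHS` is a hypothetical tuning list.

```python
"""Detection logic for the 'Potential Information Disclosure' condition.

Added example, not Coralogix's or AWS's code. Records are constructed and
simplified: AWS WAF logs hold the request under "httpRequest" but no response
status, so "responseCode" is assumed to be joined in from the edge log.
"""
import json
from urllib.parse import urlsplit, unquote

# Extension set taken from the alert description, grouped as it lists them.
SENSITIVE_EXTENSIONS = {
    "config": (".env", ".config", ".ini", ".conf"),
    "backup": (".bak", ".old", ".zip"),
    "log": (".log", ".txt", ".log.txt"),
    "source": (".java", ".py", ".rb"),
    "db_dump": (".sql", ".dump"),
    "script": (".sh", ".bat", ".ps1"),
    "key_material": (".pem", ".key", ".p12", ".crt"),
}

# Tuning knob the alert note calls for: paths the application legitimately
# serves (hypothetical list for this example).
ALLOWED_PATHS = {"/robots.txt", "/humans.txt"}


def classify_path(uri: str):
    """Return the matching extension category, or None.

    Matching is on the decoded path only (query string stripped) and is
    case-insensitive, so '/backup/site.ZIP?download=1' still matches.
    """
    path = unquote(urlsplit(uri).path).lower()
    if path in ALLOWED_PATHS:
        return None
    for category, exts in SENSITIVE_EXTENSIONS.items():
        if path.endswith(exts):
            return category
    return None


def is_disclosure_candidate(record: dict) -> bool:
    """Successful (2xx) GET whose path ends in a sensitive extension."""
    req = record["httpRequest"]
    if req["httpMethod"] != "GET":
        return False
    if not 200 <= record.get("responseCode", 0) < 300:
        return False
    return classify_path(req["uri"]) is not None


def find_disclosures(log_lines):
    """Return (clientIp, uri, category) for each matching JSON log line."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        if is_disclosure_candidate(rec):
            req = rec["httpRequest"]
            hits.append((req["clientIp"], req["uri"], classify_path(req["uri"])))
    return hits


def _rec(ip, method, uri, status):
    return json.dumps({"action": "ALLOW", "responseCode": status,
                       "httpRequest": {"clientIp": ip, "httpMethod": method, "uri": uri}})


# Constructed sample records (not real traffic).
SAMPLE_LOG = [
    _rec("203.0.113.10", "GET", "/.env", 200),                       # fires
    _rec("203.0.113.10", "GET", "/backup/site.ZIP?download=1", 200),  # fires (case, query)
    _rec("203.0.113.11", "GET", "/config.ini", 404),                 # not served
    _rec("198.51.100.5", "GET", "/robots.txt", 200),                 # tuned out
    _rec("198.51.100.6", "GET", "/download?file=dump.sql", 200),     # ext only in query
    _rec("198.51.100.7", "POST", "/upload.sh", 200),                 # not a GET
]

if __name__ == "__main__":
    for hit in find_disclosures(SAMPLE_LOG):
        print(hit)
```

Only the first two constructed records fire; the 404, the allow-listed `robots.txt`, the query-string-only extension and the POST are all excluded, which is the tuning behaviour the note above asks for.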

AWS WAF - Potential Brute Force on Login URLs

This alert triggers when a possible brute force attack is performed against a login page. Brute force attacks on login pages involve systematically attempting multiple combinations of usernames and passwords until a successful login is achieved. This technique relies on the assumption that weak or commonly used credentials can be guessed through exhaustive trial and error.

Impact
The impact varies depending on the success of the attack and the sensitivity of the targeted system, and may include account compromise, privilege escalation, data breach, resource exhaustion, and a weakened security posture.

Mitigation
Validate the requests intercepted by the WAF. If these seem suspicious, investigate further by examining the source IPs, requested URLs, etc.

MITRE Tactic: TA0006
MITRE Technique: T1110

AWS WAF - Potential Remote File Inclusion (RFI) Attack

Summary
This alert is activated when an AWS WAF log entry identifies a rule termination associated with Remote File Inclusion (RFI) attacks. RFI attacks exploit vulnerabilities in web applications by manipulating input parameters or file inclusion mechanisms. This allows attackers to include and execute malicious files hosted on external servers. The goal is to trick the web application into processing these remote files, potentially leading to unauthorized access or harmful actions.

Impact
Potential impacts of RFI attacks include:
- Arbitrary Code Execution: Attackers may execute arbitrary code on the server, which can lead to complete system compromise.
- Unauthorized Data Access: By exploiting RFI vulnerabilities, attackers can gain unauthorized access to sensitive data, exposing both user and organizational information to risk.
- System Compromise: The integrity and security of the entire system may be compromised, allowing attackers to manipulate or control system functionalities.
- Operational Disruption: RFI attacks can disrupt the normal functioning of the targeted application, leading to service outages or degraded performance.
- Data Breaches: Successful RFI attacks can result in data breaches, potentially exposing confidential data and violating compliance regulations.
- Reputational Damage: Incidents resulting from RFI attacks can damage the organization's reputation, resulting in loss of customer trust and potential financial liabilities.

Mitigation
Mitigation steps for RFI attacks include:
- Request Validation: Carefully examine all requests flagged by AWS WAF for signs of RFI attack patterns. Focus on validating the legitimacy and integrity of each request to ensure they are not carrying malicious payloads.
- In-Depth Analysis: If a request appears suspicious, conduct a detailed investigation into its origins. Analyze the source IP addresses, requested URLs, and any other relevant metadata to trace the source and intent of the attack.
- Behavior Monitoring: Monitor for unusual request patterns or spikes in traffic from particular IPs or to specific URLs, which could indicate an ongoing or attempted RFI attack.
- Enhanced Filtering: Adjust WAF rules to strengthen filtering criteria based on the insights gained from the investigation, aiming to block similar future attempts more effectively.
- Security Patches and Updates: Ensure that all web applications are up-to-date with the latest security patches, particularly those that close vulnerabilities exploitable by RFI attacks.

MITRE Tactic: TA0001
MITRE Technique: T1190

AWS WAF - Suspected SQL Injection Attempt

Summary
This alert is activated when AWS WAF logs indicate a termination rule associated with SQL Injection attacks. SQL Injection is a critical security threat where an attacker attempts to interfere with the queries that an application makes to its database. Typically, it involves inserting or "injecting" malicious SQL statements into an entry field for execution, which can lead to unauthorized access, data theft, and manipulation of the database. This alert aims to detect and respond to such attempts to protect the application from potential breaches.

Impact
Potential impacts of a suspected SQL Injection attempt include:
- Identity Spoofing: SQL injection can allow attackers to impersonate legitimate users, gaining unauthorized access to sensitive information.
- Data Tampering: Attackers can alter or delete data, affecting integrity. This includes unauthorized changes to balances, voiding transactions, or modifying critical business data.
- Disclosure of Information: SQL injection may lead to complete exposure of all data stored in the database, including confidential and proprietary information.
- Denial of Service: By corrupting data or overwhelming the database with requests, attackers can render data unavailable, effectively causing a denial of service.
- Elevated Privileges: Attackers can potentially escalate their privileges within the system to that of a database administrator, gaining control over database management and operations.

Mitigation
Mitigation steps for a suspected SQL Injection attempt include:
- Request Validation: Thoroughly examine all requests intercepted by AWS WAF for signs of SQL injection, such as unusual patterns or SQL syntax within user input fields.
- Detailed Investigation: For requests flagged as suspicious, conduct a deeper analysis. Investigate source IP addresses, requested URLs, and the specific query parameters involved. Identify any commonalities or trends that could indicate systematic attempts at SQL injection.
- Enhance Detection Rules: Continuously update and refine AWS WAF rules to detect and block SQL injection attempts more effectively. Use threat intelligence and known attack signatures to enhance rule accuracy.
- Use Parameterized Queries: Ensure that all database queries from your applications use parameterized queries or prepared statements, which are less vulnerable to SQL injection.
- Implement Least Privilege: Restrict database permissions to the minimum necessary for each application function. This limits the potential impact of a successful SQL injection attack.
- Regular Audits and Monitoring: Conduct regular security audits of your database and application environments. Monitor logs for unusual database queries or unauthorized access patterns, which can serve as early indicators of an attack.

MITRE Tactic: TA0001
MITRE Technique: T1190

AWS WAF - Potential Local File Inclusion (LFI) Attack

Summary
This alert is initiated when AWS WAF logs indicate that a rule associated with Local File Inclusion (LFI) has been triggered. LFI attacks exploit vulnerabilities in web applications that fail to properly validate or sanitize user input. This vulnerability allows attackers to manipulate file paths to include and execute files that are locally stored on the server. Such actions can lead to unauthorized access to sensitive files, execution of malicious scripts, or other compromising activities on the server.

Impact
Potential impacts of LFI attacks include:
- Unauthorized Disclosure: LFI attacks can result in the unauthorized disclosure of sensitive information stored on the server. This can include confidential data such as personal details, credentials, and internal configurations.
- Remote Code Execution: By exploiting LFI vulnerabilities, attackers may execute arbitrary code on the server. This can lead to further malicious activities, including additional exploits and malware deployment.
- Server Integrity Compromise: LFI attacks threaten the overall integrity of the server. Manipulation of local files can alter server behavior, disable services, or corrupt data and applications, potentially leading to prolonged downtime and operational disruption.

Mitigation
Mitigation steps for LFI attacks include:
- Request Validation: Closely inspect all requests flagged by AWS WAF for indications of LFI attack patterns. Scrutinize requests to identify any unusual or unauthorized attempts to access local files.
- Detailed Investigation: If a request raises suspicion, conduct an in-depth analysis. Examine source IP addresses, requested URLs, and any associated query parameters. Look for patterns or anomalies that could indicate manipulative behavior typical of LFI attacks.
- Enhanced Monitoring: Implement continuous monitoring for signs of manipulation or unusual access patterns. This should include real-time alerts for any access requests to sensitive or system-critical files.
- Rule Optimization: Regularly update and refine AWS WAF rules based on the latest threat intelligence and observed attack vectors. Ensure that rules are designed to detect and mitigate common and emerging LFI techniques.
- Security Best Practices: Enforce strict input validation, sanitization, and whitelisting of allowed files and directories to prevent unauthorized file inclusion. Ensure all software components are up-to-date with patches, particularly those that mitigate known vulnerabilities.

MITRE Tactic: TA0001
MITRE Technique: T1190

AWS WAF - Potential Code/Command Injection Attack

This alert triggers when the terminating rule mentioned in the logs is related to command injection or code injection attacks. Code injection is the general term for attack types that consist of injecting code which is then interpreted or executed by the application. This type of attack exploits poor handling of untrusted data. Command injection is an attack in which the goal is the execution of arbitrary commands on the host operating system via a vulnerable application.

Impact
In command injection, the attacker extends the default functionality of the application, which executes system commands, without the necessity of injecting code. In a code injection attack, attackers can introduce (or inject) code into a computer program with this type of vulnerability.

Mitigation
Validate the requests intercepted by the WAF. If these seem suspicious, investigate further by examining the source IPs, requested URLs, etc.

MITRE Tactic: TA0001
MITRE Technique: T1190

AWS WAF - Suspected Remote Code Execution (RCE) Attempt

Summary
This alert is activated when AWS WAF logs identify a termination rule that is associated with remote code execution (RCE) attacks. Remote Code Execution attacks involve an attacker exploiting vulnerabilities within a web application to run malicious code on the server. This type of attack can compromise the server's integrity, allowing the attacker to gain unauthorized access or control over the server. The alert aims to detect and mitigate such attempts to safeguard the application and its data.

Impact
Potential impacts of a suspected Remote Code Execution attempt include:
- Network Access through RCE: Exploitation of Remote Code Execution (RCE) vulnerabilities in web applications can provide threat actors with initial access to the network. Once inside, attackers can leverage this foothold to execute arbitrary commands, control system resources, install malware, or manipulate data, posing a critical security risk to the entire network infrastructure.

Mitigation
Mitigation steps for a suspected Remote Code Execution attempt include:
- Request Validation: Meticulously inspect all requests flagged by AWS WAF that could potentially be involved in a Remote Code Execution attempt. Pay particular attention to any payloads or parameters that contain executable code or scripts.
- Detailed Investigation: For any requests that raise suspicion, conduct a thorough investigation by examining the source IP addresses, requested URLs, and other relevant request details. Look for patterns that match known RCE techniques or anomalies that deviate from normal user behavior.
- Enhance Monitoring and Detection: Enhance your detection capabilities to better identify and respond to RCE attempts. Regularly update detection rules based on the latest threat intelligence and indicators of compromise associated with emerging RCE vulnerabilities.
- Security Hardening: Apply strict input validation and sanitization practices to reduce the risk of malicious code execution. Ensure that all software components, including web servers and applications, are up-to-date with the latest security patches.
- Incident Response Plan: Ensure that a robust incident response plan is in place that includes specific procedures for responding to RCE attacks. This plan should facilitate quick isolation of affected systems, preservation of evidence, and rapid remediation of vulnerabilities.

MITRE Tactic: TA0001
MITRE Technique: T1190

AWS WAF - High Volume of Bot Requests

This alert is triggered by a high volume of bot requests detected by AWS WAF. Bots are automated programs designed to perform tasks on networks by mimicking or replacing human behavior. While some bots, like search engine crawlers (e.g., Googlebot or Bingbot) and social media bots (e.g., Facebook Bot), are beneficial and enhance business operations, others pose significant threats. Malicious bots, such as those used for credential stuffing, web scraping, or spamming, can disrupt services, steal data, and degrade the user experience. This alert aims to identify and manage both beneficial and harmful bot traffic to protect and optimize web application performance.

Impact
Potential impacts of excessive bot traffic include:
- Disruption of Operations: High volumes of bot requests can overwhelm web servers, potentially leading to slowed response times or even service outages. This disruption affects the normal operations of a business, impacting user experience and potentially resulting in lost revenue.
- Data Theft: Malicious bots can be employed to extract confidential information from web applications. These bots may carry out sophisticated scraping operations to steal sensitive data, intellectual property, or competitive business information, posing a significant security threat.

Mitigation
Mitigation steps for excessive bot traffic include:
- Identify the Bot's Nature: Begin by categorizing the detected bot traffic. Use AWS WAF capabilities to differentiate between recognized 'good' bots (like search engine crawlers) and potentially malicious 'bad' bots. This identification is crucial for effective response strategies.
- Further Investigation for Suspicious Bots: For bots not categorized as 'good', initiate a detailed investigation. Analyze their behaviors, such as request patterns, frequency, and the type of data they access. Determine the potential threat and the bot's purpose.
- Implement Bot Management Solutions: Employ advanced bot management solutions that include rate limiting, CAPTCHA challenges, and behavior analysis to effectively manage and mitigate unwanted bot traffic.
- Enhance WAF Configurations: Adjust AWS WAF rules to more effectively detect and block suspicious bot activities. This might include updating rate limits or enhancing pattern recognition algorithms to better identify and differentiate between bot types.
- Continuous Monitoring and Analysis: Maintain ongoing monitoring of traffic patterns to quickly detect and respond to new or evolving bot threats. Regularly review and refine control measures based on the latest bot activity and threat intelligence.

MITRE Tactic: TA0042
MITRE Technique: T1583

AWS WAF - Potential Common Vulnerability Exploitation Attack

This alert triggers when the terminating rule mentioned in the logs is about common vulnerability exploits.

Impact
Threat actors can gain initial access to a network by exploiting common vulnerabilities present in a web application.

Mitigation
Investigate further based on the CVE mentioned in the logs.

MITRE Tactic: TA0001
MITRE Technique: T1190

AWS WAF - No logs from AWS WAF

This alert triggers if there are no logs in the last 4 hours for AWS WAF in the customer account. Note: this alert should be configured with the relevant application and subsystem.

Impact
Disabling logging is a tactic that adversaries might employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations.

Mitigation
Address logging concerns to ensure comprehensive monitoring within the Coralogix SIEM system.

MITRE Tactic: TA0005
MITRE Technique: T1562

Bot Incorrectly Blocked

A new bot has been incorrectly blocked. A bot is defined as an IP address appearing in bot scores. "Incorrect" is defined as a bot score of 0.

AWS WAF - Building Block - Multiple Block Requests (By Source IP)

Summary
This building block alert triggers when multiple requests from a specific IP during a specific time interval are blocked by AWS WAF. This alert is part of the flow alert: AWS WAF - Flow Alert - Multiple Blocked Requests Followed by Allowed Request (By Source IP). Note: please fine-tune the alert thresholds according to your specific business requirements.

Impact
Repeated blocked requests originating from the same IP address may suggest potential malicious activities by the source.

Mitigation
Validate the requests intercepted by the WAF. If these seem suspicious, investigate further by examining the source IP(s), requested URLs, etc. If the activity is legitimate and belongs to the organization, please whitelist the related IP(s).

MITRE Tactic: TA0001
MITRE Technique: T1190
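The building block and the flow alert it feeds, expressed as a small stream detector: count BLOCK actions per source IP in a sliding window, raise the building-block alert when the threshold is crossed, and raise the flow alert if an ALLOW from the same IP follows within a second window. This is an added example, not Coralogix's alert logic. Records are constructed and keep only the AWS WAF log fields the check needs (`timestamp` in epoch milliseconds, `action`, `httpRequest.clientIp`, `httpRequest.uri`); the threshold and window sizes are hypothetical tuning values of the kind the note above asks you to set.

```python
"""Building block + flow: N blocked requests from one IP within a window,
followed by an allowed request from the same IP.

Added example, not Coralogix's alert definition. Threshold and windows are
hypothetical tuning values; records are constructed.
"""
import json
from collections import defaultdict, deque

BLOCK_THRESHOLD = 5          # blocks within the window before the block alert fires
WINDOW_MS = 5 * 60 * 1000    # 5-minute sliding window for counting blocks
FOLLOW_MS = 10 * 60 * 1000   # an ALLOW must follow the burst within 10 minutes


class BlockedThenAllowedDetector:
    def __init__(self, threshold=BLOCK_THRESHOLD, window_ms=WINDOW_MS, follow_ms=FOLLOW_MS):
        self.threshold = threshold
        self.window_ms = window_ms
        self.follow_ms = follow_ms
        self._blocks = defaultdict(deque)   # ip -> timestamps of recent BLOCKs
        self._burst_at = {}                 # ip -> time the block threshold was crossed
        self.block_alerts = []              # building-block firings: (ip, ts)
        self.flow_alerts = []               # flow firings: (ip, ts, uri)

    def feed(self, record):
        ts = record["timestamp"]
        ip = record["httpRequest"]["clientIp"]
        action = record["action"]
        if action == "BLOCK":
            q = self._blocks[ip]
            q.append(ts)
            while q and ts - q[0] > self.window_ms:   # evict blocks outside the window
                q.popleft()
            if len(q) >= self.threshold and ip not in self._burst_at:
                self._burst_at[ip] = ts
                self.block_alerts.append((ip, ts))
        elif action == "ALLOW" and ip in self._burst_at:
            if ts - self._burst_at[ip] <= self.follow_ms:
                self.flow_alerts.append((ip, ts, record["httpRequest"]["uri"]))
            # One flow alert per burst; a fresh burst must be observed again.
            del self._burst_at[ip]
            self._blocks[ip].clear()

    def feed_lines(self, lines):
        for line in lines:
            self.feed(json.loads(line))
        return self


def _rec(ts, action, ip, uri):
    return json.dumps({"timestamp": ts, "action": action,
                       "httpRequest": {"clientIp": ip, "uri": uri}})


T0 = 1_700_000_000_000  # constructed base time in epoch milliseconds

# Constructed sample: 203.0.113.7 is blocked 5 times in 2 minutes and then
# allowed; 198.51.100.9 is blocked twice and never crosses the threshold.
SAMPLE_LOG = [_rec(T0 + i * 30_000, "BLOCK", "203.0.113.7", f"/login?try={i}") for i in range(5)]
SAMPLE_LOG += [_rec(T0 + 60_000, "BLOCK", "198.51.100.9", "/admin"),
               _rec(T0 + 90_000, "BLOCK", "198.51.100.9", "/admin"),
               _rec(T0 + 200_000, "ALLOW", "203.0.113.7", "/account/settings"),
               _rec(T0 + 210_000, "ALLOW", "198.51.100.9", "/")]
SAMPLE_LOG.sort(key=lambda s: json.loads(s)["timestamp"])   # replay in time order


def run_sample():
    return BlockedThenAllowedDetector().feed_lines(SAMPLE_LOG)


if __name__ == "__main__":
    d = run_sample()
    print("building block:", d.block_alerts)
    print("flow:", d.flow_alerts)
```

On the constructed stream the building block fires once, on the fifth block from 203.0.113.7, and the flow alert fires once, on that IP's later allowed request; the IP that was blocked only twice produces nothing, which is the threshold behaviour the note asks you to tune.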

AWS WAF - Suspected Common Vulnerability Exploit

Summary
This alert is activated when an AWS WAF log entry points to a termination rule targeting activities associated with common vulnerability exploits. The alert identifies attempts to exploit known vulnerabilities within the network infrastructure, which may include SQL injections, cross-site scripting (XSS), or other well-documented security threats. The focus is on intercepting and addressing these exploit attempts to prevent potential security breaches.

Impact
Exploitation of common vulnerabilities in web applications provides a gateway for threat actors to gain initial access to the network. This access can lead to further unauthorized activities, including data theft, system manipulation, or deeper network penetration, posing significant security risks to the organization.

Mitigation
- Detailed CVE Investigation: Upon triggering of this alert, immediately investigate the specific Common Vulnerabilities and Exposures (CVE) referenced in the AWS WAF logs. Conduct a thorough analysis to understand the nature of the vulnerability, the affected systems, and the potential methods of exploitation.
- Assess Vulnerability Impact: Evaluate the potential impact of the CVE on your environment. Determine which systems are vulnerable and the severity of the threat.
- Patch Management: Prioritize and apply security patches or updates to the affected systems as recommended by the CVE advisories. Ensure that all software and systems are up-to-date with the latest security patches to mitigate the risk.
- Enhance Monitoring and Controls: Increase surveillance and control measures around the affected systems. Adjust AWS WAF rules to detect and block exploit attempts more effectively.

MITRE Tactic: TA0001
MITRE Technique: T1190

AWS WAF - Suspected Code Injection Attempt

This alert activates when AWS WAF logs indicate termination due to a rule associated with either command or code injection attacks. Code injection encompasses a variety of attack types where attackers inject malicious code into a web application, which is then executed by the application. This type of attack typically exploits the application's improper handling or sanitization of untrusted data. Command injection, a subset of code injection, specifically aims to execute arbitrary commands on the host system through a vulnerable application. Both forms of injection pose serious security threats, potentially allowing attackers to manipulate or gain control of affected systems.

Impact
Potential impacts of a suspected code injection attempt include:
- Command Injection Impact: In command injection attacks, attackers exploit an application's existing functionalities to execute unauthorized system commands. This type of attack bypasses the need to inject new code, leveraging the application's ability to access system commands directly. Such attacks can alter or disrupt system operations, steal data, or provide attackers with unauthorized access to underlying systems.
- Code Injection Impact: Code injection allows attackers to introduce their own malicious code into a program. This code is then executed by the vulnerable application, potentially leading to data theft, system compromise, and the spread of malware. The introduced code can also create backdoors, allowing sustained access to the affected systems.

Mitigation
Mitigation steps for suspected code injection attempts include:
- Request Validation: Rigorously inspect all requests flagged by AWS WAF that may involve code or command injection. Scrutinize the requests for unusual patterns or signatures that match known injection tactics.
- In-depth Investigation: If a request appears suspicious, conduct a detailed analysis. Examine the source IP addresses, requested URLs, and any payload data associated with the request. Look for anomalies or patterns indicative of malicious intent, such as unusual commands or code snippets embedded within parameters.
- Enhanced Monitoring: Increase monitoring capabilities to detect and alert on similar attempts more swiftly. Adjust WAF configurations to strengthen detection and prevention of both code and command injection attacks.
- Security Best Practices: Ensure that all user inputs are properly sanitized and validated on both client-side and server-side applications to prevent executable code from being injected. Employ the principle of least privilege to limit what commands can be executed by any application.
- Update and Patch: Regularly update and patch all systems to close vulnerabilities that could be exploited via code injection. Include application frameworks and dependencies in this regular maintenance.

MITRE Tactic: TA0001
MITRE Technique: T1190

AWS CloudFront - Possible Account Takeover - Multiple Failed Login Attempts From a Single Source

This alert is configured to trigger upon detecting multiple failed login attempts from a single IP address or user account within a specified timeframe. This security measure is designed to identify potential brute force attacks or credential stuffing attempts, where attackers try numerous username and password combinations to gain unauthorized access to user accounts.

Impact
Multiple failed login attempts from a single source can suggest several security risks, including:
- Brute Force Attacks: Persistent attempts to guess passwords can eventually breach an account, leading to unauthorized access.
- Credential Stuffing: Using stolen account credentials from one breach to gain access to other services can result in multiple account compromises.
- Account Lockout: Repeated failed login attempts can trigger security protocols that lock the user out of their account, disrupting legitimate access.
- System Load: High volumes of failed login attempts can consume system resources, potentially degrading service for legitimate users.
- Reputational and Financial Damage: Successful breaches from these attacks can lead to data theft, financial loss, and damage to the organization's reputation.

Mitigation
Effective mitigation strategies for multiple failed login attempts include:
- Account Lockout Policies: Implement account lockout mechanisms after a certain number of failed login attempts to prevent continued attempts.
- Rate Limiting: Set up rate limiting to slow down the attack, making it less feasible for attackers to perform brute force or credential stuffing attacks.
- Multi-Factor Authentication (MFA): Require MFA to add an additional layer of security that requires more than just the user's password for access.
- Monitoring and Alerts: Enhance monitoring of login patterns and set up alerts for unusual activities, such as spikes in failed logins, to quickly detect and respond to potential attacks.
- User Education: Educate users about the importance of strong, unique passwords and the dangers of reusing passwords across multiple sites.
- Regular Security Audits: Conduct regular security audits and reviews to assess and improve the effectiveness of existing security measures.

MITRE Tactic: TA0001
MITRE Technique: T1110

AWS WAF - Possible Account Takeover

This alert is triggered when an AWS WAF log entry indicates that a rule from the Fraud Control Account Takeover Prevention (ATP) managed rule group has terminated a request. The ATP managed rule group specifically targets and manages requests that show patterns potentially linked to malicious account takeover attempts. Account takeover refers to unauthorized access to a user's account by an attacker, who may then engage in fraudulent activities such as financial theft, data breaches, or unauthorized transactions.

Impact
When an attacker gains unauthorized access to an account, the consequences can be severe and multi-faceted. Potential impacts include:
- Financial Loss: Attackers may steal funds directly from the victim's accounts or engage in unauthorized transactions that result in financial loss to the victim.
- Identity Theft: The attacker may impersonate the victim to access and manipulate other accounts owned by the victim, further increasing the risk of financial and reputational damage.
- Data Breach: Sensitive personal or organizational information may be accessed and exploited, leading to privacy violations and potential compliance issues.
- Extended Fraud: By using the compromised account as a foothold, the attacker could potentially gain access to the accounts of others, including individuals and organizations connected to the initial victim, spreading the impact of the attack.

Mitigation
Upon triggering of this alert, follow these steps to mitigate potential risks and further assess the situation:
- Request Validation: Thoroughly review and validate all requests intercepted by AWS WAF to ascertain if they exhibit suspicious patterns or anomalies.
- Detailed Analysis: Investigate further by analyzing source IP addresses, requested URLs, and other relevant request metadata. Look for unusual activity or inconsistencies in the data.
- Rule Correlation: Check if other AWS WAF rules were triggered around the same time to identify broader attack patterns or coordinated attack attempts.
- Log Correlation: Enhance visibility and context by correlating AWS WAF logs with logs from other AWS services such as Amazon CloudFront. This can help in understanding the scope and method of the attack.
- Immediate Containment: Implement containment measures such as blocking suspicious IP addresses or temporarily restricting access to vulnerable application features if an attack is confirmed.

MITRE Tactic: TA0001
MITRE Technique: T1190

AWS CloudFront - Building Block - Data Egress Higher Than 100Mb

Summary
This alert is triggered when the egress data size for any single request exceeds 100MB and the response was not served from the CloudFront cache, that is, the request went to the origin. This scenario typically indicates an unusual or potentially unauthorized data transfer, which may suggest an attempted data breach or unexpected application behaviour. Monitoring and controlling large data egress helps prevent data loss and identify potential security threats.

Impact
The potential impacts of not monitoring large data egress include:
- Data Loss: Significant amounts of data may be extracted without authorization, leading to loss of sensitive or proprietary information.
- Security Breach: Large data egress can be a sign of a compromised system from which data is being exfiltrated by attackers.
- Compliance Violations: Unmonitored data transfer can violate data privacy regulations and standards, leading to legal and financial repercussions.
- Network Congestion: Large data transfers consume substantial bandwidth, impacting network performance and the availability of applications.
- Reputational Damage: Incidents of data leakage harm an organization's reputation, affecting customer trust and business operations.

Mitigation
Mitigation strategies for excessive data egress include:
- Threshold Tuning: Adjust the threshold values for data egress alerts based on the expected traffic and response sizes (large legitimate downloads such as archives or media will otherwise fire this alert) to balance sensitivity and specificity.
- Traffic Analysis: Analyze traffic patterns regularly to identify and authenticate legitimate data transfers while detecting and investigating anomalies.
- Security Policies: Implement strict security policies and controls on data access and transfer, ensuring only authorized transactions are allowed.
- Encryption and Masking: Use encryption and data masking to secure data in transit and at rest, reducing the impact of potential data breaches.

MITRE Tactic: TA0040
MITRE Technique: T1530

AWS WAF - Building Block - Traffic Allowed

Summary
This building block alert triggers whenever AWS WAF allows traffic. It is intended to be consumed by the following Flow Alert rather than actioned on its own: AWS WAF - Multiple Blocked Requests Followed by Allowed Request (By Source IP).

Impact
The implications when AWS WAF allows traffic after multiple blocks can be significant, including:
- Potential Security Threats: Traffic that is initially blocked due to suspicious activity but later allowed could pose a security risk if not adequately vetted.
- False Positives: The alert might signal false positives where legitimate user traffic is initially blocked but later allowed, possibly indicating overly strict security rules.
- Resource Utilization: Monitoring and processing these alerts can consume significant system resources, especially if the alert is frequently triggered.
- Operational Overhead: Frequent alerts can lead to operational overhead, requiring security teams to spend time investigating these incidents.
- Adjustment of Security Postures: Identifying patterns in these alerts can help refine WAF configurations and security postures, enhancing overall protection while reducing unnecessary blocks.

Mitigation
To effectively manage and mitigate the risks associated with this alert, consider the following strategies:
- Threshold and Parameter Tuning: Refine the alert's parameters, such as threshold values and source IP ranges, to reduce noise and focus on genuinely suspicious activities.
- Detailed Analysis: Conduct a thorough analysis of incidents where traffic is allowed following multiple blocks to determine if adjustments to WAF rules are needed.
- Rule Optimization: Continuously update and optimize WAF rules based on the analysis of allowed traffic post-blocks to balance security and accessibility.

MITRE Tactic: TA0040
MITRE Technique: T1078

AWS WAF - Suspicious IP Address Detected

Summary
This alert is triggered when the terminating rule in the AWS WAF logs is one that matches IP addresses with a suspicious reputation.

Impact
Traffic from suspicious IP addresses poses significant risks: DDoS attacks, data breaches, brute force attempts, malware distribution, spamming and resource depletion, all of which compromise the security and performance of organizational assets.

Mitigation
Review and validate all requests intercepted by AWS WAF from the flagged address. If the requests appear suspicious, investigate further by analyzing the source IP addresses, requested URLs and other traffic patterns, and check whether the same address also triggered other rules. Take appropriate action based on the findings. Keep in mind that reputation lists change over time, so re-check an address before making any long-lived block or allow decision based on it.

MITRE Tactic: TA0001
MITRE Technique: T1190

AWS CloudFront - Building Block - Data Transfer In Small Segments

Summary
This alert is designed to trigger whenever data transfers occur in fragmented segments. Specifically, it activates when multiple requests from a single IP address transfer data in chunks during a defined time interval. The configured threshold for this alert is data segments of 5MB or more, with more than 10 occurrences from the same IP address within a 10-minute period. These parameters can be adjusted to align with specific business requirements and risk profiles.

Impact
Fragmented data transfers in small segments from a single source can indicate data exfiltration. The impacts of such events can include:
- Data Exfiltration: Small, fragmented data transfers can be a tactic used by malicious actors to avoid detection while slowly siphoning sensitive information.
- System Compromise: This pattern of data transfer may also indicate that the system's security has been compromised, allowing the attacker to execute unauthorized data movements.
- Operational Disruption: Repeated small data requests can overload systems, potentially leading to slower response times and degraded service for legitimate users.
- Compliance Risks: Unauthorized data transfers, especially of sensitive or regulated data, can lead to compliance issues with data protection regulations, which might incur penalties or legal action.
- Reputation Damage: Security breaches involving data exfiltration can negatively impact an organization's reputation, leading to a loss of customer trust and potential business.

Mitigation
Strategies to mitigate the risks associated with fragmented data transfers include:
- Anomaly Detection: Enhance monitoring systems to detect anomalies in data transfer patterns, focusing on the size and frequency of transfers.
- Security Posture Adjustment: Review and adjust security policies and controls to better detect and respond to fragmented data transfers, potentially tightening restrictions on data movement.
- Forensic Analysis: Conduct forensic investigations to trace the origin and intent of fragmented transfers, identifying potential breaches or misuse of system resources.
- Threshold Reevaluation: Regularly review and modify the threshold settings for alerts based on evolving business needs and emerging threat patterns.
- User and Entity Behavior Analytics (UEBA): Implement UEBA solutions to identify unusual behavior patterns associated with specific users or IP addresses, enhancing overall security monitoring and response capabilities.

MITRE Tactic: TA0010
MITRE Technique: T1078

AWS CloudFront - Possible Account Takeover - Login Attempts From New Country

Summary
This alert is designed to activate upon detecting login attempts from a new geographical location. It flags any login attempt whose source IP address resolves to a country that has not previously been associated with the user's account. This is a key signal for identifying unauthorized access attempts, which may indicate account takeover or other malicious activity.

Impact
Login attempts from new geographical locations can have several significant impacts, including:
- Unauthorized Access: New login locations can be a strong indicator that compromised account credentials are being used by unauthorized individuals.
- Account Takeover: If attackers gain access, they can exploit the account for malicious purposes, such as stealing sensitive data, launching further attacks or committing fraud.
- Data Breach: Unauthorized access to user accounts can lead to unauthorized disclosure, alteration or destruction of sensitive information.
- Operational Disruption: Malicious activities resulting from compromised accounts can disrupt business operations and services.
- Legal and Compliance Issues: Failure to detect and respond to unauthorized access attempts may violate privacy laws and regulations, resulting in fines and legal challenges.
- Reputational Damage: Security breaches, especially those leading to data loss or service disruption, can negatively affect the organization's reputation and erode customer trust.

Mitigation
To mitigate the risks associated with login attempts from new geographical locations, consider the following strategies:
- Geolocation Analysis: Use geolocation tools to analyze and flag login attempts from locations that are unusual for the user. Bear in mind that VPN exit nodes, mobile carrier gateways and travel produce legitimate new-country logins, so treat this signal as a prompt for step-up verification rather than proof of compromise.
- Multi-Factor Authentication (MFA): Implement MFA as an additional layer for verifying the identity of users, especially when a login attempt is made from a new or suspicious location.
- User Education: Educate users about security practices such as using strong, unique passwords and recognizing phishing attempts.
- Behavioral Profiling: Build profiles of normal user behaviour and use them to refine this detection and spot deviations that may indicate unauthorized access.
- Regular Audits and Reviews: Conduct regular security audits and reviews to ensure that security measures remain effective and adapt to new threats.

MITRE Tactic: TA0001
MITRE Technique: T1078

Amazon CloudFront - High Bad Actor Score Detected for IP

Summary
This alarm activates when an IP address is detected with a high bad actor score, indicating malicious intent or previous involvement in security incidents. On detection, the alarm triggers an automated response through an API gateway that updates AWS WAF rules to block the identified IP address, preventing further potentially harmful interactions with system resources.

Impact
Potential security impact addressed by this alert and its related actions:
- Unauthorized Access Prevention: Detecting and blocking IPs with high bad actor scores prevents unauthorized access attempts, protecting sensitive data and resources.
- Mitigation of Malicious Activities: Blocking high-risk IPs reduces the likelihood of malicious activities such as data exfiltration, injection attacks and account takeovers.
- Protection Against Distributed Denial-of-Service (DDoS) Attacks: Identifying and blocking IPs involved in coordinated attacks helps mitigate the risk of DDoS attacks, maintaining service availability.
- Reduced Exposure to Automated Threats: Automated bots and scripts often use multiple IPs to launch attacks. Blocking high bad actor score IPs reduces exposure to these automated threats.
- Decreased Security Incident Frequency: Proactively blocking high-risk IPs decreases the frequency and severity of security incidents, leading to a more secure and stable environment.
- Compliance with Security Policies: Ensuring that high-risk IPs are blocked helps maintain compliance with organizational and regulatory security policies, reducing legal and compliance risks.
- Resource Protection: Prevents malicious entities from consuming bandwidth, computing power and other resources, preserving them for legitimate users and operations.

Mitigation
Potential mitigation measures include:
- Automated IP Blocking: (i) Upon detection of a high bad actor score, automatically update AWS WAF rules to block the identified IP address. (ii) Integrate with API Gateway to ensure real-time updates and enforcement of WAF rules.
- Enhanced Monitoring and Logging: (i) Enable detailed logging for all requests from flagged IP addresses to gather additional context and support further investigation. (ii) Use Amazon CloudWatch and AWS CloudTrail to monitor and log security events for comprehensive visibility.
- Rate Limiting: (i) Implement rate limiting rules to control the number of requests from any single IP address, reducing the impact of automated attacks. (ii) Use AWS WAF rate-based rules to dynamically adjust thresholds based on observed traffic patterns.
- Threat Intelligence Integration: (i) Leverage Amazon GuardDuty findings to enhance the detection of malicious IPs and correlate with other security data.
- Periodic Review and Tuning: (i) Regularly review the thresholds and rules for detecting high bad actor scores to ensure they remain effective and relevant. (ii) Adjust parameters
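One way to implement the automated IP-blocking step described above, as an added example rather than Coralogix's or AWS's code. It assumes a Lambda function behind API Gateway receives the IP address and its bad-actor score and knows the name and ID of a block-list IP set that a WAF rule references. The FakeWafv2Client stands in for boto3.client("wafv2") so the block runs offline; the IP set name and ID, the sample addresses and the score threshold are placeholders. It also handles three things the page does not spell out: CIDR normalization (WAF IP sets only accept CIDR notation), the read-modify-write with LockToken that update_ip_set requires, and not re-adding addresses an existing range already covers.

```python
import ipaddress


class WAFOptimisticLockException(Exception):
    """Stand-in for botocore's client.exceptions.WAFOptimisticLockException."""


class FakeWafv2Client:
    """Constructed in-memory stand-in for boto3.client("wafv2"). It implements only the
    two calls used below, including the LockToken check the real service performs."""

    def __init__(self, addresses, version="IPV4"):
        self.addresses, self.version = list(addresses), version
        self.lock_token, self.updates = "lock-0", 0

    def get_ip_set(self, Name, Scope, Id):
        return {"IPSet": {"Name": Name, "Id": Id, "IPAddressVersion": self.version,
                          "Addresses": list(self.addresses)},
                "LockToken": self.lock_token}

    def update_ip_set(self, Name, Scope, Id, Addresses, LockToken):
        if LockToken != self.lock_token:
            raise WAFOptimisticLockException("stale LockToken")
        self.addresses, self.updates = list(Addresses), self.updates + 1
        self.lock_token = f"lock-{self.updates}"
        return {"NextLockToken": self.lock_token}


def to_cidr(ip):
    """WAF IP sets only accept CIDR notation: a bare address becomes /32 (IPv4) or /128 (IPv6)."""
    return ipaddress.ip_network(ip, strict=False)


def block_ip(client, name, scope, ip_set_id, ip, score, threshold=80, max_entries=10_000, retries=3):
    """Add `ip` to the block-list IP set once its bad-actor score reaches `threshold`.
    Returns True when the set was changed, False when nothing needed doing.
    update_ip_set replaces the whole address list, so this is a read-modify-write guarded
    by LockToken; a concurrent writer makes the call fail and we re-read and retry."""
    if score < threshold:
        return False
    target = to_cidr(ip)
    for _ in range(retries):
        resp = client.get_ip_set(Name=name, Scope=scope, Id=ip_set_id)
        ipset = resp["IPSet"]
        if ipset["IPAddressVersion"] != f"IPV{target.version}":   # IP sets are single-version
            raise ValueError(f"{ip} does not match the {ipset['IPAddressVersion']} IP set")
        current = [ipaddress.ip_network(a) for a in ipset["Addresses"]]
        if any(target.subnet_of(n) for n in current):
            return False   # already blocked, possibly by a wider range: no churn
        if len(current) >= max_entries:   # service enforces a per-IP-set address quota
            raise RuntimeError("IP set is at its address quota; evict entries or use another set")
        try:
            client.update_ip_set(Name=name, Scope=scope, Id=ip_set_id,
                                 Addresses=[str(n) for n in current] + [str(target)],
                                 LockToken=resp["LockToken"])
            return True
        except Exception as exc:   # boto3 raises client.exceptions.WAFOptimisticLockException
            if type(exc).__name__ != "WAFOptimisticLockException":
                raise
    raise RuntimeError("gave up after repeated optimistic-lock conflicts")


if __name__ == "__main__":
    # Constructed calls a Lambda behind API Gateway would make. In production use
    # client = boto3.client("wafv2", region_name="us-east-1"); CLOUDFRONT-scoped IP sets
    # are managed in us-east-1, and the set name/ID would come from the environment.
    client = FakeWafv2Client(["203.0.113.0/24"])
    for ip, score in [("198.51.100.7", 95), ("203.0.113.9", 99), ("192.0.2.1", 40)]:
        changed = block_ip(client, "bad-actors", "CLOUDFRONT", "0000-example", ip, score)
        print(f"{ip} score={score}: {'added' if changed else 'no change'}")
    print("IP set now:", client.addresses)
```

The score threshold and the retry count are tuning knobs; the version check matters because an IPv6 address pushed into an IPV4 set is rejected by the service, and with an automated responder that rejection would otherwise go unnoticed.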

AWS WAF - Sequential Blocked and Allowed Requests by Source IP

Summary
This alert is triggered when multiple requests from a single source IP are initially blocked by AWS WAF rules and are followed by a successful connection or a significant data transfer from the same source IP through CloudFront. This pattern may indicate persistent attempts to bypass security controls, possibly signaling a probing attack or an attempt to exploit a vulnerability after several blocked attempts. The eventual successful connection or large data transfer warrants immediate investigation to ensure it does not represent a breach or a new attack vector.

Impact
Potential impact of Sequential Blocked and Allowed Requests includes:
- Persistent Threat Activity: Multiple blocked requests followed by an allowed request could indicate a persistent attacker probing for vulnerabilities in the security configuration.
- Insider Threat: The eventual allowance of a previously blocked IP might point to interference by an insider manipulating AWS WAF settings to bypass normal security controls.
- Configuration Error: Alternatively, this pattern could indicate a misconfiguration in AWS WAF rules, leading to inconsistent blocking and allowing of requests and exposing the system to unanticipated risks.

Mitigation
Mitigation steps for the Sequential Blocked and Allowed Requests alert include:
- Request Validation: Carefully review all requests intercepted by AWS WAF that originate from the flagged source IP, looking for signs of malicious intent or anomalies.
- In-depth Investigation: If the requests appear suspicious, analyze the source IPs and requested URLs in detail. Check for patterns or behaviors typically associated with malicious activity, such as probing or data exfiltration attempts.
- Rule Review: Verify whether other AWS WAF rules were triggered by the same source IP around the time of the incidents. This could indicate a targeted attack and provide insight into the attacker's methods.
- Log Correlation: Correlate AWS WAF logs with logs from other sources, such as Amazon CloudFront, to detect anomalous data transfers and determine whether the allowed connections resulted in data leakage or other security breaches.
- Configuration Audit: Regularly audit the configuration of AWS WAF rules to ensure they are up to date and accurately reflect the desired security posture. Adjust settings as necessary to prevent misconfigurations that could lead to security lapses.

MITRE Tactic: TA0005
MITRE Technique: T1562
MITRE Sub-Technique: 006
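The WAF-side alerts above (the ATP terminating rule, the suspicious IP reputation rule, the Traffic Allowed building block and the blocked-then-allowed sequence by source IP) all reduce to a few checks over AWS WAF log records. The Python below is an added example, not Coralogix's alert definition or AWS code: it parses newline-delimited WAF log JSON and implements those checks. The records, the web ACL ARN, the rule names inside the managed groups and the label strings are constructed for the example; the timestamp, action, ruleGroupList, labels and httpRequest fields follow the AWS WAF logging format. It matches managed groups on ruleGroupList[].ruleGroupId rather than on terminatingRuleId, because the latter carries whatever name the web ACL author gave the rule.

```python
import json
from collections import defaultdict, deque

ATP_GROUP = "AWSManagedRulesATPRuleSet"
IP_REPUTATION_GROUP = "AWSManagedRulesAmazonIpReputationList"


def _record(ts_ms, client_ip, action, uri, group=None, rule=None, labels=()):
    """Build one constructed WAF log record (formatVersion 1 layout, trimmed to the
    fields used here). The web ACL ARN and in-group rule names are placeholders."""
    rec = {
        "timestamp": ts_ms,   # epoch milliseconds, as in real WAF logs
        "formatVersion": 1,
        "webaclId": "arn:aws:wafv2:us-east-1:123456789012:global/webacl/example/0000",
        "terminatingRuleId": "Default_Action" if group is None else f"AWS-{group}",
        "terminatingRuleType": "REGULAR" if group is None else "MANAGED_RULE_GROUP",
        "action": action,
        "ruleGroupList": [],
        "labels": [{"name": name} for name in labels],
        "httpRequest": {"clientIp": client_ip, "country": "NL", "uri": uri, "httpMethod": "POST"},
    }
    if group is not None:
        rec["ruleGroupList"].append({"ruleGroupId": f"AWS#{group}#",
                                     "terminatingRule": {"ruleId": rule, "action": action}})
    return rec


_T0 = 1_700_000_000_000
SAMPLE_LOG_LINES = [json.dumps(r) for r in (
    _record(_T0, "198.51.100.7", "BLOCK", "/login", ATP_GROUP, "VolumetricIpHigh",
            ["awswaf:managed:aws:atp:aggregate:volumetric:ip:high"]),
    _record(_T0 + 30_000, "198.51.100.7", "BLOCK", "/login", IP_REPUTATION_GROUP,
            "AWSManagedIPReputationList", ["awswaf:managed:aws:amazon-ip-list:AWSManagedIPReputationList"]),
    _record(_T0 + 60_000, "198.51.100.7", "BLOCK", "/login", "AWSManagedRulesCommonRuleSet",
            "GenericRFI_BODY", ["awswaf:managed:aws:core-rule-set:GenericRFI_Body"]),
    _record(_T0 + 90_000, "198.51.100.7", "ALLOW", "/api/export"),     # allowed after 3 blocks
    _record(_T0 + 100_000, "203.0.113.5", "ALLOW", "/"),               # unrelated client
    _record(_T0 + 2_000_000, "198.51.100.7", "ALLOW", "/api/export"),  # later, no fresh blocks
)]


def parse_waf_log(lines):
    """WAF logs are delivered as one JSON object per line."""
    return [json.loads(line) for line in lines if line.strip()]


def managed_group_termination(record, group_name):
    """Return the rule inside managed group `group_name` that terminated the request, else None."""
    for grp in record.get("ruleGroupList", []):
        if group_name in grp.get("ruleGroupId", "") and grp.get("terminatingRule"):
            return grp["terminatingRule"].get("ruleId")
    return None


def managed_group_terminations(records, group_name, label_prefix):
    hits = []
    for r in records:
        rule = managed_group_termination(r, group_name)
        if rule:
            req = r["httpRequest"]
            hits.append({"clientIp": req["clientIp"], "uri": req["uri"], "rule": rule, "action": r["action"],
                         "labels": sorted(l["name"] for l in r.get("labels", [])
                                          if l["name"].startswith(label_prefix))})
    return hits


def atp_terminations(records):
    return managed_group_terminations(records, ATP_GROUP, "awswaf:managed:aws:atp:")


def reputation_terminations(records):
    return managed_group_terminations(records, IP_REPUTATION_GROUP, "awswaf:managed:aws:amazon-ip-list:")


def blocked_then_allowed(records, min_blocks=3, window_ms=600_000):
    """Per source IP: an ALLOW preceded by at least min_blocks BLOCKs inside window_ms.
    COUNT/CAPTCHA/CHALLENGE actions are neither blocks nor allows here and are ignored."""
    recent_blocks, findings = defaultdict(deque), []
    for r in sorted(records, key=lambda x: x["timestamp"]):
        ip, ts = r["httpRequest"]["clientIp"], r["timestamp"]
        q = recent_blocks[ip]
        while q and ts - q[0] > window_ms:
            q.popleft()
        if r["action"] == "BLOCK":
            q.append(ts)
        elif r["action"] == "ALLOW" and len(q) >= min_blocks:
            findings.append({"clientIp": ip, "blocks_before_allow": len(q),
                             "allowed_uri": r["httpRequest"]["uri"], "at": ts})
            q.clear()   # one finding per burst, not one per subsequent allow
    return findings


RECORDS = parse_waf_log(SAMPLE_LOG_LINES)

if __name__ == "__main__":
    print("ATP terminations:", atp_terminations(RECORDS))
    print("IP reputation terminations:", reputation_terminations(RECORDS))
    print("blocked then allowed:", blocked_then_allowed(RECORDS))
```

The sequence check deliberately fires once per burst and then resets, which is the behaviour you want when feeding a flow alert; the window and block count are the thresholds the Traffic Allowed building block's tuning guidance refers to.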

AWS CloudFront & WAF - Possible Data Exfiltration

Summary
This alert is activated when an unusually high amount of data is transferred out of the network to a potentially malicious source IP that was not blocked by AWS WAF rules. The combination of a potentially malicious source IP and a subsequent large-scale data transfer raises concerns of data exfiltration. This scenario indicates that the source IP may be exploiting a vulnerability or an oversight in the WAF configuration to extract significant amounts of data, potentially compromising sensitive information.

Impact
Potential impact of possible data exfiltration includes:
- Persistent Malicious Activity: The activity may indicate persistent attempts by a potentially malicious external actor who has not been successfully blocked by AWS WAF, suggesting the capability to keep attempting data exfiltration.
- Insider Threat: An insider may have intentionally altered AWS WAF configurations, for example by allow-listing certain IP addresses, so that data can be exfiltrated without triggering security mechanisms.
- Configuration Errors: Alternatively, the incident could stem from a misconfiguration in the AWS WAF settings that failed to block or flag traffic from known suspicious sources, allowing the exfiltration of data.

Mitigation
Mitigation steps for the possible data exfiltration alert include:
- Request Validation: Rigorously inspect all requests intercepted by AWS WAF, paying special attention to those from previously identified suspicious IPs. Evaluate the legitimacy of these requests by analyzing their URLs, URIs and other request parameters.
- In-Depth Investigation: Conduct detailed investigations of suspicious requests. Analyze source IP addresses and assess the content and context of the requested URLs and URIs. Determine whether these requests could lead to data loss or other security threats.
- Rule Correlation: Review whether multiple AWS WAF rules were triggered simultaneously, which could indicate a coordinated attack or a more sophisticated threat vector.
- Log Correlation: Correlate AWS WAF logs with other AWS service logs, such as Amazon CloudFront, to track data movement and identify abnormal transfer patterns. This helps pinpoint potential data exfiltration incidents.
- Review and Update WAF Rules: Continually update and fine-tune AWS WAF rules based on the latest threat intelligence and the patterns observed in recent incidents, ensuring they effectively address the risk of data exfiltration.

MITRE Tactic: TA0005
MITRE Technique: T1562
MITRE Sub-Technique: 006

AWS CloudFront - Building Block - Data Egress Higher Than 5MB for content type=txt or Text

Summary
This alert is triggered when the response body size for requests with a txt or text content type exceeds a preset threshold. This condition may indicate a data exfiltration attempt, where malware or a malicious actor is transferring data out of the origin without authorization. The alert is part of the CloudFront extension pack and targets anomalies in data transfer sizes for text formats, whose responses are typically small and therefore less scrutinized.

Impact
Potential impacts of failing to monitor unusually large text-based data transfers include:
- Data Exfiltration: Malicious extraction of significant volumes of text data, potentially exposing sensitive or proprietary information.
- Security Breach: Large, atypical transfers of text data can indicate that the system has been compromised and an attacker is actively siphoning data.
- Compliance Violations: Unregulated transfers of sensitive data can breach compliance requirements, resulting in legal issues and penalties.
- Network Strain: Excessive data transfers, even text-based ones, can burden network resources and affect overall system performance and reliability.
- Reputational Risk: Data leaks through overlooked vectors such as text responses can damage organizational reputation and erode stakeholder trust.

Mitigation
Effective strategies to mitigate the risk of text-based data exfiltration include:
- Threshold Adjustments: Fine-tune the alert threshold for text content types based on typical usage and historical data (large legitimate text responses such as CSV exports or log downloads should be baselined rather than alerted on).
- Content Analysis: Use content analysis tooling to scrutinize the nature and necessity of outgoing text data and verify its legitimacy.
- Enhanced Monitoring: Increase monitoring of text responses, particularly on paths known to serve sensitive information.
- Security Enhancements: Strengthen data security policies, including encryption and data masking, specifically for text data, which is often less heavily guarded.

MITRE Tactic: TA0040
MITRE Technique: T1530

AWS CloudFront - Building Block - Data Exfil - Data Egress Higher Than Usual For Domain & Path

Summary
This alert is triggered when data egress is higher than usual for a specific domain and path, potentially indicating data exfiltration. This scenario typically suggests an unauthorized or suspicious data transfer, which may indicate a data breach or unexpected application behavior. Monitoring and controlling abnormal data egress is crucial to prevent data loss and identify potential security threats.

Impact
The potential impacts of not monitoring higher-than-usual data egress for specific domains and paths include:
- Data Loss: Significant amounts of sensitive or proprietary data may be extracted without authorization.
- Security Breach: Higher-than-usual data egress can be a sign of a compromised system from which data is being exfiltrated by attackers.
- Compliance Violations: Unmonitored data transfers can violate data privacy regulations and standards, leading to legal and financial repercussions.
- Network Congestion: Abnormal data transfers consume substantial bandwidth, impacting network performance and the availability of applications.
- Reputational Damage: Incidents of data leakage harm an organization's reputation, affecting customer trust and business operations.

Mitigation
Mitigation strategies for excessive data egress for specific domains and paths include:
- Threshold Tuning: Adjust the threshold values for data egress alerts based on the expected traffic and response sizes for each domain and path to optimize alert sensitivity and specificity.
- Traffic Analysis: Regularly analyze traffic patterns per domain and path to identify and authenticate legitimate data transfers while detecting and investigating anomalies.
- Security Policies: Implement strict security policies and controls on data access and transfer, ensuring only authorized transactions are allowed for each domain and path.
- Encryption and Masking: Use encryption and data masking to secure data in transit and at rest, reducing the impact of potential data breaches.
- Incident Response Plan: Develop and maintain an incident response plan to swiftly address and mitigate the effects of abnormal data egress for specific domains and paths.

MITRE Tactic: TA0010
MITRE Technique: T1020
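The CloudFront building blocks above (egress over 100MB not served from the cache, egress over 5MB for text content types, many large segments from one IP within a 10-minute window, and egress above the usual level per domain and path) can all be expressed over CloudFront standard access logs. The Python below is an added example, not Coralogix's or AWS's code: it parses the standard (W3C-style) log format by reading its #Fields header and implements the four checks, using x-edge-result-type to tell cached from origin-served responses. The log lines, distribution domain, client IPs, paths and baseline figures are constructed for the example; thresholds are the ones stated on this page.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

MiB = 2 ** 20
HOST = "d111111abcdef8.cloudfront.net"   # placeholder distribution domain, constructed

# Field names of CloudFront standard (access) logs, in their documented order.
FIELDS = ("date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status "
          "cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type x-edge-request-id "
          "x-host-header cs-protocol cs-bytes time-taken x-forwarded-for ssl-protocol ssl-cipher "
          "x-edge-response-result-type cs-protocol-version fle-status fle-encrypted-fields c-port "
          "time-to-first-byte x-edge-detailed-result-type sc-content-type sc-content-len "
          "sc-range-start sc-range-end").split()

def _line(time, sc_bytes, c_ip, uri, result, ctype):
    """One constructed log line (not real traffic); fields not used here are '-'."""
    row = dict.fromkeys(FIELDS, "-")
    row.update({"date": "2024-05-01", "time": time, "x-edge-location": "LHR62-C1",
                "sc-bytes": str(sc_bytes), "c-ip": c_ip, "cs-method": "GET", "cs(Host)": HOST,
                "cs-uri-stem": uri, "sc-status": "200", "x-edge-result-type": result,
                "sc-content-type": ctype})
    return "\t".join(row[f] for f in FIELDS)

SAMPLE_LOG = "\n".join(
    ["#Version: 1.0", "#Fields: " + " ".join(FIELDS),
     _line("12:00:01", 150 * MiB, "198.51.100.7", "/export/all.zip", "Miss", "application/zip"),
     _line("12:00:02", 150 * MiB, "203.0.113.9", "/video/big.mp4", "Hit", "video/mp4"),
     _line("12:00:03", 8 * MiB, "198.51.100.7", "/api/dump.txt", "Miss", "text/plain")]
    # eleven 6 MiB responses to one client inside 100 seconds
    + [_line(f"12:0{i // 6}:{i % 6 * 10:02d}", 6 * MiB, "198.51.100.7", f"/api/page/{i}",
             "Miss", "application/json") for i in range(11)])

def parse_standard_log(text):
    """Key each row by the #Fields header rather than by column position, so the parser
    keeps working when AWS appends fields to the format."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split("\t")))
            row["sc-bytes"] = int(row["sc-bytes"])
            row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S"
                                          ).replace(tzinfo=timezone.utc).timestamp()
            rows.append(row)
    return rows

def egress_over(rows, threshold_bytes, content_type_prefix=None, uncached_only=True):
    """Single responses above threshold_bytes. Hit/RefreshHit were served from the edge
    cache; any other x-edge-result-type (Miss, Error, LimitExceeded, ...) reached the origin."""
    hits = []
    for r in rows:
        if r["sc-bytes"] <= threshold_bytes:
            continue
        if uncached_only and r["x-edge-result-type"] in ("Hit", "RefreshHit"):
            continue
        if content_type_prefix and not r["sc-content-type"].startswith(content_type_prefix):
            continue
        hits.append((r["c-ip"], r["cs-uri-stem"], r["sc-bytes"], r["x-edge-result-type"]))
    return hits

def segment_bursts(rows, segment_min_bytes=5 * MiB, min_count=10, window_s=600):
    """Per client IP, the most responses of at least segment_min_bytes inside any
    window_s-second window; IPs exceeding min_count are returned with that peak."""
    peak, recent = defaultdict(int), defaultdict(deque)
    for r in sorted(rows, key=lambda x: x["ts"]):
        if r["sc-bytes"] < segment_min_bytes:
            continue
        q = recent[r["c-ip"]]
        q.append(r["ts"])
        while r["ts"] - q[0] > window_s:
            q.popleft()
        peak[r["c-ip"]] = max(peak[r["c-ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n > min_count}

def bytes_by_domain_path(rows):
    totals = defaultdict(int)
    for r in rows:
        totals[(r["cs(Host)"], r["cs-uri-stem"])] += r["sc-bytes"]
    return dict(totals)

def above_baseline(current, baseline, factor=3.0):
    """(host, path) pairs whose egress exceeds factor times their baseline; pairs with no
    baseline at all are returned separately instead of being silently ignored."""
    flagged = sorted(k for k, v in current.items() if k in baseline and v > factor * baseline[k])
    unseen = sorted(k for k in current if k not in baseline)
    return flagged, unseen

ROWS = parse_standard_log(SAMPLE_LOG)
# Constructed per-(host, path) egress from an earlier comparison window, in bytes.
BASELINE = {(HOST, "/export/all.zip"): 10 * MiB, (HOST, "/video/big.mp4"): 200 * MiB,
            (HOST, "/api/dump.txt"): 1 * MiB}

if __name__ == "__main__":
    print("uncached > 100MiB:", egress_over(ROWS, 100 * MiB))
    print("text > 5MiB:", egress_over(ROWS, 5 * MiB, content_type_prefix="text/", uncached_only=False))
    print("segment bursts:", segment_bursts(ROWS))
    print("above baseline / unseen paths:", above_baseline(bytes_by_domain_path(ROWS), BASELINE))
```

Two points worth noting when moving this to production data: sc-bytes counts the whole response including headers, and a path that has never been seen before has no baseline, which is why above_baseline reports such paths separately rather than treating their baseline as zero and alerting on every byte.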

AWS CloudFront - Building Block - Higher Than Usual Suspected Traffic

Summary
This alert is triggered when the volume of suspected traffic exceeds the usual baseline. This scenario typically indicates an unusual surge in potentially malicious or unauthorized activity, which may suggest a security threat such as a DDoS attack or abnormal application behavior. Monitoring and controlling suspected traffic is crucial to identify potential security threats and maintain network integrity.

Impact
The potential impacts of not monitoring higher-than-usual suspected traffic include:
- Service Disruption: An abnormal increase in suspected traffic can overwhelm network resources, leading to service outages or degraded performance.
- Security Breach: Elevated levels of suspected traffic could indicate malicious activity such as a DDoS attack or an intrusion attempt.
- Resource Exhaustion: Unchecked traffic spikes consume significant network and computational resources, affecting the performance and availability of applications.
- Compliance Violations: Failing to monitor and control suspected traffic can violate security policies and standards, leading to legal and financial repercussions.
- Reputational Damage: Incidents of unmitigated malicious traffic harm an organization's reputation, affecting customer trust and business operations.

Mitigation
Mitigation strategies for higher-than-usual suspected traffic include:
- Baseline Adjustment: Regularly update and adjust baseline traffic levels to reflect normal operational patterns and improve alert accuracy.
- Anomaly Detection: Implement anomaly detection systems to identify and respond to unusual traffic patterns in real time.
- Rate Limiting: Apply rate limiting to control the flow of traffic and prevent resource exhaustion during traffic spikes.
- Network Segmentation: Use network segmentation to isolate critical systems and minimize the impact of suspected traffic on essential services.

MITRE Tactic: TA0043
MITRE Technique: T1498

AWS CloudFront - Building Block - Misses Cache

Summary
This alert activates upon detecting a cache miss event within AWS CloudFront. A cache miss occurs when requested content is not available in the CloudFront cache and must therefore be retrieved from the origin server. Monitoring cache miss rates is crucial for optimizing content delivery and understanding traffic patterns, which helps identify inefficiencies or potential security issues related to content access and delivery.

Impact
Cache misses in AWS CloudFront can have several significant impacts:
- Increased Latency: Cache misses result in longer content delivery times because requests have to reach the origin server.
- Higher Load on Origin Servers: Frequent cache misses increase the load on the origin servers, potentially leading to performance bottlenecks.
- Increased Operational Costs: Data transfer and compute costs rise as more requests are processed by the origin server instead of being served from the cache.
- Degraded User Experience: The additional latency and potential for increased error rates negatively affect the end-user experience.
- Security Risks: An unusually high rate of cache misses could indicate a DDoS attack that aims to overwhelm the origin server by bypassing the cache, for example by varying query strings so that each request is a miss.

Mitigation
To mitigate the risks associated with high cache miss rates in AWS CloudFront, consider the following strategies:
- Cache Optimization: Review and optimize caching strategies by adjusting cache lifetimes and ensuring that content likely to be requested multiple times is cacheable.
- Content Delivery Network Adjustments: Modify CloudFront behaviors to make more effective use of the CDN, including tuning the geographic distribution settings.
- Origin Shield: Use CloudFront's Origin Shield to add an additional caching layer that helps protect the origin.
- Load Balancers: Implement load balancing at the origin to manage increased traffic efficiently and ensure high availability and fault tolerance.
- Monitoring and Alerts: Enhance monitoring of cache activity and set up alerts for unusual patterns of cache misses that could indicate security threats or configuration issues.
- Scalability Improvements: Ensure that the origin infrastructure can scale to handle high loads during frequent cache misses and peak traffic times.

MITRE Tactic: TA0040
MITRE Technique: T1499

AWS CloudFront & WAF - Data Exfiltration - Traffic Spike and Anomalous Egress Increase

Summary
This flow alarm monitors for unusually high volumes of requests originating from suspicious IP addresses. It serves as an early warning, identifying distributed attack patterns or coordinated attempts to breach or overwhelm system resources. The alarm assesses traffic patterns in real time, comparing them against predefined thresholds to determine whether the activity deviates from expected norms.

Impact
High request volumes from suspicious IPs can indicate several security threats, including:
- Distributed Denial of Service (DDoS) Attacks: Large volumes of requests can be part of a DDoS attack aiming to make the service unavailable to legitimate users by overwhelming it.
- Brute Force Attacks: High request rates may indicate brute force attempts, where attackers try numerous combinations to guess login credentials.
- Credential Stuffing: Similar to brute force, but using known credential pairs to gain unauthorized access.
- Scan and Exploit Activities: Automated tools may be scanning for vulnerabilities to exploit, indicated by a surge in requests from suspicious sources.
- Reputation Damage and Compliance Risks: Successful attacks can lead to data breaches, operational disruptions and compliance violations, damaging the organization's reputation and incurring financial penalties.

Mitigation
Effective mitigation strategies for high volumes of suspicious requests include:
- Enhanced Filtering: Implement IP filtering and rate limiting to prevent suspicious IPs from making excessive requests.
- Threat Intelligence Integration: Use real-time threat intelligence feeds to maintain a list of known suspicious IPs, dynamically blocking or flagging traffic from these sources.
- Anomaly Detection Systems: Deploy systems that use machine learning and statistical analysis to detect and alert on anomalous traffic patterns.
- Security Posture Adjustment: Regularly review and adjust security settings and thresholds based on the latest traffic analysis and threat landscape.
- Incident Response Protocols: Develop and maintain robust incident response plans to quickly address potential security breaches, minimizing impact and restoring normal operations.

MITRE Tactic: TA0040
MITRE Technique: T1498

Integration

Learn more about Coralogix's out-of-the-box integration with AWS Edge Insights in our documentation.
