Usage:
runreveal logs --name access-denied
The access-denied query searches your CloudTrail logs for instances where a user or role was blocked from performing an action by their permissions.
A sudden increase or change in the results of this query is notable and can indicate a compromised account, or someone who may be struggling with IAM.
Usage:
runreveal logs --name access-key-usage
The access-key-usage query gives an overview of access key usage over the past 15 minutes, broken down by IAM user.
This query shows which users are making which API calls, and how many of them. A sudden increase in the volume of calls, or a sudden change in eventNames, might indicate a compromised account or misuse of an AWS key.
Usage:
runreveal logs --name aws-key-timeline --param key=AKIAZZZZZZ --param since=24
This query takes two parameters:
key - specifies the AWS access key for which to generate a timeline.
since - specifies how many hours into the past the timeline should cover.
This query is very useful for quickly seeing exactly what an AWS key has been used for over a specific period of time.
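The three queries above (access-denied, access-key-usage and aws-key-timeline) all reduce to grouping CloudTrail records by identity or access key and comparing a recent window against history. The example below is added here as an illustration and is not RunReveal's own query code: it reads standard CloudTrail fields (eventTime, eventName, errorCode, userIdentity.userName, userIdentity.accessKeyId) from constructed records, counts denied calls per identity, summarises per-key usage, flags identities whose denials in the latest 15-minute window exceed their recent average, and builds a per-key timeline. The records, key IDs, thresholds and function names are all assumptions.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail-style records (a handful of fields only), not real log data.
# CloudTrail only emits errorCode when the call failed, so success records omit it.
SAMPLE_LINES = [
    '{"eventTime":"2024-05-01T11:30:00Z","eventName":"ListBuckets","userIdentity":{"type":"IAMUser","userName":"bob","accessKeyId":"AKIAEXAMPLEBOB"}}',
    '{"eventTime":"2024-05-01T12:01:00Z","eventName":"ListBuckets","userIdentity":{"type":"IAMUser","userName":"alice","accessKeyId":"AKIAEXAMPLEALICE"}}',
    '{"eventTime":"2024-05-01T12:02:00Z","eventName":"GetObject","userIdentity":{"type":"IAMUser","userName":"alice","accessKeyId":"AKIAEXAMPLEALICE"}}',
    '{"eventTime":"2024-05-01T12:03:00Z","eventName":"GetSecretValue","userIdentity":{"type":"IAMUser","userName":"bob","accessKeyId":"AKIAEXAMPLEBOB"},"errorCode":"AccessDenied"}',
    '{"eventTime":"2024-05-01T12:04:00Z","eventName":"ListSecrets","userIdentity":{"type":"IAMUser","userName":"bob","accessKeyId":"AKIAEXAMPLEBOB"},"errorCode":"AccessDenied"}',
    '{"eventTime":"2024-05-01T12:05:00Z","eventName":"DescribeInstances","userIdentity":{"type":"IAMUser","userName":"bob","accessKeyId":"AKIAEXAMPLEBOB"},"errorCode":"Client.UnauthorizedOperation"}',
]


def parse_events(lines):
    """Parse newline-delimited CloudTrail JSON into dicts with a tz-aware eventTime."""
    events = []
    for line in lines:
        rec = json.loads(line)
        rec["eventTime"] = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return events


def identity_of(rec):
    """Best available name for the caller: IAM user name, else ARN, else identity type."""
    ident = rec.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def in_window(events, end, minutes):
    """Events with end - minutes < eventTime <= end."""
    start = end - timedelta(minutes=minutes)
    return [e for e in events if start < e["eventTime"] <= end]


def is_denied(rec):
    """IAM rejected the call (S3/IAM style 'AccessDenied' or EC2 style 'Client.UnauthorizedOperation')."""
    code = rec.get("errorCode") or ""
    return "AccessDenied" in code or "UnauthorizedOperation" in code


def access_denied_counts(events):
    """(identity, eventName) -> number of calls blocked by permissions (the access-denied view)."""
    return Counter((identity_of(e), e["eventName"]) for e in events if is_denied(e))


def key_usage(events):
    """accessKeyId -> Counter of eventName for every call made with that key (the access-key-usage view)."""
    usage = defaultdict(Counter)
    for e in events:
        key = (e.get("userIdentity") or {}).get("accessKeyId")
        if key:
            usage[key][e["eventName"]] += 1
    return usage


def denied_spikes(events, now, window_minutes=15, baseline_windows=4, factor=2.0):
    """Identities whose denials in the latest window exceed `factor` times their average
    per window over the preceding `baseline_windows` windows (baseline floored at 1 so a
    single stray denial is not a 'spike'). Thresholds are assumptions, tune to your account."""
    current = Counter(identity_of(e) for e in in_window(events, now, window_minutes) if is_denied(e))
    baseline = Counter()
    for i in range(1, baseline_windows + 1):
        end = now - timedelta(minutes=window_minutes * i)
        baseline.update(identity_of(e) for e in in_window(events, end, window_minutes) if is_denied(e))
    spikes = {}
    for ident, n in current.items():
        avg = baseline[ident] / baseline_windows
        if n > factor * max(avg, 1.0):
            spikes[ident] = n
    return spikes


def key_timeline(events, key, since_hours, now):
    """Chronological (eventTime, eventName, outcome) rows for one access key over the last
    `since_hours` hours (the aws-key-timeline view)."""
    start = now - timedelta(hours=since_hours)
    rows = [(e["eventTime"], e["eventName"], e.get("errorCode") or "Success")
            for e in events
            if (e.get("userIdentity") or {}).get("accessKeyId") == key and start <= e["eventTime"] <= now]
    return sorted(rows)


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 15, tzinfo=timezone.utc)
    events = parse_events(SAMPLE_LINES)
    print("denied:", access_denied_counts(in_window(events, now, 15)))
    print("usage:", dict(key_usage(in_window(events, now, 15))))
    print("spikes:", denied_spikes(events, now))
    for row in key_timeline(events, "AKIAEXAMPLEBOB", 24, now):
        print(*row)
```

The spike check deliberately compares an identity against its own history rather than a global threshold: a deployment role that is always denied a handful of calls looks very different from a user who has never been denied anything and suddenly is.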
Usage:
runreveal logs --name failed-login-attempts
Quickly see a list of failed logins, and the IP, AS number, and country the attempt originated from. This is useful for quickly identifying attempted unauthorized access to your AWS account.
Usage:
runreveal logs --name global-security-group
This query will show you security groups that were updated in the past 15 minutes with a CIDR ingress rule of 0.0.0.0/0.
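One way to implement this check outside RunReveal, added here as an illustration rather than the project's own query: walk AuthorizeSecurityGroupIngress records from the last 15 minutes and report every ingress rule whose source range is the entire IPv4 or IPv6 address space. The requestParameters layout (ipPermissions.items[].ipRanges.items[].cidrIp and ipv6Ranges.items[].cidrIpv6) is the EC2 API shape CloudTrail records for this call; the records, group IDs and account number are constructed. The check goes slightly beyond the query text by also catching ::/0 and by skipping calls that failed with an errorCode, since a denied authorization changed nothing.

```python
import ipaddress
import json
from datetime import datetime, timedelta, timezone


# --- constructed sample data (not real CloudTrail output) ---------------------------
def _record(event_name, when, group_id, perms, error=None):
    """Build one CloudTrail-style JSON line for a security group ingress call."""
    rec = {
        "eventTime": when,
        "eventName": event_name,
        "eventSource": "ec2.amazonaws.com",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"groupId": group_id, "ipPermissions": {"items": perms}},
    }
    if error:
        rec["errorCode"] = error  # CloudTrail only sets errorCode on failed calls
    return json.dumps(rec)


def _perm(proto, port, v4=(), v6=()):
    """One ipPermissions entry in the shape CloudTrail records for the EC2 API."""
    return {"ipProtocol": proto, "fromPort": port, "toPort": port,
            "ipRanges": {"items": [{"cidrIp": c} for c in v4]},
            "ipv6Ranges": {"items": [{"cidrIpv6": c} for c in v6]}}


SAMPLE_LINES = [
    _record("AuthorizeSecurityGroupIngress", "2024-05-01T12:01:00Z", "sg-0123example", [_perm("tcp", 22, v4=["0.0.0.0/0"])]),
    _record("AuthorizeSecurityGroupIngress", "2024-05-01T12:02:00Z", "sg-0123example", [_perm("tcp", 443, v4=["10.0.0.0/8"])]),
    _record("AuthorizeSecurityGroupIngress", "2024-05-01T12:03:00Z", "sg-0456example", [_perm("tcp", 3389, v6=["::/0"])]),
    _record("RevokeSecurityGroupIngress", "2024-05-01T12:04:00Z", "sg-0123example", [_perm("tcp", 22, v4=["0.0.0.0/0"])]),
    # the call was rejected, so no rule was created
    _record("AuthorizeSecurityGroupIngress", "2024-05-01T12:05:00Z", "sg-0789example", [_perm("tcp", 22, v4=["0.0.0.0/0"])], error="Client.UnauthorizedOperation"),
    # outside the 15-minute window
    _record("AuthorizeSecurityGroupIngress", "2024-05-01T11:00:00Z", "sg-0999example", [_perm("tcp", 22, v4=["0.0.0.0/0"])]),
]


# --- detection logic -------------------------------------------------------------------
def parse_records(lines):
    """Parse JSON lines and convert eventTime to a tz-aware datetime."""
    out = []
    for line in lines:
        rec = json.loads(line)
        rec["eventTime"] = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        out.append(rec)
    return out


def is_world_open(cidr):
    """True when the range covers the whole IPv4 or IPv6 space (0.0.0.0/0, ::/0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def open_ingress_rules(records, now, window_minutes=15):
    """Ingress rules successfully authorized in the window whose source is the whole internet."""
    start = now - timedelta(minutes=window_minutes)
    findings = []
    for rec in records:
        if rec.get("eventName") != "AuthorizeSecurityGroupIngress":
            continue
        if rec.get("errorCode"):
            continue  # rejected call, nothing changed
        if not (start < rec["eventTime"] <= now):
            continue
        params = rec.get("requestParameters") or {}
        for perm in (params.get("ipPermissions") or {}).get("items", []):
            cidrs = [r.get("cidrIp") for r in (perm.get("ipRanges") or {}).get("items", [])]
            cidrs += [r.get("cidrIpv6") for r in (perm.get("ipv6Ranges") or {}).get("items", [])]
            for cidr in cidrs:
                if cidr and is_world_open(cidr):
                    findings.append({
                        "groupId": params.get("groupId"),
                        "protocol": perm.get("ipProtocol"),
                        "fromPort": perm.get("fromPort"),
                        "toPort": perm.get("toPort"),
                        "cidr": cidr,
                        "actor": (rec.get("userIdentity") or {}).get("arn", "unknown"),
                        "time": rec["eventTime"],
                    })
    return findings


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 15, tzinfo=timezone.utc)
    for f in open_ingress_rules(parse_records(SAMPLE_LINES), now):
        print(f"{f['time']:%H:%M} {f['actor']} opened {f['groupId']} {f['protocol']}/{f['toPort']} to {f['cidr']}")
```

The revoke record is intentionally ignored; a query that only looks for the CIDR string would flag the clean-up as well as the exposure.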
Usage:
runreveal logs --name new-access-key-usage
This query will show you if any new access keys were created for a user in the past 15 minutes.
Usage:
runreveal logs --name policy-changes
Quickly see if any AWS service has had a policy change in the last 15 minutes.
Usage:
runreveal logs --name root-account-usage
See a list of events that your AWS root account has performed.
Usage:
runreveal logs --name secret-access
List the secrets that have been accessed through Secrets Manager, and by whom, over the past two hours.
Usage:
runreveal logs --name unknown-console-login
Show recent logins to the AWS console and see whether the authenticated user has logged in from that geography before. This surfaces cases where a user's geography has changed rapidly, and is a useful query to run on a schedule.
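The failed-login-attempts and unknown-console-login queries both work from CloudTrail ConsoleLogin records, so one added example covers both. It is an illustration written for this page, not RunReveal's query code: it uses the standard fields of a ConsoleLogin event (sourceIPAddress, userIdentity.userName, responseElements.ConsoleLogin with value Success or Failure), a constructed lookup table standing in for a GeoIP/ASN database, and constructed login records. It counts failures by IP, AS number and country, and flags a successful login from a country that user has never logged in from before (a user's very first login is treated as establishing history rather than as an anomaly; that choice is an assumption).

```python
import ipaddress
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed stand-in for a GeoIP/ASN lookup (RFC 5737 documentation ranges and
# private-use AS numbers). A real deployment would query a GeoIP database here.
GEO_TABLE = [
    ("203.0.113.0/24", "US", "AS64496"),
    ("198.51.100.0/24", "DE", "AS64497"),
    ("192.0.2.0/24", "BR", "AS64498"),
]


def geolocate(ip):
    """Return (country, asn) for an IP, or ("??", "??") when it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for cidr, country, asn in GEO_TABLE:
        if addr in ipaddress.ip_network(cidr):
            return country, asn
    return "??", "??"


def _login(when, user, ip, outcome):
    """Build one constructed CloudTrail-style ConsoleLogin JSON line."""
    return json.dumps({"eventTime": when, "eventName": "ConsoleLogin",
                       "eventSource": "signin.amazonaws.com",
                       "userIdentity": {"type": "IAMUser", "userName": user},
                       "sourceIPAddress": ip,
                       "responseElements": {"ConsoleLogin": outcome}})


SAMPLE_LINES = [
    _login("2024-05-01T10:00:00Z", "alice", "203.0.113.10", "Success"),
    _login("2024-05-01T11:00:00Z", "alice", "203.0.113.11", "Success"),
    _login("2024-05-01T11:20:00Z", "alice", "198.51.100.5", "Success"),  # new country for alice
    _login("2024-05-01T12:00:00Z", "bob", "192.0.2.10", "Failure"),
    _login("2024-05-01T12:01:00Z", "bob", "192.0.2.10", "Failure"),
    _login("2024-05-01T12:02:00Z", "bob", "192.0.2.10", "Failure"),
    _login("2024-05-01T12:30:00Z", "carol", "192.0.2.20", "Success"),   # first ever login, no history
]


def console_logins(lines):
    """Normalise ConsoleLogin records to dicts with time, user, ip, country, asn, success."""
    rows = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("eventName") != "ConsoleLogin":
            continue
        ident = rec.get("userIdentity") or {}
        country, asn = geolocate(rec["sourceIPAddress"])
        rows.append({
            "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": ident.get("userName") or ident.get("arn") or ident.get("type", "unknown"),
            "ip": rec["sourceIPAddress"],
            "country": country,
            "asn": asn,
            "success": (rec.get("responseElements") or {}).get("ConsoleLogin") == "Success",
        })
    return rows


def failed_logins(logins):
    """(ip, asn, country) -> number of failed console logins (the failed-login-attempts view)."""
    return Counter((l["ip"], l["asn"], l["country"]) for l in logins if not l["success"])


def new_geography_logins(logins):
    """Successful logins from a country the user has not been seen in before, in time order
    (the unknown-console-login view). History is built from the same record stream."""
    seen = defaultdict(set)
    flagged = []
    for l in sorted(logins, key=lambda r: r["time"]):
        if not l["success"]:
            continue
        known = seen[l["user"]]
        if known and l["country"] not in known:
            flagged.append(l)
        known.add(l["country"])
    return flagged


if __name__ == "__main__":
    logins = console_logins(SAMPLE_LINES)
    for (ip, asn, country), n in failed_logins(logins).items():
        print(f"{n} failed logins from {ip} ({asn}, {country})")
    for l in new_geography_logins(logins):
        print(f"{l['time']:%H:%M} {l['user']} logged in from new country {l['country']} ({l['ip']})")
```

In production the "seen" set would be loaded from a longer history than the query window, otherwise every login at the start of each run looks new.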
Usage:
runreveal logs --name access-by-country --param country=US --param hour=1
Show what access has come from a specific country over a specific timeframe. This query is particularly useful to run on a schedule to look for access from high-risk countries that you don't expect to be accessing your systems or docs.
Usage:
runreveal logs --name externally-shared-drive-docs
Show who in your organization has shared docs that are publicly accessible. Useful to run on a schedule to see differences and changes over time. Useful in detecting people leaving your company who may try to take souvenirs.
Usage:
runreveal logs --name user-events --param [email protected] --param hour=5
This will show you what a specific user has done over a specific timeframe.
Usage:
runreveal logs --name higher-avg-trigger-usage
This will show you triggers that are firing at a higher than average rate. Critical for detecting changes in your environment.
The AWS triggers are based on this Invictus IR cheat sheet. Each trigger is written to match the event names in the cheat sheet, across each of the categories of compromise-related activity.