1681175400, search_name="ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule", orig_time="1681175400", annotations="{\"analytic_story\":[\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":80,\"mitre_attack\":[\"T1119\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1119", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Data Exfiltration", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1119", annotations.nist="DE.AE", aws_account_id="111111111111", bucketName="security-content", count="1816", info_max_time="1683241200.000000000", info_min_time="1675400400.000000000", info_search_time="1683241809.434642000", log_event_prob="-30.2335", max_freq="0.69791", probable_cause="count", probable_cause_freq="0.00001", risk_message="Anomalous S3 activities detected by user arn:aws:iam::111111111111:user/console from 12.26.0.38", risk_object="111111111111", risk_object_type="other", risk_score="64.0", savedsearch_description="This search uses built in Splunk command `| anomalydetection` to detect anomalies with respect to users making high number of GetObject API calls to download objects from S3 by a user within 10 minutes of time window. The field `probable_cause` is the name of the field that best explains why the event is anomalous. 
This command identifies anomalous events by computing a probability for each GetObject event by \"count\" \"user_type\" \"user_arn\" and detects anomaly based on the frequencies.", src_ip="12.26.0.38", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_arn="arn:aws:iam::111111111111:user/console", user_type="IAMUser" 1681175400, search_name="ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule", orig_time="1681175400", annotations="{\"analytic_story\":[\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":80,\"mitre_attack\":[\"T1119\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1119", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Data Exfiltration", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1119", annotations.nist="DE.AE", aws_account_id="111111111111", bucketName="security-content", count="1816", info_max_time="1683241200.000000000", info_min_time="1675400400.000000000", info_search_time="1683241809.434642000", log_event_prob="-30.2335", max_freq="0.69791", probable_cause="count", probable_cause_freq="0.00001", risk_message="Anomalous S3 activities detected by user arn:aws:iam::111111111111:user/console from 12.26.0.38", risk_object="12.26.0.38", risk_object_type="system", risk_score="64.0", savedsearch_description="This search uses built in Splunk command `| anomalydetection` to detect anomalies with respect to users making high number of GetObject API calls to download objects from S3 by a user within 10 minutes of time window. The field `probable_cause` is the name of the field that best explains why the event is anomalous. 
This command identifies anomalous events by computing a probability for each GetObject event by \"count\" \"user_type\" \"user_arn\" and detects anomaly based on the frequencies.", src_ip="12.26.0.38", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_arn="arn:aws:iam::111111111111:user/console", user_type="IAMUser" 1681175400, search_name="ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule", orig_time="1681175400", annotations="{\"analytic_story\":[\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":80,\"mitre_attack\":[\"T1119\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1119", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Data Exfiltration", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1119", annotations.nist="DE.AE", aws_account_id="111111111111", bucketName="security-content", count="1816", info_max_time="1683241200.000000000", info_min_time="1675400400.000000000", info_search_time="1683241809.434642000", log_event_prob="-30.2335", max_freq="0.69791", probable_cause="count", probable_cause_freq="0.00001", risk_message="Anomalous S3 activities detected by user arn:aws:iam::111111111111:user/console from 12.26.0.38", risk_object="arn:aws:iam::111111111111:user/console", risk_object_type="user", risk_score="64.0", savedsearch_description="This search uses built in Splunk command `| anomalydetection` to detect anomalies with respect to users making high number of GetObject API calls to download objects from S3 by a user within 10 minutes of time window. The field `probable_cause` is the name of the field that best explains why the event is anomalous. 
This command identifies anomalous events by computing a probability for each GetObject event by \"count\" \"user_type\" \"user_arn\" and detects anomaly based on the frequencies.", src_ip="12.26.0.38", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_arn="arn:aws:iam::111111111111:user/console", user_type="IAMUser" 1681175400, search_name="ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule", orig_time="1681175400", annotations="{\"analytic_story\":[\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":80,\"mitre_attack\":[\"T1119\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1119", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Data Exfiltration", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1119", annotations.nist="DE.AE", aws_account_id="111111111111", bucketName="security-content", count="2000", info_max_time="1683241200.000000000", info_min_time="1675400400.000000000", info_search_time="1683241809.434642000", log_event_prob="-30.2335", max_freq="0.69791", probable_cause="count", probable_cause_freq="0.00001", risk_message="Anomalous S3 activities detected by user arn:aws:iam::111111111111:user/console from 12.26.0.34", risk_object="111111111111", risk_object_type="other", risk_score="64.0", savedsearch_description="This search uses built in Splunk command `| anomalydetection` to detect anomalies with respect to users making high number of GetObject API calls to download objects from S3 by a user within 10 minutes of time window. The field `probable_cause` is the name of the field that best explains why the event is anomalous. 
This command identifies anomalous events by computing a probability for each GetObject event by \"count\" \"user_type\" \"user_arn\" and detects anomaly based on the frequencies.", src_ip="12.26.0.34", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_arn="arn:aws:iam::111111111111:user/console", user_type="IAMUser" 1681175400, search_name="ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule", orig_time="1681175400", annotations="{\"analytic_story\":[\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":80,\"mitre_attack\":[\"T1119\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1119", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Data Exfiltration", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1119", annotations.nist="DE.AE", aws_account_id="111111111111", bucketName="security-content", count="2000", info_max_time="1683241200.000000000", info_min_time="1675400400.000000000", info_search_time="1683241809.434642000", log_event_prob="-30.2335", max_freq="0.69791", probable_cause="count", probable_cause_freq="0.00001", risk_message="Anomalous S3 activities detected by user arn:aws:iam::111111111111:user/console from 12.26.0.34", risk_object="12.26.0.34", risk_object_type="system", risk_score="64.0", savedsearch_description="This search uses built in Splunk command `| anomalydetection` to detect anomalies with respect to users making high number of GetObject API calls to download objects from S3 by a user within 10 minutes of time window. The field `probable_cause` is the name of the field that best explains why the event is anomalous. 
This command identifies anomalous events by computing a probability for each GetObject event by \"count\" \"user_type\" \"user_arn\" and detects anomaly based on the frequencies.", src_ip="12.26.0.34", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_arn="arn:aws:iam::111111111111:user/console", user_type="IAMUser" 1681175400, search_name="ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule", orig_time="1681175400", annotations="{\"analytic_story\":[\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":80,\"mitre_attack\":[\"T1119\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1119", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Data Exfiltration", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1119", annotations.nist="DE.AE", aws_account_id="111111111111", bucketName="security-content", count="2000", info_max_time="1683241200.000000000", info_min_time="1675400400.000000000", info_search_time="1683241809.434642000", log_event_prob="-30.2335", max_freq="0.69791", probable_cause="count", probable_cause_freq="0.00001", risk_message="Anomalous S3 activities detected by user arn:aws:iam::111111111111:user/console from 12.26.0.34", risk_object="arn:aws:iam::111111111111:user/console", risk_object_type="user", risk_score="64.0", savedsearch_description="This search uses built in Splunk command `| anomalydetection` to detect anomalies with respect to users making high number of GetObject API calls to download objects from S3 by a user within 10 minutes of time window. The field `probable_cause` is the name of the field that best explains why the event is anomalous. 
This command identifies anomalous events by computing a probability for each GetObject event by \"count\" \"user_type\" \"user_arn\" and detects anomaly based on the frequencies.", src_ip="12.26.0.34", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_arn="arn:aws:iam::111111111111:user/console", user_type="IAMUser" 1681174800, search_name="ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule", orig_time="1681174800", annotations="{\"analytic_story\":[\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":80,\"mitre_attack\":[\"T1119\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1119", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Data Exfiltration", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1119", annotations.nist="DE.AE", aws_account_id="111111111111", bucketName="security-content", count="3670", info_max_time="1683241200.000000000", info_min_time="1675400400.000000000", info_search_time="1683241809.434642000", log_event_prob="-30.2335", max_freq="0.69791", probable_cause="count", probable_cause_freq="0.00001", risk_message="Anomalous S3 activities detected by user arn:aws:iam::111111111111:user/console from 12.26.0.34", risk_object="111111111111", risk_object_type="other", risk_score="64.0", savedsearch_description="This search uses built in Splunk command `| anomalydetection` to detect anomalies with respect to users making high number of GetObject API calls to download objects from S3 by a user within 10 minutes of time window. The field `probable_cause` is the name of the field that best explains why the event is anomalous. 
This command identifies anomalous events by computing a probability for each GetObject event by \"count\" \"user_type\" \"user_arn\" and detects anomaly based on the frequencies.", src_ip="12.26.0.34", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_arn="arn:aws:iam::111111111111:user/console", user_type="IAMUser" 1681174800, search_name="ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule", orig_time="1681174800", annotations="{\"analytic_story\":[\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":80,\"mitre_attack\":[\"T1119\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1119", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Data Exfiltration", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1119", annotations.nist="DE.AE", aws_account_id="111111111111", bucketName="security-content", count="3670", info_max_time="1683241200.000000000", info_min_time="1675400400.000000000", info_search_time="1683241809.434642000", log_event_prob="-30.2335", max_freq="0.69791", probable_cause="count", probable_cause_freq="0.00001", risk_message="Anomalous S3 activities detected by user arn:aws:iam::111111111111:user/console from 12.26.0.34", risk_object="12.26.0.34", risk_object_type="system", risk_score="64.0", savedsearch_description="This search uses built in Splunk command `| anomalydetection` to detect anomalies with respect to users making high number of GetObject API calls to download objects from S3 by a user within 10 minutes of time window. The field `probable_cause` is the name of the field that best explains why the event is anomalous. 
This command identifies anomalous events by computing a probability for each GetObject event by \"count\" \"user_type\" \"user_arn\" and detects anomaly based on the frequencies.", src_ip="12.26.0.34", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_arn="arn:aws:iam::111111111111:user/console", user_type="IAMUser" 1681174800, search_name="ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule", orig_time="1681174800", annotations="{\"analytic_story\":[\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":80,\"mitre_attack\":[\"T1119\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1119", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Data Exfiltration", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1119", annotations.nist="DE.AE", aws_account_id="111111111111", bucketName="security-content", count="3670", info_max_time="1683241200.000000000", info_min_time="1675400400.000000000", info_search_time="1683241809.434642000", log_event_prob="-30.2335", max_freq="0.69791", probable_cause="count", probable_cause_freq="0.00001", risk_message="Anomalous S3 activities detected by user arn:aws:iam::111111111111:user/console from 12.26.0.34", risk_object="arn:aws:iam::111111111111:user/console", risk_object_type="user", risk_score="64.0", savedsearch_description="This search uses built in Splunk command `| anomalydetection` to detect anomalies with respect to users making high number of GetObject API calls to download objects from S3 by a user within 10 minutes of time window. The field `probable_cause` is the name of the field that best explains why the event is anomalous. 
This command identifies anomalous events by computing a probability for each GetObject event by \"count\" \"user_type\" \"user_arn\" and detects anomaly based on the frequencies.", src_ip="12.26.0.34", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_arn="arn:aws:iam::111111111111:user/console", user_type="IAMUser" 1679351496, search_name="ESCU - AWS EC2 Snapshot Shared Externally - Rule", orig_time="1679351496", annotations="{\"analytic_story\":[\"Suspicious Cloud Instance Activities\",\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":60,\"mitre_attack\":[\"T1537\"],\"nist\":[\"DE.CM\"]}", annotations._all="Suspicious Cloud Instance Activities", annotations._all="Data Exfiltration", annotations._all="T1537", annotations._all="DE.CM", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Cloud Instance Activities", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1537", annotations.nist="DE.CM", aws_account_id="111111111111", info_max_time="1683241200.000000000", info_min_time="1675400400.000000000", info_search_time="1683241819.680021000", match="No Match", requestParameters.attributeType="CREATE_VOLUME_PERMISSION", requested_account_id="012345678912", risk_message="AWS EC2 snapshot from account 111111111111 is shared with 012345678912 by user arn:aws:iam::111111111111:user/console from 72.135.245.10", risk_object="72.135.245.10", risk_object_type="system", risk_score="48.0", savedsearch_description="The following analytic utilizes AWS CloudTrail events to identify when an EC2 snapshot permissions are modified to be shared with a different AWS account. 
This method is used by adversaries to exfiltrate the EC2 snapshot.", src_ip="72.135.245.10", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_agent="stratus-red-team_46665bb8-dc15-4aba-a5ad-a362772b3f0d", user_arn="arn:aws:iam::111111111111:user/console", vendor_region="us-west-2" 1679351496, search_name="ESCU - AWS EC2 Snapshot Shared Externally - Rule", orig_time="1679351496", annotations="{\"analytic_story\":[\"Suspicious Cloud Instance Activities\",\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":60,\"mitre_attack\":[\"T1537\"],\"nist\":[\"DE.CM\"]}", annotations._all="Suspicious Cloud Instance Activities", annotations._all="Data Exfiltration", annotations._all="T1537", annotations._all="DE.CM", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Cloud Instance Activities", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1537", annotations.nist="DE.CM", aws_account_id="111111111111", info_max_time="1683241200.000000000", info_min_time="1675400400.000000000", info_search_time="1683241819.680021000", match="No Match", requestParameters.attributeType="CREATE_VOLUME_PERMISSION", requested_account_id="012345678912", risk_message="AWS EC2 snapshot from account 111111111111 is shared with 012345678912 by user arn:aws:iam::111111111111:user/console from 72.135.245.10", risk_object="arn:aws:iam::111111111111:user/console", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic utilizes AWS CloudTrail events to identify when an EC2 snapshot permissions are modified to be shared with a different AWS account. 
This method is used by adversaries to exfiltrate the EC2 snapshot.", src_ip="72.135.245.10", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_agent="stratus-red-team_46665bb8-dc15-4aba-a5ad-a362772b3f0d", user_arn="arn:aws:iam::111111111111:user/console", vendor_region="us-west-2" 1680633876, search_name="ESCU - AWS EC2 Snapshot Shared Externally - Rule", orig_time="1680633876", annotations="{\"analytic_story\":[\"Suspicious Cloud Instance Activities\",\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":60,\"mitre_attack\":[\"T1537\"],\"nist\":[\"DE.CM\"]}", annotations._all="Suspicious Cloud Instance Activities", annotations._all="Data Exfiltration", annotations._all="T1537", annotations._all="DE.CM", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Cloud Instance Activities", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1537", annotations.nist="DE.CM", aws_account_id="111111111111", info_max_time="1683241200.000000000", info_min_time="1675400400.000000000", info_search_time="1683241819.680021000", match="No Match", requestParameters.attributeType="CREATE_VOLUME_PERMISSION", requested_account_id="012345678912", risk_message="AWS EC2 snapshot from account 111111111111 is shared with 012345678912 by user arn:aws:iam::111111111111:user/console from 72.135.245.10", risk_object="72.135.245.10", risk_object_type="system", risk_score="48.0", savedsearch_description="The following analytic utilizes AWS CloudTrail events to identify when an EC2 snapshot permissions are modified to be shared with a different AWS account. 
This method is used by adversaries to exfiltrate the EC2 snapshot.", src_ip="72.135.245.10", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_agent="stratus-red-team_4c220c06-8ecb-400a-85b5-ca84c7226979", user_arn="arn:aws:iam::111111111111:user/console", vendor_region="us-west-2" 1680633876, search_name="ESCU - AWS EC2 Snapshot Shared Externally - Rule", orig_time="1680633876", annotations="{\"analytic_story\":[\"Suspicious Cloud Instance Activities\",\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":60,\"mitre_attack\":[\"T1537\"],\"nist\":[\"DE.CM\"]}", annotations._all="Suspicious Cloud Instance Activities", annotations._all="Data Exfiltration", annotations._all="T1537", annotations._all="DE.CM", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Cloud Instance Activities", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1537", annotations.nist="DE.CM", aws_account_id="111111111111", info_max_time="1683241200.000000000", info_min_time="1675400400.000000000", info_search_time="1683241819.680021000", match="No Match", requestParameters.attributeType="CREATE_VOLUME_PERMISSION", requested_account_id="012345678912", risk_message="AWS EC2 snapshot from account 111111111111 is shared with 012345678912 by user arn:aws:iam::111111111111:user/console from 72.135.245.10", risk_object="arn:aws:iam::111111111111:user/console", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic utilizes AWS CloudTrail events to identify when an EC2 snapshot permissions are modified to be shared with a different AWS account. 
This method is used by adversaries to exfiltrate the EC2 snapshot.", src_ip="72.135.245.10", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_agent="stratus-red-team_4c220c06-8ecb-400a-85b5-ca84c7226979", user_arn="arn:aws:iam::111111111111:user/console", vendor_region="us-west-2" 1680633113, search_name="ESCU - AWS EC2 Snapshot Shared Externally - Rule", orig_time="1680633113", annotations="{\"analytic_story\":[\"Suspicious Cloud Instance Activities\",\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":60,\"mitre_attack\":[\"T1537\"],\"nist\":[\"DE.CM\"]}", annotations._all="Suspicious Cloud Instance Activities", annotations._all="Data Exfiltration", annotations._all="T1537", annotations._all="DE.CM", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Cloud Instance Activities", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1537", annotations.nist="DE.CM", aws_account_id="111111111111", info_max_time="1683241200.000000000", info_min_time="1675400400.000000000", info_search_time="1683241819.680021000", match="No Match", requestParameters.attributeType="CREATE_VOLUME_PERMISSION", requested_account_id="012345678912", risk_message="AWS EC2 snapshot from account 111111111111 is shared with 012345678912 by user arn:aws:iam::111111111111:user/console from 72.135.245.10", risk_object="72.135.245.10", risk_object_type="system", risk_score="48.0", savedsearch_description="The following analytic utilizes AWS CloudTrail events to identify when an EC2 snapshot permissions are modified to be shared with a different AWS account. 
This method is used by adversaries to exfiltrate the EC2 snapshot.", src_ip="72.135.245.10", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_agent="stratus-red-team_77e9597e-a03e-418d-a3c9-af89e78d95c6", user_arn="arn:aws:iam::111111111111:user/console", vendor_region="us-west-2" 1680633113, search_name="ESCU - AWS EC2 Snapshot Shared Externally - Rule", orig_time="1680633113", annotations="{\"analytic_story\":[\"Suspicious Cloud Instance Activities\",\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":60,\"mitre_attack\":[\"T1537\"],\"nist\":[\"DE.CM\"]}", annotations._all="Suspicious Cloud Instance Activities", annotations._all="Data Exfiltration", annotations._all="T1537", annotations._all="DE.CM", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Cloud Instance Activities", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1537", annotations.nist="DE.CM", aws_account_id="111111111111", info_max_time="1683241200.000000000", info_min_time="1675400400.000000000", info_search_time="1683241819.680021000", match="No Match", requestParameters.attributeType="CREATE_VOLUME_PERMISSION", requested_account_id="012345678912", risk_message="AWS EC2 snapshot from account 111111111111 is shared with 012345678912 by user arn:aws:iam::111111111111:user/console from 72.135.245.10", risk_object="arn:aws:iam::111111111111:user/console", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic utilizes AWS CloudTrail events to identify when an EC2 snapshot permissions are modified to be shared with a different AWS account. 
This method is used by adversaries to exfiltrate the EC2 snapshot.", src_ip="72.135.245.10", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_agent="stratus-red-team_77e9597e-a03e-418d-a3c9-af89e78d95c6", user_arn="arn:aws:iam::111111111111:user/console", vendor_region="us-west-2" 1680632969, search_name="ESCU - AWS EC2 Snapshot Shared Externally - Rule", orig_time="1680632969", annotations="{\"analytic_story\":[\"Suspicious Cloud Instance Activities\",\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":60,\"mitre_attack\":[\"T1537\"],\"nist\":[\"DE.CM\"]}", annotations._all="Suspicious Cloud Instance Activities", annotations._all="Data Exfiltration", annotations._all="T1537", annotations._all="DE.CM", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Cloud Instance Activities", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1537", annotations.nist="DE.CM", aws_account_id="111111111111", info_max_time="1683241200.000000000", info_min_time="1675400400.000000000", info_search_time="1683241819.680021000", match="No Match", requestParameters.attributeType="CREATE_VOLUME_PERMISSION", requested_account_id="012345678912", risk_message="AWS EC2 snapshot from account 111111111111 is shared with 012345678912 by user arn:aws:iam::111111111111:user/console from 72.135.245.10", risk_object="72.135.245.10", risk_object_type="system", risk_score="48.0", savedsearch_description="The following analytic utilizes AWS CloudTrail events to identify when an EC2 snapshot permissions are modified to be shared with a different AWS account. 
This method is used by adversaries to exfiltrate the EC2 snapshot.", src_ip="72.135.245.10", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_agent="stratus-red-team_4282d8f1-3af0-4f51-9073-fe617c4e0b02", user_arn="arn:aws:iam::111111111111:user/console", vendor_region="us-west-2" 1680632969, search_name="ESCU - AWS EC2 Snapshot Shared Externally - Rule", orig_time="1680632969", annotations="{\"analytic_story\":[\"Suspicious Cloud Instance Activities\",\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":60,\"mitre_attack\":[\"T1537\"],\"nist\":[\"DE.CM\"]}", annotations._all="Suspicious Cloud Instance Activities", annotations._all="Data Exfiltration", annotations._all="T1537", annotations._all="DE.CM", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Cloud Instance Activities", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1537", annotations.nist="DE.CM", aws_account_id="111111111111", info_max_time="1683241200.000000000", info_min_time="1675400400.000000000", info_search_time="1683241819.680021000", match="No Match", requestParameters.attributeType="CREATE_VOLUME_PERMISSION", requested_account_id="012345678912", risk_message="AWS EC2 snapshot from account 111111111111 is shared with 012345678912 by user arn:aws:iam::111111111111:user/console from 72.135.245.10", risk_object="arn:aws:iam::111111111111:user/console", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic utilizes AWS CloudTrail events to identify when an EC2 snapshot permissions are modified to be shared with a different AWS account. 
This method is used by adversaries to exfiltrate the EC2 snapshot.", src_ip="72.135.245.10", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_agent="stratus-red-team_4282d8f1-3af0-4f51-9073-fe617c4e0b02", user_arn="arn:aws:iam::111111111111:user/console", vendor_region="us-west-2" 1680632364, search_name="ESCU - AWS EC2 Snapshot Shared Externally - Rule", orig_time="1680632364", annotations="{\"analytic_story\":[\"Suspicious Cloud Instance Activities\",\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":60,\"mitre_attack\":[\"T1537\"],\"nist\":[\"DE.CM\"]}", annotations._all="Suspicious Cloud Instance Activities", annotations._all="Data Exfiltration", annotations._all="T1537", annotations._all="DE.CM", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Cloud Instance Activities", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1537", annotations.nist="DE.CM", aws_account_id="111111111111", info_max_time="1683241200.000000000", info_min_time="1675400400.000000000", info_search_time="1683241819.680021000", match="No Match", requestParameters.attributeType="CREATE_VOLUME_PERMISSION", requested_account_id="012345678912", risk_message="AWS EC2 snapshot from account 111111111111 is shared with 012345678912 by user arn:aws:iam::111111111111:user/console from 72.135.245.10", risk_object="72.135.245.10", risk_object_type="system", risk_score="48.0", savedsearch_description="The following analytic utilizes AWS CloudTrail events to identify when an EC2 snapshot permissions are modified to be shared with a different AWS account. 
This method is used by adversaries to exfiltrate the EC2 snapshot.", src_ip="72.135.245.10", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_agent="stratus-red-team_732725b0-228d-4d40-af0c-481353f8665b", user_arn="arn:aws:iam::111111111111:user/console", vendor_region="us-west-2" 1680632364, search_name="ESCU - AWS EC2 Snapshot Shared Externally - Rule", orig_time="1680632364", annotations="{\"analytic_story\":[\"Suspicious Cloud Instance Activities\",\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":60,\"mitre_attack\":[\"T1537\"],\"nist\":[\"DE.CM\"]}", annotations._all="Suspicious Cloud Instance Activities", annotations._all="Data Exfiltration", annotations._all="T1537", annotations._all="DE.CM", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Cloud Instance Activities", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1537", annotations.nist="DE.CM", aws_account_id="111111111111", info_max_time="1683241200.000000000", info_min_time="1675400400.000000000", info_search_time="1683241819.680021000", match="No Match", requestParameters.attributeType="CREATE_VOLUME_PERMISSION", requested_account_id="012345678912", risk_message="AWS EC2 snapshot from account 111111111111 is shared with 012345678912 by user arn:aws:iam::111111111111:user/console from 72.135.245.10", risk_object="arn:aws:iam::111111111111:user/console", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic utilizes AWS CloudTrail events to identify when an EC2 snapshot permissions are modified to be shared with a different AWS account. 
This method is used by adversaries to exfiltrate the EC2 snapshot.", src_ip="72.135.245.10", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_agent="stratus-red-team_732725b0-228d-4d40-af0c-481353f8665b", user_arn="arn:aws:iam::111111111111:user/console", vendor_region="us-west-2" 1681175400, search_name="ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule", orig_time="1681175400", annotations="{\"analytic_story\":[\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":80,\"mitre_attack\":[\"T1119\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1119", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Data Exfiltration", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1119", annotations.nist="DE.AE", aws_account_id="111111111111", bucketName="security-content", count="1816", info_max_time="1683240900.000000000", info_min_time="1675400400.000000000", info_search_time="1683241510.712016000", log_event_prob="-30.2335", max_freq="0.69791", probable_cause="count", probable_cause_freq="0.00001", risk_message="Anomalous S3 activities detected by user arn:aws:iam::111111111111:user/console from 12.26.0.38", risk_object="111111111111", risk_object_type="other", risk_score="64.0", savedsearch_description="This search uses built in Splunk command `| anomalydetection` to detect anomalies with respect to users making high number of GetObject API calls to download objects from S3 by a user within 10 minutes of time window. The field `probable_cause` is the name of the field that best explains why the event is anomalous. 
This command identifies anomalous events by computing a probability for each GetObject event by \"count\" \"user_type\" \"user_arn\" and detects anomaly based on the frequencies.", src_ip="12.26.0.38", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_arn="arn:aws:iam::111111111111:user/console", user_type="IAMUser" 1681175400, search_name="ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule", orig_time="1681175400", annotations="{\"analytic_story\":[\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":80,\"mitre_attack\":[\"T1119\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1119", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Data Exfiltration", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1119", annotations.nist="DE.AE", aws_account_id="111111111111", bucketName="security-content", count="1816", info_max_time="1683240900.000000000", info_min_time="1675400400.000000000", info_search_time="1683241510.712016000", log_event_prob="-30.2335", max_freq="0.69791", probable_cause="count", probable_cause_freq="0.00001", risk_message="Anomalous S3 activities detected by user arn:aws:iam::111111111111:user/console from 12.26.0.38", risk_object="12.26.0.38", risk_object_type="system", risk_score="64.0", savedsearch_description="This search uses built in Splunk command `| anomalydetection` to detect anomalies with respect to users making high number of GetObject API calls to download objects from S3 by a user within 10 minutes of time window. The field `probable_cause` is the name of the field that best explains why the event is anomalous. 
This command identifies anomalous events by computing a probability for each GetObject event by \"count\" \"user_type\" \"user_arn\" and detects anomaly based on the frequencies.", src_ip="12.26.0.38", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_arn="arn:aws:iam::111111111111:user/console", user_type="IAMUser" 1681175400, search_name="ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule", orig_time="1681175400", annotations="{\"analytic_story\":[\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":80,\"mitre_attack\":[\"T1119\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1119", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Data Exfiltration", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1119", annotations.nist="DE.AE", aws_account_id="111111111111", bucketName="security-content", count="1816", info_max_time="1683240900.000000000", info_min_time="1675400400.000000000", info_search_time="1683241510.712016000", log_event_prob="-30.2335", max_freq="0.69791", probable_cause="count", probable_cause_freq="0.00001", risk_message="Anomalous S3 activities detected by user arn:aws:iam::111111111111:user/console from 12.26.0.38", risk_object="arn:aws:iam::111111111111:user/console", risk_object_type="user", risk_score="64.0", savedsearch_description="This search uses built in Splunk command `| anomalydetection` to detect anomalies with respect to users making high number of GetObject API calls to download objects from S3 by a user within 10 minutes of time window. The field `probable_cause` is the name of the field that best explains why the event is anomalous. 
This command identifies anomalous events by computing a probability for each GetObject event by \"count\" \"user_type\" \"user_arn\" and detects anomaly based on the frequencies.", src_ip="12.26.0.38", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_arn="arn:aws:iam::111111111111:user/console", user_type="IAMUser" 1681175400, search_name="ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule", orig_time="1681175400", annotations="{\"analytic_story\":[\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":80,\"mitre_attack\":[\"T1119\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1119", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Data Exfiltration", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1119", annotations.nist="DE.AE", aws_account_id="111111111111", bucketName="security-content", count="2000", info_max_time="1683240900.000000000", info_min_time="1675400400.000000000", info_search_time="1683241510.712016000", log_event_prob="-30.2335", max_freq="0.69791", probable_cause="count", probable_cause_freq="0.00001", risk_message="Anomalous S3 activities detected by user arn:aws:iam::111111111111:user/console from 12.26.0.34", risk_object="111111111111", risk_object_type="other", risk_score="64.0", savedsearch_description="This search uses built in Splunk command `| anomalydetection` to detect anomalies with respect to users making high number of GetObject API calls to download objects from S3 by a user within 10 minutes of time window. The field `probable_cause` is the name of the field that best explains why the event is anomalous. 
This command identifies anomalous events by computing a probability for each GetObject event by \"count\" \"user_type\" \"user_arn\" and detects anomaly based on the frequencies.", src_ip="12.26.0.34", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_arn="arn:aws:iam::111111111111:user/console", user_type="IAMUser" 1681175400, search_name="ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule", orig_time="1681175400", annotations="{\"analytic_story\":[\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":80,\"mitre_attack\":[\"T1119\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1119", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Data Exfiltration", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1119", annotations.nist="DE.AE", aws_account_id="111111111111", bucketName="security-content", count="2000", info_max_time="1683240900.000000000", info_min_time="1675400400.000000000", info_search_time="1683241510.712016000", log_event_prob="-30.2335", max_freq="0.69791", probable_cause="count", probable_cause_freq="0.00001", risk_message="Anomalous S3 activities detected by user arn:aws:iam::111111111111:user/console from 12.26.0.34", risk_object="12.26.0.34", risk_object_type="system", risk_score="64.0", savedsearch_description="This search uses built in Splunk command `| anomalydetection` to detect anomalies with respect to users making high number of GetObject API calls to download objects from S3 by a user within 10 minutes of time window. The field `probable_cause` is the name of the field that best explains why the event is anomalous. 
This command identifies anomalous events by computing a probability for each GetObject event by \"count\" \"user_type\" \"user_arn\" and detects anomaly based on the frequencies.", src_ip="12.26.0.34", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_arn="arn:aws:iam::111111111111:user/console", user_type="IAMUser" 1681175400, search_name="ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule", orig_time="1681175400", annotations="{\"analytic_story\":[\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":80,\"mitre_attack\":[\"T1119\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1119", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Data Exfiltration", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1119", annotations.nist="DE.AE", aws_account_id="111111111111", bucketName="security-content", count="2000", info_max_time="1683240900.000000000", info_min_time="1675400400.000000000", info_search_time="1683241510.712016000", log_event_prob="-30.2335", max_freq="0.69791", probable_cause="count", probable_cause_freq="0.00001", risk_message="Anomalous S3 activities detected by user arn:aws:iam::111111111111:user/console from 12.26.0.34", risk_object="arn:aws:iam::111111111111:user/console", risk_object_type="user", risk_score="64.0", savedsearch_description="This search uses built in Splunk command `| anomalydetection` to detect anomalies with respect to users making high number of GetObject API calls to download objects from S3 by a user within 10 minutes of time window. The field `probable_cause` is the name of the field that best explains why the event is anomalous. 
This command identifies anomalous events by computing a probability for each GetObject event by \"count\" \"user_type\" \"user_arn\" and detects anomaly based on the frequencies.", src_ip="12.26.0.34", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_arn="arn:aws:iam::111111111111:user/console", user_type="IAMUser" 1681174800, search_name="ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule", orig_time="1681174800", annotations="{\"analytic_story\":[\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":80,\"mitre_attack\":[\"T1119\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1119", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Data Exfiltration", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1119", annotations.nist="DE.AE", aws_account_id="111111111111", bucketName="security-content", count="3670", info_max_time="1683240900.000000000", info_min_time="1675400400.000000000", info_search_time="1683241510.712016000", log_event_prob="-30.2335", max_freq="0.69791", probable_cause="count", probable_cause_freq="0.00001", risk_message="Anomalous S3 activities detected by user arn:aws:iam::111111111111:user/console from 12.26.0.34", risk_object="111111111111", risk_object_type="other", risk_score="64.0", savedsearch_description="This search uses built in Splunk command `| anomalydetection` to detect anomalies with respect to users making high number of GetObject API calls to download objects from S3 by a user within 10 minutes of time window. The field `probable_cause` is the name of the field that best explains why the event is anomalous. 
This command identifies anomalous events by computing a probability for each GetObject event by \"count\" \"user_type\" \"user_arn\" and detects anomaly based on the frequencies.", src_ip="12.26.0.34", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_arn="arn:aws:iam::111111111111:user/console", user_type="IAMUser" 1681174800, search_name="ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule", orig_time="1681174800", annotations="{\"analytic_story\":[\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":80,\"mitre_attack\":[\"T1119\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1119", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Data Exfiltration", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1119", annotations.nist="DE.AE", aws_account_id="111111111111", bucketName="security-content", count="3670", info_max_time="1683240900.000000000", info_min_time="1675400400.000000000", info_search_time="1683241510.712016000", log_event_prob="-30.2335", max_freq="0.69791", probable_cause="count", probable_cause_freq="0.00001", risk_message="Anomalous S3 activities detected by user arn:aws:iam::111111111111:user/console from 12.26.0.34", risk_object="12.26.0.34", risk_object_type="system", risk_score="64.0", savedsearch_description="This search uses built in Splunk command `| anomalydetection` to detect anomalies with respect to users making high number of GetObject API calls to download objects from S3 by a user within 10 minutes of time window. The field `probable_cause` is the name of the field that best explains why the event is anomalous. 
This command identifies anomalous events by computing a probability for each GetObject event by \"count\" \"user_type\" \"user_arn\" and detects anomaly based on the frequencies.", src_ip="12.26.0.34", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_arn="arn:aws:iam::111111111111:user/console", user_type="IAMUser" 1681174800, search_name="ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule", orig_time="1681174800", annotations="{\"analytic_story\":[\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":80,\"mitre_attack\":[\"T1119\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1119", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Data Exfiltration", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1119", annotations.nist="DE.AE", aws_account_id="111111111111", bucketName="security-content", count="3670", info_max_time="1683240900.000000000", info_min_time="1675400400.000000000", info_search_time="1683241510.712016000", log_event_prob="-30.2335", max_freq="0.69791", probable_cause="count", probable_cause_freq="0.00001", risk_message="Anomalous S3 activities detected by user arn:aws:iam::111111111111:user/console from 12.26.0.34", risk_object="arn:aws:iam::111111111111:user/console", risk_object_type="user", risk_score="64.0", savedsearch_description="This search uses built in Splunk command `| anomalydetection` to detect anomalies with respect to users making high number of GetObject API calls to download objects from S3 by a user within 10 minutes of time window. The field `probable_cause` is the name of the field that best explains why the event is anomalous. 
This command identifies anomalous events by computing a probability for each GetObject event by \"count\" \"user_type\" \"user_arn\" and detects anomaly based on the frequencies.", src_ip="12.26.0.34", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_arn="arn:aws:iam::111111111111:user/console", user_type="IAMUser" 1679351496, search_name="ESCU - AWS EC2 Snapshot Shared Externally - Rule", orig_time="1679351496", annotations="{\"analytic_story\":[\"Suspicious Cloud Instance Activities\",\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":60,\"mitre_attack\":[\"T1537\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Suspicious Cloud Instance Activities", annotations._all="T1537", annotations._all="Data Exfiltration", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Cloud Instance Activities", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1537", annotations.nist="DE.CM", aws_account_id="111111111111", info_max_time="1683240900.000000000", info_min_time="1675400400.000000000", info_search_time="1683241519.998463000", match="No Match", requestParameters.attributeType="CREATE_VOLUME_PERMISSION", requested_account_id="012345678912", risk_message="AWS EC2 snapshot from account 111111111111 is shared with 012345678912 by user arn:aws:iam::111111111111:user/console from 72.135.245.10", risk_object="72.135.245.10", risk_object_type="system", risk_score="48.0", savedsearch_description="The following analytic utilizes AWS CloudTrail events to identify when an EC2 snapshot permissions are modified to be shared with a different AWS account. 
This method is used by adversaries to exfiltrate the EC2 snapshot.", src_ip="72.135.245.10", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_agent="stratus-red-team_46665bb8-dc15-4aba-a5ad-a362772b3f0d", user_arn="arn:aws:iam::111111111111:user/console", vendor_region="us-west-2" 1679351496, search_name="ESCU - AWS EC2 Snapshot Shared Externally - Rule", orig_time="1679351496", annotations="{\"analytic_story\":[\"Suspicious Cloud Instance Activities\",\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":60,\"mitre_attack\":[\"T1537\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Suspicious Cloud Instance Activities", annotations._all="T1537", annotations._all="Data Exfiltration", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Cloud Instance Activities", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1537", annotations.nist="DE.CM", aws_account_id="111111111111", info_max_time="1683240900.000000000", info_min_time="1675400400.000000000", info_search_time="1683241519.998463000", match="No Match", requestParameters.attributeType="CREATE_VOLUME_PERMISSION", requested_account_id="012345678912", risk_message="AWS EC2 snapshot from account 111111111111 is shared with 012345678912 by user arn:aws:iam::111111111111:user/console from 72.135.245.10", risk_object="arn:aws:iam::111111111111:user/console", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic utilizes AWS CloudTrail events to identify when an EC2 snapshot permissions are modified to be shared with a different AWS account. 
This method is used by adversaries to exfiltrate the EC2 snapshot.", src_ip="72.135.245.10", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_agent="stratus-red-team_46665bb8-dc15-4aba-a5ad-a362772b3f0d", user_arn="arn:aws:iam::111111111111:user/console", vendor_region="us-west-2" 1680633876, search_name="ESCU - AWS EC2 Snapshot Shared Externally - Rule", orig_time="1680633876", annotations="{\"analytic_story\":[\"Suspicious Cloud Instance Activities\",\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":60,\"mitre_attack\":[\"T1537\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Suspicious Cloud Instance Activities", annotations._all="T1537", annotations._all="Data Exfiltration", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Cloud Instance Activities", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1537", annotations.nist="DE.CM", aws_account_id="111111111111", info_max_time="1683240900.000000000", info_min_time="1675400400.000000000", info_search_time="1683241519.998463000", match="No Match", requestParameters.attributeType="CREATE_VOLUME_PERMISSION", requested_account_id="012345678912", risk_message="AWS EC2 snapshot from account 111111111111 is shared with 012345678912 by user arn:aws:iam::111111111111:user/console from 72.135.245.10", risk_object="72.135.245.10", risk_object_type="system", risk_score="48.0", savedsearch_description="The following analytic utilizes AWS CloudTrail events to identify when an EC2 snapshot permissions are modified to be shared with a different AWS account. 
This method is used by adversaries to exfiltrate the EC2 snapshot.", src_ip="72.135.245.10", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_agent="stratus-red-team_4c220c06-8ecb-400a-85b5-ca84c7226979", user_arn="arn:aws:iam::111111111111:user/console", vendor_region="us-west-2" 1680633876, search_name="ESCU - AWS EC2 Snapshot Shared Externally - Rule", orig_time="1680633876", annotations="{\"analytic_story\":[\"Suspicious Cloud Instance Activities\",\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":60,\"mitre_attack\":[\"T1537\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Suspicious Cloud Instance Activities", annotations._all="T1537", annotations._all="Data Exfiltration", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Cloud Instance Activities", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1537", annotations.nist="DE.CM", aws_account_id="111111111111", info_max_time="1683240900.000000000", info_min_time="1675400400.000000000", info_search_time="1683241519.998463000", match="No Match", requestParameters.attributeType="CREATE_VOLUME_PERMISSION", requested_account_id="012345678912", risk_message="AWS EC2 snapshot from account 111111111111 is shared with 012345678912 by user arn:aws:iam::111111111111:user/console from 72.135.245.10", risk_object="arn:aws:iam::111111111111:user/console", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic utilizes AWS CloudTrail events to identify when an EC2 snapshot permissions are modified to be shared with a different AWS account. 
This method is used by adversaries to exfiltrate the EC2 snapshot.", src_ip="72.135.245.10", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_agent="stratus-red-team_4c220c06-8ecb-400a-85b5-ca84c7226979", user_arn="arn:aws:iam::111111111111:user/console", vendor_region="us-west-2" 1680633113, search_name="ESCU - AWS EC2 Snapshot Shared Externally - Rule", orig_time="1680633113", annotations="{\"analytic_story\":[\"Suspicious Cloud Instance Activities\",\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":60,\"mitre_attack\":[\"T1537\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Suspicious Cloud Instance Activities", annotations._all="T1537", annotations._all="Data Exfiltration", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Cloud Instance Activities", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1537", annotations.nist="DE.CM", aws_account_id="111111111111", info_max_time="1683240900.000000000", info_min_time="1675400400.000000000", info_search_time="1683241519.998463000", match="No Match", requestParameters.attributeType="CREATE_VOLUME_PERMISSION", requested_account_id="012345678912", risk_message="AWS EC2 snapshot from account 111111111111 is shared with 012345678912 by user arn:aws:iam::111111111111:user/console from 72.135.245.10", risk_object="72.135.245.10", risk_object_type="system", risk_score="48.0", savedsearch_description="The following analytic utilizes AWS CloudTrail events to identify when an EC2 snapshot permissions are modified to be shared with a different AWS account. 
This method is used by adversaries to exfiltrate the EC2 snapshot.", src_ip="72.135.245.10", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_agent="stratus-red-team_77e9597e-a03e-418d-a3c9-af89e78d95c6", user_arn="arn:aws:iam::111111111111:user/console", vendor_region="us-west-2" 1680633113, search_name="ESCU - AWS EC2 Snapshot Shared Externally - Rule", orig_time="1680633113", annotations="{\"analytic_story\":[\"Suspicious Cloud Instance Activities\",\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":60,\"mitre_attack\":[\"T1537\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Suspicious Cloud Instance Activities", annotations._all="T1537", annotations._all="Data Exfiltration", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Cloud Instance Activities", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1537", annotations.nist="DE.CM", aws_account_id="111111111111", info_max_time="1683240900.000000000", info_min_time="1675400400.000000000", info_search_time="1683241519.998463000", match="No Match", requestParameters.attributeType="CREATE_VOLUME_PERMISSION", requested_account_id="012345678912", risk_message="AWS EC2 snapshot from account 111111111111 is shared with 012345678912 by user arn:aws:iam::111111111111:user/console from 72.135.245.10", risk_object="arn:aws:iam::111111111111:user/console", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic utilizes AWS CloudTrail events to identify when an EC2 snapshot permissions are modified to be shared with a different AWS account. 
This method is used by adversaries to exfiltrate the EC2 snapshot.", src_ip="72.135.245.10", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_agent="stratus-red-team_77e9597e-a03e-418d-a3c9-af89e78d95c6", user_arn="arn:aws:iam::111111111111:user/console", vendor_region="us-west-2" 1680632969, search_name="ESCU - AWS EC2 Snapshot Shared Externally - Rule", orig_time="1680632969", annotations="{\"analytic_story\":[\"Suspicious Cloud Instance Activities\",\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":60,\"mitre_attack\":[\"T1537\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Suspicious Cloud Instance Activities", annotations._all="T1537", annotations._all="Data Exfiltration", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Cloud Instance Activities", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1537", annotations.nist="DE.CM", aws_account_id="111111111111", info_max_time="1683240900.000000000", info_min_time="1675400400.000000000", info_search_time="1683241519.998463000", match="No Match", requestParameters.attributeType="CREATE_VOLUME_PERMISSION", requested_account_id="012345678912", risk_message="AWS EC2 snapshot from account 111111111111 is shared with 012345678912 by user arn:aws:iam::111111111111:user/console from 72.135.245.10", risk_object="72.135.245.10", risk_object_type="system", risk_score="48.0", savedsearch_description="The following analytic utilizes AWS CloudTrail events to identify when an EC2 snapshot permissions are modified to be shared with a different AWS account. 
This method is used by adversaries to exfiltrate the EC2 snapshot.", src_ip="72.135.245.10", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_agent="stratus-red-team_4282d8f1-3af0-4f51-9073-fe617c4e0b02", user_arn="arn:aws:iam::111111111111:user/console", vendor_region="us-west-2" 1680632969, search_name="ESCU - AWS EC2 Snapshot Shared Externally - Rule", orig_time="1680632969", annotations="{\"analytic_story\":[\"Suspicious Cloud Instance Activities\",\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":60,\"mitre_attack\":[\"T1537\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Suspicious Cloud Instance Activities", annotations._all="T1537", annotations._all="Data Exfiltration", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Cloud Instance Activities", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1537", annotations.nist="DE.CM", aws_account_id="111111111111", info_max_time="1683240900.000000000", info_min_time="1675400400.000000000", info_search_time="1683241519.998463000", match="No Match", requestParameters.attributeType="CREATE_VOLUME_PERMISSION", requested_account_id="012345678912", risk_message="AWS EC2 snapshot from account 111111111111 is shared with 012345678912 by user arn:aws:iam::111111111111:user/console from 72.135.245.10", risk_object="arn:aws:iam::111111111111:user/console", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic utilizes AWS CloudTrail events to identify when an EC2 snapshot permissions are modified to be shared with a different AWS account. 
This method is used by adversaries to exfiltrate the EC2 snapshot.", src_ip="72.135.245.10", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_agent="stratus-red-team_4282d8f1-3af0-4f51-9073-fe617c4e0b02", user_arn="arn:aws:iam::111111111111:user/console", vendor_region="us-west-2" 1680632364, search_name="ESCU - AWS EC2 Snapshot Shared Externally - Rule", orig_time="1680632364", annotations="{\"analytic_story\":[\"Suspicious Cloud Instance Activities\",\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":60,\"mitre_attack\":[\"T1537\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Suspicious Cloud Instance Activities", annotations._all="T1537", annotations._all="Data Exfiltration", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Cloud Instance Activities", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1537", annotations.nist="DE.CM", aws_account_id="111111111111", info_max_time="1683240900.000000000", info_min_time="1675400400.000000000", info_search_time="1683241519.998463000", match="No Match", requestParameters.attributeType="CREATE_VOLUME_PERMISSION", requested_account_id="012345678912", risk_message="AWS EC2 snapshot from account 111111111111 is shared with 012345678912 by user arn:aws:iam::111111111111:user/console from 72.135.245.10", risk_object="72.135.245.10", risk_object_type="system", risk_score="48.0", savedsearch_description="The following analytic utilizes AWS CloudTrail events to identify when an EC2 snapshot's permissions are modified to share it with a different AWS account. 
This method is used by adversaries to exfiltrate the EC2 snapshot.", src_ip="72.135.245.10", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_agent="stratus-red-team_732725b0-228d-4d40-af0c-481353f8665b", user_arn="arn:aws:iam::111111111111:user/console", vendor_region="us-west-2" 1680632364, search_name="ESCU - AWS EC2 Snapshot Shared Externally - Rule", orig_time="1680632364", annotations="{\"analytic_story\":[\"Suspicious Cloud Instance Activities\",\"Data Exfiltration\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":60,\"mitre_attack\":[\"T1537\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Suspicious Cloud Instance Activities", annotations._all="T1537", annotations._all="Data Exfiltration", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Suspicious Cloud Instance Activities", annotations.analytic_story="Data Exfiltration", annotations.cis20="CIS 10", annotations.mitre_attack="T1537", annotations.nist="DE.CM", aws_account_id="111111111111", info_max_time="1683240900.000000000", info_min_time="1675400400.000000000", info_search_time="1683241519.998463000", match="No Match", requestParameters.attributeType="CREATE_VOLUME_PERMISSION", requested_account_id="012345678912", risk_message="AWS EC2 snapshot from account 111111111111 is shared with 012345678912 by user arn:aws:iam::111111111111:user/console from 72.135.245.10", risk_object="arn:aws:iam::111111111111:user/console", risk_object_type="user", risk_score="48.0", savedsearch_description="The following analytic utilizes AWS CloudTrail events to identify when an EC2 snapshot's permissions are modified to share it with a different AWS account. 
This method is used by adversaries to exfiltrate the EC2 snapshot.", src_ip="72.135.245.10", userIdentity.principalId="AIDAYTQQP2RLCNEAQXQQQ", user_agent="stratus-red-team_732725b0-228d-4d40-af0c-481353f8665b", user_arn="arn:aws:iam::111111111111:user/console", vendor_region="us-west-2"