Amazon AWS

Use the IBM® QRadar® Custom Properties for Amazon AWS to closely monitor your Amazon AWS deployment.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Custom Properties for Amazon AWS

IBM Security QRadar Custom Properties for Amazon AWS 5.1.0

The following table shows the custom properties that are new in IBM Security QRadar Custom Properties for Amazon AWS 5.1.0.

Table 1. Custom Properties in IBM Security QRadar Custom Properties for Amazon AWS 5.1.0
Custom Property Optimized Expression
Alert Severity No severity:"(.*?)"
Class Name No class_name:"([^\"]*?)"
Device Name No name:"(.*?)"
Email Yes email_addr:"([^\"]*?)"
Host Status Yes status_details:"(.*?)"
Message No message:"([^"]*?)"
Method No http_method:"(.*?)"
Policy Name Yes 'policy:\{"(.*?)"\}
Response Code No http_response:\{"code":(\d+)\}
Service Name Yes

svc_name:"([^"]*?)"

svc_name:"(.*?)"
Status Code Yes status_code:"(.*?)"
Status ID No status_id:"(.*?)"
Type No

type:"([^\"]*?)"

type_name:"([^\"]*?)"
URL Host Yes hostname:"([^"]*?)"
User Agent No user_agent:"([^"]*?)"
Vendor No vendor_name:"(.*?)"

(Back to top)

IBM Security QRadar Custom Properties for Amazon AWS 5.0.1

The following table shows the custom properties that are new in IBM Security QRadar Custom Properties for Amazon AWS 5.0.1.

Table 2. Custom Properties in IBM Security QRadar Custom Properties for Amazon AWS 5.0.1
Custom Property Optimized Capture Group JSON Expression
Profile Yes N/A

/"requestParameters"/"instanceProfileName"

/"requestParameters"/"iamInstanceProfile"/"name"

The Originating Host custom property type is changed to "string".

All rules, reports, and saved searches have been removed and added to the IBM Security QRadar Content Extension for Hybrid Cloud Use Cases.

(Back to top)

IBM Security QRadar Custom Properties for Amazon AWS 5.0.0

The following table shows the custom properties that are updated in IBM Security QRadar Custom Properties for Amazon AWS 5.0.0 for use with the AWS Network Firewall DSM.

Table 3. Custom Properties in IBM Security QRadar Custom Properties for Amazon AWS 5.0.0
Custom Property Optimized Capture Group Regex
Action Yes 1 action":"(.*?)"
Bytes No 1 bytes":(\d+)
Packets No 1 pkts":(\d+)
Signature ID No 1 signature_id":(\d+)
Violation Signatures No 1 signature":"(.*?)"

The following table shows the rules that are new or updated in IBM Security QRadar Custom Properties for Amazon AWS 5.0.0.

Table 4. Rules in IBM Security QRadar Custom Properties for Amazon AWS 5.0.0
Name Description
AWS Cloud: Detected A Successful Login To AWS Console From Different Geographies Detects if the same username will login to Amazon AWS Management console from different source geographies, may indication shared or stolen credentials.
AWS Cloud: Multiple Console Login Failures From Different Source Ips Looks for login failures to the AWS Console 25 times in 2 minutes, from different source IP addresses.
AWS Cloud: Multiple Console Login Failures from Same Source IP Detects login failures to AWS management console, and triggers an offense if at least 5 login failures happen from the same source IP address in 2 minutes

(Back to top)

IBM Security QRadar Custom Properties for Amazon AWS 4.1.0

The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties for Amazon AWS 4.1.0.

Table 5. Custom Properties in IBM Security QRadar Custom Properties for Amazon AWS 4.1.0
Custom Property Optimized Capture Group Regex
Request URI Yes 1 \buri[":]+"([^"]*)"
User Agent No 1 \buser-agent[",]+value[":]+"([^"]*)" is now (?i)\buser-agent[",]+value[":]+"([^"]*)"

(Back to top)

IBM Security QRadar Custom Properties for Amazon AWS 4.0.0

The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties for Amazon AWS 4.0.0.

Table 6. Custom Properties in IBM Security QRadar Custom Properties for Amazon AWS 4.0.0
Custom Property Optimized Capture Group Regex or JSON expression
Access Key ID Yes   \bType":\s*?"AwsIamAccessKey",.*?"Id":\s*?"([^\"]*?)"
Account ID No 1 /"detail"/"findings"[0]/"AwsAccountId"

\baccount_id[":]+([^"]*)"
Action Yes 1 /"detail"/"findings"[0]/"ProductFields"/"action/actionType"

\bfirewall_rule_action[\"\:]+([^\"]+)
Alert Severity No   /"detail"/"findings"[0]/"ProductFields"/"aws/securityhub/SeverityLabel"
API Path No   /"detail"/"findings"[0]/"ProductFields"/"action/awsApiCallAction/api"
DNS Request Type No 1 \bquery_type[":]+([^"]*)"

(?:Z[\s\t][a-zA-Z0-9]+[\s\t][^\s]+[\s\t])(\w+)
Domain No 1 \bquery_name[":]+([^"]*)"

(?:Z[\s\t][a-zA-Z0-9]+[\s\t])([^\s]+)
Domain List No 1 \bfirewall_domain_list_id[\"\:]+([^\"]+)
GroupID Yes 1 \bfirewall_rule_group_id[\"\:]+([^\"]+)
Image ID Yes   /"detail"/"findings"[0]/"Resources"[0]/"Details"/"AwsEc2Instance"/"ImageId"
Instance Size Type Yes   /"detail"/"findings"[0]/"Resources"[0]/"Details"/"AwsEc2Instance"/"Type"
Instance ID Yes 1 \binstance[\"\:]+([^\"]+)
IP Protocol No 1 (?:Z[\s\t][a-zA-Z0-9]+[\s\t][^\s]+[\s\t]\w+[\s\t]\w+[\s\t])(\w+)

\btransport[":]+([^"]*)"
Machine ID Yes   /"detail"/"findings"[0]/"Resources"[0]/"Id"
Message No   /"detail"/"findings"[0]/"Title"
MessageID Yes   /"detail"/"findings"[0]/"Id"
Method No 1 \bhttpMethod[":]+"([^"]*)"
Originating Host Yes 1 \bsrcaddr[":]+([^"]*)"
Region Yes 1 /"region"

\bregion[":]+([^"]*)"
Request Destination No 1 \bsec-fetch-dest[",]+value[":]+"([^"]*)"
Request Mode No 1 \bsec-fetch-mode[",]+value[":]+"([^"]*)"
Request Site No 1 \bsec-fetch-site[",]+value[":]+"([^"]*)"
Request URI No 1 \buri[":]+"([^"]*)"
Response Code No 1 \brcode[":]+([^"]*)"

(?:Z[\s\t][a-zA-Z0-9]+[\s\t][^\s]+[\s\t]\w+[\s\t])(\w+)
Source Country No 1 \bcountry[":]+"([^"]*)"
Subnet ID Yes   /"detail"/"findings"[0]/"Resources"[0]/"Details"/"AwsEc2Instance"/"SubnetId"
User Agent No 1 \buser-agent[",]+value[":]+"([^"]*)"
VPC ID Yes 1 /"detail"/"findings"[0]/"Resources"[0]/"Details"/"AwsEc2Instance"/"VpcId"

\bvpc_id[":]+([^"]*)"

The following reference sets are removed in IBM Security QRadar Custom Properties for Amazon AWS 4.0.0.

  • AWS - Admin Groups
  • AWS - Admin Roles
  • AWS - Admin Users
  • AWS - Critical EC2 Instance IDs
  • AWS - Instance Image IDs
  • AWS - Standard Users
  • AWS - VPC IDs

The following rules are removed in IBM Security QRadar Custom Properties for Amazon AWS 4.0.0.

  • AWS Cloud: Network ACL Changes 
  • AWS Cloud: A Signing Certificate Has Been Removed 
  • AWS Cloud: An EC2 Instance Has Been Created From A Non-Standard Amazon Machine Image (AMI) 
  • AWS Cloud: An EC2 Instance Has Been Created In A Non-Standard VPC or without VPC
  • AWS Cloud: Cloud activity by root user 
  • AWS Cloud: Critical EC2 Instance Has Been Stopped OR Terminated
  • AWS Cloud: Group has been Created or Deleted
  • AWS Cloud: Key Pair Management configuration changes
  • AWS Cloud: Multiple Failed API Requests From Different Source Ips
  • AWS Cloud: Network Gateway Changes
  • AWS Cloud: Password Policy Updated 
  • AWS Cloud: Routing Table Changes
  • AWS Cloud: S3 Bucket accessed by Non-Standard User
  • AWS Cloud: S3 Bucket has been created
  • AWS Cloud: S3 Bucket has been deleted
  • AWS Cloud: S3 Bucket Policy changes 
  • AWS Cloud: Security Group Configuration changes
  • AWS Cloud: User added to a Group with Admin Role Capability
  • AWS Cloud: User Profile Updated
  • AWS Cloud: User who has no admin rights accesses an Admin Role
  • AWS Cloud: VPC Configuration Changes 

The following searches are removed in IBM Security QRadar Custom Properties for Amazon AWS 4.0.0.

  • AWS S3 Buckets Created

The following reports are removed in IBM Security QRadar Custom Properties for Amazon AWS 4.0.0.

  • AWS S3 Buckets Created - Monthly
  • AWS S3 Buckets Created - Weekly
  • AWS S3 Buckets Deleted - Monthly
  • AWS S3 Buckets Deleted - Weekly

(Back to top)

IBM Security QRadar Custom Properties for Amazon AWS 3.0.0

IBM Security QRadar Custom Properties for Amazon AWS 3.0.0 adds custom properties to use with Amazon Elastic Kubernetes Service.

The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties for Amazon AWS 3.0.0.

Table 7. Custom Properties in IBM Security QRadar Custom Properties for Amazon AWS 3.0.0
Custom Property Optimized Capture Group Regex
API Path No 1 /"requestURI"
Container Image No 1 /"requestObject"/"spec"/"containers"[0]/"image"
Container Name No 1 /"requestObject"/"spec"/"containers"[0]/"name"
MessageID Yes 1 /"auditID"
Namespace Yes 1 /"objectRef"/"namespace"

objectRef[":{]+resource[":]+namespaces+[":]+,["]+name":"(.*?)"
Priviliged Container Yes 1 securityContext[":{]+privileged[":]+(true)
Privileged Container Name No 1 securityContext[":{]+privileged[":]+true}+,[":{]+name":"(.*?)"
Process CommandLine Yes 1 command=(.*?)container=
Reason Yes 1 /"responseStatus"/"reason"
Resource Yes 1 /"objectRef"/"resource"
Resource Name Yes 1 /"objectRef"/"name"
Role Yes 1 /"requestObject"/"roleRef"/"name"
Role Actions Yes 1 /"requestObject"/"rules"[0]/"verbs"[]
Role Assigned Resources Yes 1 /"requestObject"/"rules"[0]/"resources"[]
Source Mount Point Yes 1 volumeMounts":[{.*?"mountPath[":]+([^"]+)
Target User Name Yes 1 "subjects":[{.*?"name":"([^"]+)"
User Agent No 1 /"userAgent"

(Back to top)

IBM Security QRadar Custom Properties for Amazon AWS 2.0.0

The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties for Amazon AWS 2.0.0.

Table 8. Custom Properties in IBM Security QRadar Custom Properties for Amazon AWS 2.0.0
Custom Property Optimized Capture Group Regex
Action Yes 1 (?:http|ftp|tcp|ssl|https).*?\".*\"\s+.*?\s+\d+\s+.*?\s"(.*?)"\s
BytesReceived Yes 1 \s(\d+)\s(\d+)\s"(?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH)
BytesSent Yes 1 \s(\d+)\s"(?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH)
Certificate No 1 (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH).*?\"\s".*?"\s.*?\s.*?\s.*?\s".*?"\s".*?"\s"(.*?)"\s
Cipher No 1 (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH).*?\"\s".*?"\s(.*?)\s
Classification No 1 (?:http|ftp|tcp|ssl|https).*?\".*\"\s+.*?\s+\d+\s+.*?\s+".*?"\s+".*?"\s+".*?"\s+.*?\s+".*?"\s+"(.*?)"\s+
Error Code Yes 1 (?:http|ftp|tcp|ssl|https).*?\".*\"\s+.*?\s+\d+\s+.*?\s+".*?"\s+".*?"\s+"(.*?)"\s+
Finding ID No 1 detail":.*?id":"(.*?)"
Group Name Yes 1 (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH).*?\"\s".*?"\s.*?\s.*?\s(.*?)\s
Method No 1 (GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH)
Reason Yes 1 (?:http|ftp|tcp|ssl|https).*?\".*\"\s+.*?\s+\d+\s+.*?\s+".*?"\s+".*?"\s+".*?"\s+.*?\s+".*?"\s+".*?"\s+"(.*?)"
Redirect URL No 1 (?:http|ftp|tcp|ssl|https).*?\".*\"\s+.*?\s+\d+\s+.*?\s+".*?"\s+"(.*?)"\s+
Resource ID No 1 (?:http|https|h2|grpcs|ws|wss)\s+.*?\s(.*?)\s
Response Code No 1 \s(\d+)\s(\d+)\s(\d+)\s(\d+)\s"(?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH)
Rule ID No 1 (?:http|ftp|tcp|ssl|https).*?\".*\"\s+.*?\s+(\d+)\s
TLS or SSL protocol level No 1 (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH).*?\"\s".*?"\s.*?\s(.*?)\s
Transaction ID No 1 (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH).*?\"\s".*?"\s.*?\s.*?\s.*?\s"(.*?)"\s
URL Query String No 1 (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH)\s([^\;\s]+)
UrlHost Yes 1 (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH).*?\"\s".*?"\s.*?\s.*?\s.*?\s".*?"\s"(.*?)"\s
User Agent No 1 (?:GET|POST|CONNECT|TUNNEL|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH).*?\"\s"(.*?)"

(Back to top)

IBM Security QRadar Custom Properties for Amazon AWS 1.4.0

The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties for Amazon AWS 1.4.0.

Table 9. Custom Properties in IBM Security QRadar Custom Properties for Amazon AWS 1.4.0
Custom Property Optimized Capture Group Regex or JSON
Access Key ID Yes   /"userIdentity"/"accessKeyId"
Alert Severity No 1 "severity":(\d+)
Audit Flags Yes   /"requestParameters"/"setAsDefault"
Machine ID Yes 1 instanceId\"\:\s*\"([^\"]+)
MFA Used Yes   /"additionalEventData"/"MFAUsed"
Role Name Yes 1 \buserType":"AssumedRole","userName":"(.*?)"

assumed-role\/(.*?)\/

\bdisassociating.*?iamInstanceProfile".*?arn":".*?\/(.*?)"

/"requestParameters"/"AssociateIamInstanceProfileRequest"/"IamInstanceProfile"/"Name"
Target Access Key ID Yes   /"responseElements"/"credentials"/"accessKeyId"
Volume ID Yes   /"requestParameters"/"volumeId"

The Group Account Name custom property was removed.

The following table shows the reference data that is new or updated in IBM Security QRadar Custom Properties for Amazon AWS 1.4.0.

Table 10. Reference Data in IBM Security QRadar Custom Properties for Amazon AWS 1.4.0
Type Name Description
Reference Set AWS - Audit Events Updated to fix broken linkage due to missing elements..
Reference Set AWS - VPC Events Updated to fix broken linkage due to missing elements..

The following table shows the saved searches that are new or updated in IBM Security QRadar Custom Properties for Amazon AWS 1.4.0.

Table 11. Saved Searches in IBM Security QRadar Custom Properties for Amazon AWS 1.4.0
Name Description
S3 Bucket has been created Updated to use a rule instead of the event in the search filter.
S3 Bucket has been deleted Updated to use a rule instead of the event in the search filter.

All saved searches are updated to use Source Address or Destination Address rather than Source IP or Destination IP.

(Back to top)

IBM Security QRadar Custom Properties for Amazon AWS 1.3.0

The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties for Amazon AWS 1.3.0.

Table 12. Custom Properties in IBM Security QRadar Custom Properties for Amazon AWS 1.3.0
Custom Property Optimized Capture Group Regex
AccountID No 1 "accountId":\s+"(\d*?)",
Blocked No 1 "blocked":\s+([a-z]+)
Group Name Yes 1 "groupName":\s+"(.*?)"
GroupID Yes 1 "groupId":\s+"(.*?)"
Image ID Yes 1 "imageId":\s+"(.*?)",
Instance Size Type Yes 1 "instanceType":\s+"(.*?)",
Instance State No 1 "instanceState":\s+"(.*?)",
InstanceID Yes 1 "instanceId":\s+"(.*?)"
Message No 1 "title":\s+"(.*?)"
Region Yes 1 "region":\s+"(.*?)",
Resource ID No 1 "partition":.+"id":\s+"(.*?)",\s+"arn":
Resource Role No 1 "resourceRole":\s+"(.*?)"
Threat Name Yes 1 "threatName":\s+"(.*?)",
UserType Yes 1 "userType":\s+"(.*?)",
VPC ID Yes 1 "vpcId":\s+"(.*?)"

(Back to top)

IBM Security QRadar Custom Properties for Amazon AWS 1.2.7

The UserAdded custom property was merged with the Target User Name custom property. The AWS User Account Created saved search now uses the Target User Name custom property.

The Account ID custom property type was set to AlphaNumeric.

(Back to top)

IBM Security QRadar Custom Properties for Amazon AWS 1.2.6

The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties for Amazon AWS 1.2.6.

Table 13. Custom Properties in IBM Security QRadar Custom Properties for Amazon AWS 1.2.6
Custom Property Optimized Enabled Regex Event Name
Machine ID Yes Yes instanceId":\s*"([^"]+)  
Public Permission Yes Yes \/groups\/global.*?"},"Permission":\s*\"(FULL_CONTROL|READ|WRITE_ACP)\" Put Object Acl

Put Bucket Acl
Role Name Yes Yes "policyArn":".?/(.?)" Attach User Policy
Target User Name Yes Yes "invokedBy":"(.*?)"

"userName":"(.*?)"

 Attach User Policy

(Back to top)

IBM Security QRadar Custom Properties for Amazon AWS 1.2.5

The following table shows the custom properties that are updated in IBM Security QRadar Custom Properties for Amazon AWS 1.2.5.

Table 14. Updated Custom Properties in IBM Security QRadar Custom Properties for Amazon AWS 1.2.5
Custom Property Optimized Enabled Regex Event Name
Filename Yes Yes key\"\:\"([^\"]+) Put Object Acl

The saved searches in IBM Security QRadar Custom Properties for Amazon AWS 1.2.5 are shared with everyone.

(Back to top)

IBM Security QRadar Custom Properties for Amazon AWS 1.2.4

The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties for Amazon AWS 1.2.4.

Table 15. Custom Properties in IBM Security QRadar Custom Properties for Amazon AWS 1.2.4
Name Optimized Capture Group Regex
AccountID No

No

 1

1

 accountId=(.*?)\t

\"accountId\"\:\"(\d*?)\"
Environment Type Yes 1 \"eventType\":\"(.*?)\"
File Extension Yes 1 key\"\:\"[^\"]+\.([^\"]+)
Filename Yes 1 key\"\:\"([^\"]+)
Instance State No 1 \"instanceState\":\{\"code\":(\d+),
Public Permission Yes 1 \/groups.*?"},"Permission":\s*\"(FULL_CONTROL|READ|WRITE_ACP)\"
Region Yes 1

awsRegion=(.*?)\t
Resource ID No 1 \"resourceId\":\"(.*?)\"
Storage Name Yes 1 \"bucketName\":\"(.*?)\"
User Agent No

No

 1

1

 \"userAgent\":\"(.*?)\"

userAgent=(.*?)\t
UserType Yes 1 userIdentity.type=(.*?)\t
VPC ID Yes 1 vpcId=(.*?)\t

(Back to top)

IBM Security QRadar Custom Properties for Amazon AWS 1.2.3

The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties for Amazon AWS 1.2.3.

Table 16. Custom Properties in IBM Security QRadar Custom Properties for Amazon AWS 1.2.3
Name Capture Group Regex
InstanceID 1 instanceId\"\:\s*\"([^\"]+)
Target User Name 1 requestParameters[\"\:\{\.]*userName[\"\:]*([^\"]+)
Policy Name 1

1

 policyName\"\:\"([^\"]+)

policyArn\"\:\"([^\"]+)
Error Code 1

1

1

 \"errorCode\":\"([^\"]+)

\"ConsoleLogin\"\:\"([^\"]+)

"errorMessage":"([^\"]+)
Event Type 1 eventType=(.*?)\t
EventName 1 "eventName"\:\"([^\"]+)
UserType 1 "type":"([^\"]+)

The User Policy Name custom property was removed in this release.

The Action custom property was renamed to Error Code.

The following table shows the rules that are new or updated in IBM Security QRadar Custom Properties for Amazon AWS 1.2.3.

Table 17. Rules in IBM Security QRadar Custom Properties for Amazon AWS 1.2.3
Name Description
AWS Cloud: A Signing Certificate Has Been Removed Updated the summary.
AWS Cloud: An EC2 Instance Has Been Created In A Non-Standard VPC or without VPC Updated the rule description.
AWS Cloud: An EC2 Instance Has Been Created From A Non-Standard Amazon Machine Image (AMI) Updated the rule name and the rule response.
AWS Cloud: Cloud activity by root user Updated the rule index, and added a response limiter.
AWS Cloud: An EC2 Instance Has Been Created with Large Specifications Used to be called AWS Cloud: Large Instance Running.

Added the following rule test:

and when the event matches "Instance Size Type" in ('m5.4xlarge','m5.12xlarge','m5.24xlarge','m4.4xlarge',
'm4.10xlarge','m4.16xlarge','c5d.4xlarge','c5d.9xlarge',
'c5d.18xlarge') AQL filter query
AWS Cloud: Multiple Console Login Failures From Different Source IPs Updated the rule name and tests, and changed the rule index.
AWS Cloud: Multiple Console Login Failures from Same Source IP Updated the rule name and tests.
AWS Cloud: Detected a Successful Login To AWS Console From Different Geographies Used to be called AWS Cloud: Multiple Logins Attempts to AWS Console From Different Geographies.

Updated the rule name and tests, and changed the rule index.
AWS Cloud: Detected A Change To AWS Trail Logging Configurations Updated the rule name.
AWS Cloud: Logs Have Been Deleted / Disabled or Stopped Used to be called AWS Cloud: Cloud Trail Deleted.

Updated the rule name and added the following related events:

  • (88750492) Disable Logging
  • (88750787) Stop Logging
  • (88750873) Delete Flow Logs
BB: AWS Cloud Read Attempt Error Code Used to be called BB: AWS Cloud Read Attempt Error Code.

Replaced the regex condition with equals any operator. Added the Client.UnauthorizedOperation error code.
AWS Cloud: Multiple Failed API Requests From Same Source IP Used to be called AWS Cloud: Multiple Failed Read Attempts from same Source IP.
AWS Cloud: Multiple Failed API Requests From The Same Username Used to be called AWS Cloud: Multiple Failed Read Attempts from the same Username.

Changed the rule index to be indexed by the username.
AWS Cloud: Multiple Failed API Requests From Different Source IPs Used to be called AWS Cloud: Multiple Failed Read Attempts from Different Source Ips.

Changed the rule index to be indexed by the destination IP.
AWS Cloud: Critical EC2 Instance Has Been Stopped OR Terminated Used to be called AWS Cloud: EC2 Instance Deletions and/or Terminations.

Updated the rule name and tests. Now only monitors critical EC2 instances.
AWS Cloud: Password Policy Updated Updated the rule response.
AWS Cloud: VPC Configuration Changes Updated the rule response.
AWS Cloud: Security Group Configuration Changes Updated the rule response.
AWS Cloud: User who has no admin rights accesses an Admin Role Updated the rule response.
AWS Cloud: S3 Bucket has been created Updated the rule response.
AWS Cloud: S3 Bucket Policy changes Updated the rule response.
AWS Cloud: Network ACL Changes Updated the rule response.
AWS Cloud: S3 Bucket accessed by Non-Standard User Updated the rule response.
AWS Cloud: User Profile Updated Updated the rule response.
AWS Cloud: Group has been Created or Deleted Updated the rule response.
AWS Cloud: S3 Bucket has been deleted Updated the rule response.
AWS Cloud: Network Gateway Changes Updated the rule response.
AWS Cloud: Key Pair Management configuration changes Updated the rule response.
AWS Cloud: Routing Table Changes Updated the rule response.
AWS Cloud: User added to a Group with Admin Role Capability Updated the rule response.

The AWS Cloud: EC2 Instance Running State Change rule was removed in this release.

The following table shows the reference data that is new or updated in IBM Security QRadar Custom Properties for Amazon AWS 1.2.3.

Table 18. Reference Data in IBM Security QRadar Custom Properties for Amazon AWS 1.2.3
Type Name Description
Reference Set AWS - Admin Groups Removed the adamiak-group test entry.
Reference Set AWS - Admin Roles Removed the admin-adamiak-test test entry.

(Back to top)

IBM Security QRadar Custom Properties for Amazon AWS 1.2.2

The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties for Amazon AWS 1.2.2.

Table 19. Custom Properties in IBM Security QRadar Custom Properties for Amazon AWS 1.2.2
Name Optimized Capture Group Regex
Account Name Yes 1 \"userName\".+\"userName\"\:\"([^\"\}]+)
Action Yes 1 \"ConsoleLogin\"\:\"([^\"]+)
Error Code Yes 1 \"errorCode\":\"([^\"]+)
EventName Yes 1 eventName\:\"([^\"]+)
Federated User Yes 1 federated-user/([^\"]+)
Group Account Name Yes 1 userName.+userName\"\:\"([^\s"]+)
Group Name Yes 1 groupName\"\:\"([^\s"]+)
Image ID Yes 1 imageId\"\:\"([^\"]+)
Instance Size Type Yes 1 instanceType\"\:\"([^\"]+)
Policy Name Yes 1 policyArn\"\:\"([^\"]+)
Region Yes 1 awsRegion\"\:\"([^\"]+)
Role Name Yes 1 \"roleName\"\:\"([^\"]+)
User Policy Action Yes 1 policyName\"\:\"([^\"]+)
User Added Yes 1 \"requestParameters.userName\"\:\"([^\"]+)
UserType Yes 1 type:"([^\"]+)
VPC ID Yes 1 vpcId\"\:\"([^\"]+)

The following table shows the rules and building blocks that are new or updated in IBM Security QRadar Custom Properties for Amazon AWS 1.2.2.

Table 20. Rules and Building Blocks in IBM Security QRadar Custom Properties for Amazon AWS 1.2.2
Type Name Description
Building Block BB: AWS Cloud Read Attempt Error Code Used by the Read Attempt rules and returns an Access Denied parameter.
Rule AWS Cloud: Password Policy Updated Detects when a password policy has been updated.
Rule AWS Cloud: VPC Configuration Changes Detects additions and changes to VPCs and VPC attributes.
Rule AWS Cloud: EC2 Instance Running State Change Detects running, rebooting, starting instances.
Rule AWS Cloud: Cloud Trail Deleted Detects Amazon AWS Cloud Trail log being deleted.
Rule AWS Cloud: Cloud activity by root user Detects Amazon AWS activity by the root user.  Logging in as root hides the true identity of the user.
Rule AWS Cloud: Large Instance Running Detects when a large EC2 instance is started.
Rule AWS Cloud: Security Group Configuration changes Detects changes to security group configurations, additions/deletions of rules and groups.
Rule AWS Cloud: Changes made to Cloud Trail Log or its Configuration Detects configuration changes to the AWS Cloud Trail logs.
Rule AWS Cloud: Multiple Failed Console Logins from Same Source IP Detects failed log in to the AWS Console 5 times in 2 minutes, from the same source IP.
Rule AWS Cloud: Multiple Failed Console Logins from Different Source IPs Detects failed log in to the AWS Console 25 times in 2 minutes, from different source IPs.
Rule AWS Cloud: User who has no admin rights accesses an Admin Role Detects when a user who does not have admin rights is able to attach to an admin role.
Rule AWS Cloud: Multiple Failed Read Attempts from same Source IP Detects multiple AWS configuration read events from the same source IP in a certain amount of time.
Rule AWS Cloud: Multiple Failed Read Attempts from same Source IP Detects when an S3 bucket is created.
Rule AWS Cloud: S3 Bucket Policy changes Detects changes to S3 Bucket Policies, access control lists (ACL), cross-origin resource sharing (CORS), and lifecycle policies.
Rule AWS Cloud: EC2 Launched in non-standard VPC or without VPC Detects when instances are launched in non-standard VPCs or EC2 classic without VPCs.
Rule AWS Cloud: Network ACL Changes Detects additions, deletions, and changes to network ACLs.
Rule AWS Cloud: Multiple Failed Read Attempts from Different Source IPs Detects multiple AWS configuration read events from different source IPs in a certain amount of time.
Rule AWS Cloud: Signing Certificate deleted Detects when a signing certificate is deleted.
Rule AWS Cloud: S3 Bucket accessed by Non-Standard User Detects when a user that is not in AWS - Standard Users attempts to retrieve AWS resources.
Rule AWS Cloud: User Profile Updated Detects when a user profile has been updated.
Rule AWS Cloud: Group has been Created or Deleted Detects when a group is created or deleted.
Rule AWS Cloud: S3 Bucket has been deleted Detects when an S3 bucket or its contents are deleted. Lifecycle, replication, CORS, and other policies.
Rule AWS Cloud: Multiple Console Logins Attempts from Different Geographies Detects when the same user has attempted to log in to the AWS console multiple times from different source geographies. This could represent shared or stolen credentials.
Rule AWS Cloud: Network Gateway Changes Detects additions, deletions, and changes to network gateway configurations in EC2 instances.
Rule AWS Cloud: Key Pair Management configuration changes Detects newly generated keys, deleted keys, encryption, or decryption activities and creates events or alerts depending on severity.
Rule AWS Cloud: EC2 Instance Deletions and/or Terminations Detects stopping and terminating instances.
Rule AWS Cloud: EC2 launched from non-standard image Detects when an instance runs with an image ID that does not match the list of standard images.
Rule AWS Cloud: Multiple Failed Read Attempts from the same Username Detects multiple AWS configuration read events from the same user in a certain amount of time.
Rule AWS Cloud: Routing Table Changes Detects when a new subnet has been associated or deleted from an existing route table.
Rule AWS Cloud: User added to a Group with Admin Role Capability Detects when a user is added to a group that has admin role capabilities.

The following table shows the reports that are new or updated in IBM Security QRadar Custom Properties for Amazon AWS 1.2.2.

Table 21. Reports in IBM Security QRadar Custom Properties for Amazon AWS 1.2.2
Report Name Search Name and Dependencies
AWS Audit Events - Monthly Saved Search: AWS Audit Events
AWS Audit Events - Weekly Saved Search: AWS Audit Events
AWS Failed Console Logins Federated Users - Monthly Saved Search: AWS Failed Console logins Fed User - Group by username and Source IP
AWS Failed Console Logins Federated Users - Weekly Saved Search: AWS Failed Console logins Fed User - Group by username and Source IP
AWS Failed Console Logins Non-Federated Users - Monthly Saved Search: AWS Failed Console Logins Non-Fed User - Grouped by Username and Source IP
AWS Failed Console Logins Non-Federated Users - Weekly Saved Search: AWS Failed Console Logins Non-Fed User - Grouped by Username and Source IP
AWS Group Auditing - Monthly Saved Search: AWS Group Changes Audit
AWS Group Auditing - Weekly Saved Search: AWS Group Changes Audit
AWS Large EC2 Instances Running - Monthly Saved Search: AWS Large Instances Running
AWS Large EC2 Instances Running - Weekly Saved Search: AWS Large Instances Running
AWS Policy Changes Audit - Monthly Saved Search: AWS Policy Change Audit
AWS Policy Changes Audit - Weekly Saved Search: AWS Policy Change Audit
AWS Role Creation, Deletions and Updates - Weekly Saved Search: AWS Role Creations, Deletions and Updates
AWS Role Creations, Deletions and Updates - Monthly Saved Search: AWS Role Creations, Deletions and Updates
AWS S3 Buckets Created - Monthly Saved Search: AWS S3 Buckets Created
AWS S3 Buckets Created - Weekly Saved Search: AWS S3 Buckets Created
AWS S3 Buckets Deleted - Monthly Saved Search: AWS S3 Buckets Deleted
AWS S3 Buckets Deleted - Weekly Saved Search: AWS S3 Buckets Deleted
AWS Security Group Ingress - Monthly Saved Search: AWS Security Group Ingress
AWS Security Group Ingress - Weekly Saved Search: AWS Security Group Ingress
AWS Successful Console Logins Federated Users - Monthly Saved Search: AWS Success Console logins Fed User - Group by username and Source IP
AWS Successful Console Logins Federated Users - Weekly Saved Search: AWS Success Console logins Fed User - Group by username and Source IP
AWS Successful Console Logins Non-Federated Users - Monthly Saved Search: AWS Success Console logins Non-Fed User - Group by username and Source IP
AWS Successful Console Logins Non-Federated Users - Weekly Saved Search: AWS Success Console logins Non-Fed User - Group by username and Source IP
AWS User Account Created - Monthly Saved Search: AWS User Account Created
AWS User Account Created - Weekly Saved Search: AWS User Account Created
AWS VPC Event Audit - Monthly Saved Search: AWS VPC Audit Event
AWS VPC Event Audit - Weekly Saved Search: AWS VPC Audit Event

The following table shows the reference data that is new or updated in IBM Security QRadar Custom Properties for Amazon AWS 1.2.2.

Table 22. Reference Data in IBM Security QRadar Custom Properties for Amazon AWS 1.2.2
Type Name
Reference Set AWS - VPC IDs
Reference Set AWS - Admin Groups
Reference Set AWS - Admin Users
Reference Set AWS - Admin Roles
Reference Set AWS - Instance Image IDs
Reference Set AWS - Standard Users
Reference Set AWS - Audit Events

The following table shows the saved searches that are new or updated in IBM Security QRadar Custom Properties for Amazon AWS 1.2.2.

Table 23. Saved Searches in IBM Security QRadar Custom Properties for Amazon AWS 1.2.2
Name Description
AWS S3 Bucket Created This saved search is used in the S3 Buckets Created reports.
AWS S3 Bucket Deleted This saved search is used in the S3 Buckets Deleted reports.
AWS Large Instances Running This saved search is used in the Large EC2 Instances Running reports.
AWS VPC Audit Event This saved search is used in the AWS VPC Event Audit reports.
AWS Failed Console Logins Non-Fed User - Grouped by Username and Source IP This saved search is used in the Failed Console Logins Non-Federated Users reports.
AWS Failed Console logins Fed User - Group by username and Source IP This saved search is used in the Failed Console Logins Federated Users reports.
AWS Security Group Ingress This saved search is used in the Security Group Ingress reports.
AWS Role Creations, Deletions and Updates This saved search is used in the Role reports.
AWS Success Console logins Fed User - Group by username and Source IP This saved search is used in the Successful Console Logins Federated Users reports.
AWS Policy Change Audit This saved search is used in the Policy Change reports.
AWS Group Changes Audit This saved search is used in the Group Changes reports.
AWS Success Console logins Non-Fed User - Group by username and Source IP This saved search is used in the Successful Console Logins Non-Federated Users reports.
AWS Audit Events This saved search is used in the Audit Event reports.
AWS User Account Created This saved search is used in the User Account Created reports.

(Back to top)

IBM Security QRadar Custom Properties for Amazon AWS 1.1.0

The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties for Amazon AWS 1.1.0.

Table 24. Custom Properties in IBM Security QRadar Custom Properties for Amazon AWS 1.1.0
Name Regex
User Policy Name policyName\"\:\"([^\"]+)
Instance Size Type instanceType\"\:\"([^\"]+)

The Role custom property was removed in this release.

The following table shows the rules that are new or updated in IBM Security QRadar Custom Properties for Amazon AWS 1.1.0.

Table 25. Rules in IBM Security QRadar Custom Properties for Amazon AWS 1.1.0
Type Name Description
Rule AWS Cloud: Large Instance Running Detects when a large instance is running.
Rule AWS Cloud: Network ACL Changes Detects changes to the Access Control List (ACL).
Rule AWS Cloud: EC2 Instance Deletions and/or Terminations Detects when an EC2 instance is terminated or deleted.
Rule AWS Cloud: VPC Configuration Changes Detects configuration changes made to a Virtual Private Cloud (VPC).
Rule AWS Cloud: S3 Bucket accessed by Non-Standard User Detects access to an S3 bucket by a user that is not listed in the AWS - Standard Users reference set.
Rule AWS Cloud: EC2 Instance Running State Change Detects changes to the running state of an EC2 instance.
Rule AWS Cloud: Key Pair Management configuration changes Detects changes to key pair management configuration.
Rule AWS Cloud: S3 Bucket Policy Detects changes to S3 bucket policies.
Rule AWS Cloud: Security Group Configuration changes Detects changes to security group configuration.
Rule AWS Cloud: Network Gateway Changes Detects changes to the network gateway.
Rule AWS Cloud: S3 Bucket has been deleted Detects when an S3 bucket is deleted.
Rule AWS Cloud: S3 Bucket has been created Detects when an S3 bucket is created.

The following table shows the reference data that are new or updated in IBM Security QRadar Custom Properties for Amazon AWS 1.1.0.

Table 26. Reference Data in IBM Security QRadar Custom Properties for Amazon AWS 1.1.0
Type Name Description
Reference Set AWS - Standard Users A list of your organization's AWS users. This reference set is used by AWS Cloud: S3 bucket accessed by Non-Standard User.

(Back to top)

IBM Security QRadar Custom Properties for Amazon AWS 1.0.0

The following table shows the custom properties in IBM Security QRadar Custom Properties for Amazon AWS 1.0.0.

Table 27. Custom Properties in IBM Security QRadar Custom Properties for Amazon AWS 1.0.0
Name Regex
Region awsRegion\"\:\"([^\"]+)
Account Name \"userName\".+\"userName\"\:\"([^\"\}]+)
Group Name groupName\"\:\"([^\s"]+)
Federated User federated-user/([^\"]+)
UserType "type":"([^\"]+)
UserAdded \"requestParameters.userName\"\:\"([^\"]+)
Action \"ConsoleLogin\"\:\"([^\"]+)
Group Account Name userName.+userName\"\:\"([^\s"]+)
Error Code \"errorCode\":\"([^\"]+)
Role policy_id=(\d+)

The following table shows the rules and building blocks in IBM Security QRadar Custom Properties for Amazon AWS Content Extension 1.0.0.

Table 28. Rules and Building Blocks in IBM Security QRadar Amazon AWS Content Extension 1.0.0
Type Name Description
Building Block BB: AWS Cloud Read Attempt Error Code Used by the Read Attempt rules and returns an Access Denied Parameter.
Rule AWS Cloud: Multiple Failed Console Logins from Different Source IP Detects failed logins to the AWS Console from different source IPs for a total of five times in 2 minutes.
Rule AWS Cloud: Multiple Console Login Attempts from Different Geographies Detects failed logins to the AWS Console from different geographies for a total of five times in 2 minutes.
Rule AWS Cloud: Multiple Failed Console Logins from Same Source IP Detects failed logins to the AWS Console from the same source IP for a total of five times in 2 minutes.
Rule AWS Cloud: Multiple Failed Read Attempts from same Source IP Detects multiple AWS Configuration Read events from the same source IP in a certain amount of time.
Rule AWS Cloud: Cloud Trail Deleted Detects when Amazon AWS Cloud Trail Logs are deleted.
Rule AWS Cloud: Multiple Failed Read Attempts from Different Source IPs Detects multiple AWS Configuration Read events from different source IPs in a certain amount of time.
Rule AWS Cloud: Cloud Activity by root user Detects Amazon AWS activity by the root user. Logging in as root hides the identity of the user.
Rule AWS Cloud: Multiple Failed Read Attempts from the same Username Detects multiple AWS Configuration Read events from the same source IP in a certain amount of time.

The following table shows the reports in IBM Security QRadar Amazon AWS Content Extension 1.0.0.

Table 29. Reports in IBM Security QRadar Amazon AWS Content Extension 1.0.0
Report Name Description
AWS Audit Events - Monthly Provides greater monitoring and trending of AWS audit activities.
AWS Audit Events - Weekly Provides greater monitoring and trending of AWS audit activities.
AWS Failed Console Logins Federated Users - Monthly Provides greater monitoring and trending of AWS login activities.
AWS Failed Console Logins Federated Users - Weekly Provides greater monitoring and trending of AWS login activities.
AWS Failed Console Logins Non-Federated Users - Monthly Provides greater monitoring and trending of AWS login activities.
AWS Failed Console Logins Non-Federated Users - Weekly Provides greater monitoring and trending of AWS login activities.
AWS Group Auditing - Monthly Provides greater monitoring and trending of AWS group auditing activities.
AWS Group Auditing - Weekly Provides greater monitoring and trending of AWS group auditing activities.
AWS Policy Changes Audit - Monthly Provides greater monitoring and trending of AWS policy change activities.
AWS Policy Changes Audit - Weekly Provides greater monitoring and trending of AWS policy change activities.
AWS Role Creation, Deletions and Updates - Monthly Provides greater monitoring and trending of AWS role activities.
AWS Role Creation, Deletions and Updates - Weekly Provides greater monitoring and trending of AWS role activities.
AWS - Security Group Ingress - Monthly Provides greater monitoring and trending of AWS security group ingress activities.
AWS Security Group Ingress - Weekly Provides greater monitoring and trending of AWS security group ingress activities.
AWS Successful Console Logins Federated Users - Monthly Provides greater monitoring and trending of AWS login activities.
AWS Successful Console Logins Federated Users - Weekly Provides greater monitoring and trending of AWS login activities.
AWS Successful Console Logins Non-Federated Users - Monthly Provides greater monitoring and trending of AWS login activities.
AWS Successful Console Logins Non-Federated Users - Weekly Provides greater monitoring and trending of AWS login activities.
AWS User Account Created - Monthly Provides greater monitoring and trending of AWS user account creation activities.
AWS User Account Created - Weekly Provides greater monitoring and trending of AWS user account creation activities.
AWS VPC Event Audit - Monthly Provides trending for events from the Amazon Virtual Private Cloud.
AWS VPC Event Audit - Weekly Provides trending for events from the Amazon Virtual Private Cloud.

The following table shows the reference data in IBM Security QRadar Amazon AWS Content Extension 1.0.0.

Table 30. Reference Data in IBM Security QRadar Amazon AWS Content Extension 1.0.0
Type Name Description
Reference Set AWS_Audit_Events A set of AWS Audit events (QIDs) that are used by the AWS Audit Events search/report. Users can add or delete according to their environment.

The following table shows the saved searches in IBM Security QRadar Amazon AWS Content Extension 1.0.0.

Table 31. Saved Searches in IBM Security QRadar Amazon AWS Content Extension 1.0.0
Name Description
AWS - User Account Created This saved search is used in the User Account Created reports.
AWS - Group Changes Audit This saved search is used in the Group Changes reports.
AWS - Security Group Ingress This saved search is used in the Security Group Ingress reports.
AWS Success Console logins Fed User - Group by username and Source IP This saved search is used in the Successful Console Logins Federated Users reports.
AWS Success Console logins Non-Fed User - Group by username and Source IP This saved search is used in the Successful Console Logins Non-Federated Users reports.
AWS Failed Console Logins Non-Fed User - Grouped by username and Source IP This saved search is used in the Failed Console Logins Non-Federated Users reports.
AWS Failed Console logins Fed User - Group by username and Source IP This saved search is used in the Failed Console Logins Federated Users reports.
AWS Role Creation, Deletions, and Updates This saved search is used in the Role reports.
AWS Policy Change Audit This saved search is used in the Policy Change reports.
AWS Events to Audit This saved search is used in the Audit Event reports.
AWS VPC Audit Event This saved search is used in the AWS VPC Event Audit reports.

(Back to top)