AWS Cloud Attack

IBM QRadar helps you monitor your Amazon Web Services (AWS) cloud environment so that you can quickly detect high-risk misconfiguration, targeted threats, and exploitation of cloud resources.

The AWS Cloud attack use case shows how QRadar detects a suspicious login to Amazon Web Services (AWS), followed by the creation of a high volume of Amazon Elastic Compute Cloud (EC2) instances, and the potential data exfiltration from an Amazon Simple Storage Service (S3) bucket.

The simulated attack starts with the mail server information message, indicating a potential spam email with a suspicious attachment. Shortly after the attachment is opened, QRadar detects a series of events that contribute to a single offense, which might indicate that an active threat is occurring.

Simulating the threat

To see how QRadar detects the AWS Cloud Attack, watch the AWS Cloud Attack simulation video.

To run the simulation in QRadar, follow these steps:
  1. On the Log Activity tab, click Show Experience Center.
  2. Click Threat simulator.
  3. Locate the AWS Cloud Attack simulation and click Run.
On the Log Activity tab, you can see the following incoming events that are used to simulate the use case:
Table 1. Incoming events for the AWS Cloud Attack use case
Content Description
Events Mail Server Info Message

Process Create

Console Login

Run Instances

List Buckets

Get Object

Log sources Experience Center: WindowsAuthServer @ IE8WIN7

Experience Center: AWS Syslog @

Experience Center: Cisco IronPort @

The events play in a loop and the same use case repeats multiple times. To stop the simulation, click Stop on the Threat simulator tab.

Detecting the threat: QRadar in action

The Custom Rules Engine (CRE) component of QRadar is responsible for processing incoming events and flows. The CRE compares the events and flows against a collection of tests, which are known as rules, and the rules create offenses when specific conditions are met. The CRE tracks the rule tests and incident counts over time.

Knowing that an offense occurred is only the first step. QRadar makes it easier for you to do an in-depth analysis dive and identify how it happened, where it happened, and who did it. By indexing the offense, all events with the same threat name appear as a single offense.

Investigating the threat

To see the list of QRadar content that contributes to this simulation, including rules, saved searches, offenses, and reference sets, follow these steps:
  1. Open the IBM QRadar Experience Center app.
  2. In the Threat simulator window, click the Read More link for the simulations, and select the type of content that you want to review.

    Alternatively, from the Log Activity tab, you can run the quick search called EC: AWS Cloud Attack Events to view all events that are associated with the offense.