add search account
talaviss-r7 committed Mar 20, 2024
1 parent 06ae1ab commit c0e4775
Showing 1 changed file with 7 additions and 7 deletions.
Expand Up @@ -129,7 +129,7 @@ Wait for like 5 minutes until all resources are created

CFT needs to run for **at least 24 hours** to let Anomaly Engine getting solid base line profiles

After running the CFT you should see:
After running the CFT you should see following rows appear in CFT stack:
![Cloud formation after running](img/CFT.png)

Click the resources tab of the stack that ran the CFT you should see the following resources created in status CREATE_COMPLETE
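Review bot: the replacement sentence in this hunk is missing its articles; "After running the CFT you should see the following rows appear in the CFT stack:" reads cleanly. Since this commit switches the demo from the unusual-DB-activity template to the S3 account-search one, also confirm that the unchanged screenshot reference on the next line, img/CFT.png, still shows the stack produced by the new template rather than the old one.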
Expand All @@ -139,7 +139,6 @@ Click the resources tab of the stack that ran the CFT you should see the followi
- PermissionForLambdaEvent



## Running the actual attack Cloud Formation table

The attack is a malicious lambda which uses the previous role,
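Review bot: this hunk only drops one of three consecutive blank lines ahead of the "## Running the actual attack Cloud Formation table" heading; one blank line is enough, so the remaining extra one could go in the same cleanup. The heading itself (unchanged context) says "table" where the section describes launching a CloudFormation template, so "template" looks like the intended word.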
Expand All @@ -159,7 +158,7 @@ Continuing choose the following options:
* Template is ready
* upload a template file
* Click the choose file button
* Choose the CFT-Trailblazer-Demo-Start-Unusual-DB-Activity.yaml
* Choose the CFT-Trailblazer-Demo-S3-Account-Search.yaml
* Click the next button
* Enter unique descriptive stack name
* Click the next button
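Review bot: the file name the reader is told to upload changes here to CFT-Trailblazer-Demo-S3-Account-Search.yaml, but this commit touches only one file (the README per the "1 changed file" summary), so verify that template is already present in the repository at that exact name; otherwise the instructions point at a file that does not exist. If the old CFT-Trailblazer-Demo-Start-Unusual-DB-Activity.yaml is still meant to be supported, say so, since this edit removes the only reference to it.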
Expand All @@ -178,11 +177,12 @@ Navigate to the ICS UI and refresh the page and perform the needed advanced filt

Verify you see in threat findings UI detections of finding type
``` txt
API Activity: unusual change in count of unique actions
API Activity: unusual DB activity
API Activity: change in count of unauthorized read access attempts
```
with entity_id in the raw json like:
```
my-baseline-start-search-1-AttackSimulationRole-XXXXXX/AssumeRoleSessionTbAttack
```

![threat findings](img/threatFindings.png)

## Remediation and recommendations
#### Social Engineering:
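Review bot: the entity_id example "my-baseline-start-search-1-AttackSimulationRole-XXXXXX/AssumeRoleSessionTbAttack" mixes a concrete stack-name prefix with an XXXXXX placeholder; state that the prefix is whatever stack name the reader entered in the earlier step and that XXXXXX stands for the suffix CloudFormation generates, so nobody searches for that literal string. The finding-type list now names "change in count of unauthorized read access attempts" in place of "unusual DB activity", which matches the new S3 account-search scenario, but the first fence is tagged "txt" while the second fence has no tag; tag both the same way. The context also jumps from "## Remediation and recommendations" straight to "#### Social Engineering:", skipping a heading level.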

0 comments on commit c0e4775