What Changed
AWS Solution v3.0.9 delivers extensive quality improvements across the entire detection surface:
Analytic Rules (61 updated):
- Standardized naming convention with AWS prefix for consistent identification
- Normalized MITRE ATT&CK technique IDs and tactic mappings for proper framework alignment
- Updated entity mappings from deprecated AccountCustomEntity/IPCustomEntity to standard UserIdentityUserName/SourceIpAddress fields
- Added version fields and improved metadata consistency across all rules
Hunting Queries (35 updated):
- Applied same standardization improvements as Analytic Rules
- Enhanced KQL reliability using summarize/order by patterns instead of legacy approaches
- Refined projections and clearer time field handling
Workbooks (2 updated):
- Amazon Web Services Network Activities workbook
- Amazon Web Services User Activities workbook
Detection Logic Impact
Entity mapping changes improve correlation accuracy by aligning with current AWS CloudTrail schema expectations. Previously, detections using AccountCustomEntity fields may have produced incomplete entity resolution in incident timelines.
The standardization does not alter core detection thresholds, filters, or data sources — all rules continue monitoring the same AWS CloudTrail events with identical sensitivity.
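Added illustration, not a file from this release: the before/after shape of one analytic rule's entity handling that the change list above describes. The rule name, the placeholder GUID and the MFA filter in the query are assumptions for the example; only the column names (UserIdentityUserName, SourceIpAddress) and the deprecated AccountCustomEntity/IPCustomEntity names come from the release notes.

```yaml
# Legacy pattern: entity columns synthesized inside the KQL with the deprecated
# *CustomEntity names. Incident entity resolution no longer keys on these, so
# incident timelines can come up with no Account or IP entity at all.
name: AWS - Console Logon Without MFA (illustrative, not the shipped rule)
query: |
  AWSCloudTrail
  | where EventName == "ConsoleLogin"
  | where tostring(parse_json(AdditionalEventData).MFAUsed) =~ "No"
  | extend AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress
---
# Standardized pattern: the query aggregates with summarize / order by, and the
# rule declares entityMappings against the raw AWSCloudTrail columns, so the
# Account and IP entities resolve from UserIdentityUserName / SourceIpAddress.
id: 00000000-0000-0000-0000-000000000000   # placeholder GUID, not a real rule id
name: AWS - Console Logon Without MFA (illustrative, not the shipped rule)
kind: Scheduled
version: 1.0.1
severity: Medium
requiredDataConnectors:
  - connectorId: AWS
    dataTypes:
      - AWSCloudTrail
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
relevantTechniques:
  - T1078
query: |
  AWSCloudTrail
  | where EventName == "ConsoleLogin"
  | where tostring(parse_json(AdditionalEventData).MFAUsed) =~ "No"
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),
              LogonCount = count() by UserIdentityUserName, SourceIpAddress, EventSource
  | order by EndTime desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: UserIdentityUserName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SourceIpAddress
```

A quick way to check a deployed rule after upgrading is to open one of its incidents and confirm that Account and IP entities are populated rather than blank.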
MITRE Coverage
Updated mappings cover an extensive AWS attack surface across:
- Initial Access: T1078 (Valid Accounts), T1190 (Exploit Public-Facing Application)
- Persistence: T1098 (Account Manipulation), T1136.003 (Create Cloud Account)
- Privilege Escalation: T1484 (Domain Policy Modification), T1078.004 (Cloud Accounts)
- Defense Evasion: T1562 (Impair Defenses), T1070 (Indicator Removal)
- Discovery: T1087 (Account Discovery), T1069 (Permission Groups Discovery)
- Impact: T1485 (Data Destruction), T1498 (Network Denial of Service)
Operational Impact
Existing AWS deployments should see improved detection fidelity and fewer incorrect entity mappings. Detection sensitivity and coverage are unchanged.
Affected Files
.script/tests/KqlvalidationsTests/CustomFunctions/AWSCloudTrail.json
Solutions/Amazon Web Services/Analytic Rules/AWS_APIfromTor.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_ChangeToRDSDatabase.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_ChangeToVPC.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_ClearStopChangeTrailLogs.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_ConfigServiceResourceDeletion.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_ConsoleLogonWithoutMFA.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_CreatedCRUDDyanmoDBPolicytoPrivilegeEscalation.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_CreatedCRUDIAMtoPrivilegeEscalation.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_CreatedCRUDKMSPolicytoPrivilegeEscalation.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_CreatedCRUDLambdaPolicytoPrivilegEscalation.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_CreatedCRUDS3PolicytoPrivilegeEscalation.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_CreatedCloudFormationPolicytoPrivilegeEscalation.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_CreatedDataPipelinePolicytoPrivilegeEscalation.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_CreatedEC2PolicytoPrivilegeEscalation.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_CreatedGluePolicytoPrivilegeEscalation.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_CreatedLambdaPolicytoPrivilegeEscalation.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_CreatedSSMPolicytoPrivilegeEscalation.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_CreationofEncryptKeysWithoutMFA.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_CredentialHijack.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_EC2StartupShellScriptChanged.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_ECRContainerHigh.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_ECRImageScanningDisabled.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_FullAdminPolicyAttachedToRolesUsersGroups.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_GuardDutyDisabled.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_GuardDuty_template.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_IngressEgressSecurityGroupChange.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_LoadBalancerSecGroupChange.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_LogTampering.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_NetworkACLOpenToAllPorts.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_OverlyPermessiveKMS.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationAdminManagedPolicy.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationAdministratorAccessManagedPolicy.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationFullAccessManagedPolicy.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationViaCRUDIAMPolicy.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationViaCRUDKMSPolicy.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationViaCRUDLambdaPolicy.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationViaCRUDS3Policy.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationViaCloudFormationPolicy.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationViaDataPipeline.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationViaEC2Policy.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationViaGluePolicy.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationViaLambdaPolicy.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationViaSSM.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationviaCRUDDynamoDB.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_RDSInstancePubliclyExposed.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_S3BruteForce.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_S3BucketAccessPointExposed.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_S3BucketExposedviaACL.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_S3BucketExposedviaPolicy.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_S3ObjectExfiltrationByAnonymousUser.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_S3ObjectPubliclyExposed.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_S3Ransomware.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_SAMLUpdateIdentity.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_SSMPubliclyExposed.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_SetDefaulyPolicyVersion.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_SuspiciousCommandEC2.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_UnauthorizedInstanceSetUpAttempt.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_UserAccessKeyCreated.yaml
Solutions/Amazon Web Services/Analytic Rules/AWS_UserIAMEnumeration.yaml
Solutions/Amazon Web Services/Analytic Rules/NRT_AWS_ConsoleLogonWithoutMFA.yaml
Solutions/Amazon Web Services/Analytic Rules/SuspiciousAWSCLICommandExecution.yaml
Solutions/Amazon Web Services/Analytic Rules/SuspiciousAWSEC2ComputeResourceDeployments.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_AssumeRoleBruteForce.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_BucketVersioningSuspended.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_CreateAccessKey.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_CreateLoginProfile.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_EC2_WithoutKeyPair.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_ECRContainerLow.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_ECRContainerMedium.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_ExcessiveExecutionofDiscoveryEvents.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_FailedBruteForceS3Bucket.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_FailedBruteForceWithoutMFA.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_IAMAccsesDeniedDiscoveryEvents.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_IAMUserGroupChanges.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_IAM_PolicyChange.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_IAM_PrivilegeEscalationbyAttachment.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_LambdaFunctionThrottled.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_LambdaLayerImportedExternalAccount.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_LambdaUpdateFunctionCode.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_LoginProfileUpdated.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_ModificationofRouteTableAttributes.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_ModificationofSubnetAttributes.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_ModificationofVPCAttributes.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_NetworkACLDeleted.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_NewRootAccessKey.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_PolicywithExcessivePermissions.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_PrivilegedRoleAttachedToInstance.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_RDSMasterPasswordChanged.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_RiskyRoleName.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_S3BucketDeleted.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_S3BucketEncryptionModified.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_STStoEC2.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_STStoECS.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_STStoGlue.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_STStoKWN.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_STStoLambda.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_SuspiciousCredentialTokenAccessOfValid_IAM_Roles.yaml
Solutions/Amazon Web Services/Hunting Queries/AWS_Unused_UnsupportedCloudRegions.yaml
Solutions/Amazon Web Services/Workbooks/AmazonWebServicesNetworkActivities.json
Solutions/Amazon Web Services/Workbooks/AmazonWebServicesUserActivities.json
(packaging artefacts: 3.0.9.zip, ReleaseNotes.md, Solution_AmazonWebServices.json, createUiDefinition.json, mainTemplate.json)