Skip to content
Threat Feed
high advisory

Unusual Cloud Security Group Modifications by User

This analytic identifies unusual modifications to cloud security groups by users, such as modifications, deletions, or creations, analyzed over 30-minute intervals, potentially indicating compromised accounts or insider threats leading to resource exposure or service disruption.

This detection identifies anomalous modifications to cloud security groups by users within a 30-minute timeframe. It focuses on actions such as modifications, deletions, and creations of security groups, analyzing cloud infrastructure logs to detect deviations from normal behavior. The analytic calculates the standard deviation of security group changes per user, employing a 3-sigma rule to identify outliers. This activity is significant because unauthorized or malicious alterations to security groups can expose sensitive resources or disrupt critical services. The original Splunk ES content was published in 2026-04-17T11:58:53Z. This may indicate a compromised account, insider threat, or privilege escalation attempts.

Attack Chain

  1. An attacker gains initial access to a cloud environment through compromised credentials or an insider threat (T1578.005).
  2. The attacker enumerates existing cloud security groups to identify potential targets for modification.
  3. The attacker modifies security group rules to allow unauthorized access to internal resources or services.
  4. The attacker creates new security groups with overly permissive rules, bypassing existing security controls.
  5. The attacker deletes existing security groups, disrupting network segmentation and potentially causing service outages.
  6. These actions are performed repeatedly within a short time frame (30 minutes), significantly deviating from the user's baseline activity.
  7. The attacker exploits the newly opened access to exfiltrate sensitive data or deploy malicious workloads.
  8. The ultimate objective is to compromise sensitive resources, disrupt services, or establish a persistent foothold within the cloud environment.

Impact

Successful exploitation can lead to unauthorized access to sensitive data, disruption of critical services, and potential financial losses. A single compromised account can lead to the modification of numerous security groups, impacting multiple applications and services. The impact can range from data breaches and compliance violations to complete service outages. Depending on the scope of the compromised security groups, the blast radius can extend across the entire cloud infrastructure, affecting potentially thousands of users and applications.

Recommendation

  • Ensure proper ingestion of AWS CloudTrail, GCP Pubsub Message logs, and Azure Audit logs into a data model like the Change datamodel referenced in the search query.
  • Deploy the Sigma rule Cloud Security Group Modifications by User to your SIEM to detect anomalous security group modifications (logsource: AWS CloudTrail).
  • Tune the threshold and time window of the Sigma rule based on your environment's baseline activity to reduce false positives. Consider adjusting the upperBound calculation in the search query.
  • Investigate any alerts generated by the Sigma rule to determine if the modifications are legitimate or malicious. Prioritize alerts triggered by users with no history of security group administration.
  • Implement multi-factor authentication (MFA) for all user accounts to mitigate the risk of compromised credentials.

Detection coverage 2

Cloud Security Group Modifications by User

high

Detects unusual modifications to security groups in AWS CloudTrail logs by a single user within a short timeframe, indicating potential account compromise or insider threat.

sigma tactics: defense_evasion, privilege_escalation techniques: T1578.005 sources: cloudtrail, aws

Detect Security Group Deletion

medium

Detects the deletion of security groups in AWS CloudTrail logs, which could indicate an attempt to disrupt network segmentation.

sigma tactics: defense_evasion techniques: T1578.005 sources: cloudtrail, aws

Detection queries are available on the platform. Get full rules →