articles/sentinel/anomalies-reference.md
Lines changed: 5 additions & 5 deletions
@@ -197,7 +197,7 @@ Sentinel uses enriched data from the BehaviorAnalytics table to identify UEBA an
197
197
198
198
### UEBA Anomalous Data Transfer from Amazon S3 (Preview)
199
199
200
-
**Description:**Detects deviations in data access or download patterns from Amazon Simple Storage Service (S3). The anomaly is determined using behavioral baselines for each user, service, and resource, comparing data transfer volume, frequency, and accessed object count against historical norms. Significant deviations — such as first-time bulk access, unusually large data retrievals, or activity from new locations or applications — may indicate potential data exfiltration, policy violations, or misuse of compromised credentials.
200
+
**Description:**Deviations in data access or download patterns from Amazon Simple Storage Service (S3). The anomaly is determined using behavioral baselines for each user, service, and resource, comparing data transfer volume, frequency, and accessed object count against historical norms. Significant deviations - such as first-time bulk access, unusually large data retrievals, or activity from new locations or applications - might indicate potential data exfiltration, policy violations, or misuse of compromised credentials.
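Review bot: The new closing sentence hedges twice, "might indicate potential data exfiltration", so drop "potential" and let "might" carry the uncertainty. The opening is now a noun phrase with no verb, while the next sentence ("The anomaly is determined using ...") is still a full sentence, so the entry reads unevenly; either keep a verb in the first sentence or fold the two together. The spaced hyphens that replaced the dashes will render as plain hyphens; commas or parentheses around the "such as ..." list would read more cleanly.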
@@ -240,7 +240,7 @@ Sentinel uses enriched data from the BehaviorAnalytics table to identify UEBA an
240
240
241
241
### UEBA Anomalous Federated or SAML Identity Activity in AwsCloudTrail (Preview)
242
242
243
-
**Description:**Detects unusual activity by federated or SAML-based identities involving first-time actions, unfamiliar geo-locations, or excessive API calls. Such anomalies can reveal session hijacking or misuse of federated credentials.
243
+
**Description:**Unusual activity by federated or Security Assertion Markup Language (SAML)-based identities involving first-time actions, unfamiliar geo-locations, or excessive API calls. Such anomalies can indicate session hijacking or misuse of federated credentials.
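Review bot: "Security Assertion Markup Language (SAML)-based identities" is hard to parse with the hyphenated suffix attached to a parenthetical; something like "identities federated through Security Assertion Markup Language (SAML)" keeps the expansion without the awkward compound. Also, this entry now says "can indicate" while the other four descriptions in this change say "might indicate"; pick one so analysts do not read a difference in confidence into the wording.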
@@ -254,7 +254,7 @@ Sentinel uses enriched data from the BehaviorAnalytics table to identify UEBA an
254
254
255
255
### UEBA Anomalous IAM Privilege Modification in AwsCloudTrail (Preview)
256
256
257
-
**Description:**Detects deviations in IAM administrative behavior, such as first-time creation, modification, or deletion of roles, users, and groups, or attachment of new inline or managed policies. These may indicate privilege escalation or policy abuse.
257
+
**Description:**Deviations in Identity and Access Management (IAM) administrative behavior, such as first-time creation, modification, or deletion of roles, users, and groups, or attachment of new inline or managed policies. These might indicate privilege escalation or policy abuse.
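Review bot: In the second sentence, "These might indicate" has no clear antecedent now that the first sentence is a fragment; "Such changes might indicate privilege escalation or policy abuse" would be unambiguous. The expansion also drops the vendor qualifier that the neighbouring entries carry ("AWS Secrets Manager", "AWS Security Token Service"), so consider "AWS Identity and Access Management (IAM)" to make clear which IAM plane this anomaly covers.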
@@ -326,7 +326,7 @@ Sentinel uses enriched data from the BehaviorAnalytics table to identify UEBA an
326
326
327
327
### UEBA Anomalous Secret or KMS Key Access in AwsCloudTrail (Preview)
328
328
329
-
**Description:**Detects suspicious access to AWS Secrets Manager, or Key Management Service (KMS) resources. First-time access or unusually high access frequency may indicate credential harvesting or data exfiltration attempts.
329
+
**Description:**Suspicious access to AWS Secrets Manager, or Key Management Service (KMS) resources. First-time access or unusually high access frequency might indicate credential harvesting or data exfiltration attempts.
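Review bot: The stray comma in "AWS Secrets Manager, or Key Management Service (KMS) resources" is carried over from the old text; with only two items it should read "AWS Secrets Manager or Key Management Service (KMS) resources". With "Detects" removed, the first sentence is just "Suspicious access to ...", which does not tell the reader what makes the access suspicious until the next sentence; consider merging them so the criteria (first-time access, unusually high access frequency) sit in the opening statement.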
@@ -354,7 +354,7 @@ Sentinel uses enriched data from the BehaviorAnalytics table to identify UEBA an
354
354
355
355
### UEBA Anomalous STS AssumeRole Behavior in AwsCloudTrail (Preview)
356
356
357
-
**Description:**Detects anomalous usage of AWS Security Token Service (STS) AssumeRole actions, especially involving privileged roles or cross-account access. Deviations from typical usage may indicate privilege escalation or identity compromise.
357
+
**Description:**Anomalous usage of AWS Security Token Service (STS) AssumeRole actions, especially involving privileged roles or cross-account access. Deviations from typical usage might indicate privilege escalation or identity compromise.
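Review bot: The description restates the heading ("Anomalous ... AssumeRole") and then says only "Deviations from typical usage", without naming what is baselined. The S3 entry in this same change lists the compared dimensions (transfer volume, frequency, accessed object count); if the source material defines the equivalent for AssumeRole, state it here so a triaging analyst knows what the anomaly score reflects. Minor: "use of" reads better than "usage of" in both sentences.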