Detection Engineering

I want to detect when an AWS IAM user performs suspicious privilege escalation activity. Specifically: multiple failed attempts to modify IAM roles within a short time. This suggests permission probing by an attacker.

You: "This rule triggers too much"
MCP: Analyzes the actual alerts it generated, sees patterns in false positives
AI: "I see the pattern — developers in test accounts hit this all the time.
     Let me exclude those accounts" → Updated query, retested automatically

You: "Here's my Splunk rule:
     source="aws:cloudtrail" sourcetype="AWSCloudTrail"
     | stats count by user | where count > 10"

MCP: Translates to Scanner syntax, tests it, shows you what changed and why

You: "Detect when someone gains admin privileges then immediately
      downloads sensitive data — in the same session"

MCP: Writes a multi-stage query with session tracking, privilege checks,
     and data access aggregations. You just see: "Testing... Found 3 matches."

I need to detect suspicious IAM activity in AWS. Specifically, I want
to catch when a user performs multiple failed IAM policy modification
attempts. This suggests an attacker is probing for vulnerabilities or
testing permissions they don't have.

Create a Scanner detection rule that:
- Looks for failed IAM policy modifications (PutRolePolicy, AttachRolePolicy)
- Within a 1-hour time window
- Flags users with 3+ failures in that window
- Exclude service accounts (terraform, ci-pipeline, automation accounts)

# schema: https://scanner.dev/schema/scanner-detection-rule.v1.json
name: "Excessive IAM Policy Modification Failures"
enabled: true
description: |
  Detects suspicious IAM activity where a user performs multiple failed
  attempts to modify IAM policies. This pattern suggests permission probing
  or an attacker testing access controls.

  References:
  * https://attack.mitre.org/techniques/T1548/004/

severity: High
query_text: |
  %ingest.source_type="aws:cloudtrail"
  eventSource="iam.amazonaws.com"
  eventName=(PutRolePolicy AttachRolePolicy)
  errorCode=*
  NOT userIdentity.userName=(terraform ci-pipeline automation-user)
  | stats
    count() as failed_attempts,
    min(timestamp) as firstTime,
    max(timestamp) as lastTime
    by userIdentity.userName, eventName
  | where failed_attempts >= 3

tags:
  - techniques.ta0005.privilege_escalation

time_range_s: 3600
run_frequency_s: 300

alert_template:
  info:
    - label: User
      value: "{{userIdentity.userName}}"
    - label: Event Type
      value: "{{eventName}}"
    - label: Failed Attempts
      value: "{{failed_attempts}}"
    - label: Time Window
      value: "{{firstTime}} to {{lastTime}}"

Run this rule against the last 7 days of data and show me:
1. How many alerts would this generate?
2. Show me 3-5 example alerts with the user, event types, and error codes
3. Are these plausible attacks or expected operational activity?

I see the results. Most look like legitimate permission errors from users trying operations they don't have access to. Can you narrow this to only flag PutRolePolicy and AttachRolePolicy (remove CreateAccessKey) since those are more likely to indicate privilege escalation attempts?

query_text: |
  %ingest.source_type="aws:cloudtrail"
  eventSource="iam.amazonaws.com"
  eventName=(PutRolePolicy AttachRolePolicy)
  errorCode=*
  NOT userIdentity.userName=(terraform ci-pipeline automation-user)
  | stats
    count() as failed_attempts,
    min(timestamp) as firstTime,
    max(timestamp) as lastTime
    by userIdentity.userName, eventName
  | where failed_attempts >= 3

I want to migrate a detection rule from [platform name] to Scanner.

I've saved the rule to [filename]. Please:

1. Translate this logic to Scanner query syntax
2. Create a Scanner YAML file with proper schema and required fields
3. Test the query against the last 30 days of historical data
4. Show me sample results - are there any hits? Are they true positives?
5. Iterate on the query based on results (adjust thresholds, filters, or logic as needed)
6. Suggest improvements for my environment
7. Include test cases that validate the rule catches the same activity

Then I'll validate it locally with scanner-cli before deploying.

Write unit tests for this IAM policy modification detection rule.

The rule detects failed IAM policy modifications (PutRolePolicy, AttachRolePolicy)
with 3+ failures in a 1-hour window, excluding known service accounts.

Create test cases following Scanner's format:
1. A true positive - user making multiple failed attempts to modify policies (permission probing)
2. A true negative - legitimate admin activity (successful policy modifications)
3. An edge case - service account excluded from detection

For each test, provide:
- A test name describing the scenario
- Example JSON CloudTrail log events (must include timestamp in RFC 3339 format, %ingest.source_type, eventSource, eventName, errorCode, userIdentity)
- Expected result (true or false)
- Why this test is important

tests:
  - name: Test alert is triggered when user has 3+ failed policy modifications
    now_timestamp: "2024-08-21T00:10:00.000Z"
    dataset_inline: |
      {"timestamp":"2024-08-21T00:05:00.000Z","%ingest.source_type":"aws:cloudtrail","eventSource":"iam.amazonaws.com","eventName":"PutRolePolicy","userIdentity":{"userName":"attacker"},"errorCode":"UnauthorizedOperation"}
      {"timestamp":"2024-08-21T00:05:30.000Z","%ingest.source_type":"aws:cloudtrail","eventSource":"iam.amazonaws.com","eventName":"AttachRolePolicy","userIdentity":{"userName":"attacker"},"errorCode":"AccessDenied"}
      {"timestamp":"2024-08-21T00:06:00.000Z","%ingest.source_type":"aws:cloudtrail","eventSource":"iam.amazonaws.com","eventName":"PutRolePolicy","userIdentity":{"userName":"attacker"},"errorCode":"InvalidParameterException"}
    expected_detection_result: true

  - name: Test no alert for successful policy modifications
    now_timestamp: "2024-08-21T00:10:00.000Z"
    dataset_inline: |
      {"timestamp":"2024-08-21T00:05:00.000Z","%ingest.source_type":"aws:cloudtrail","eventSource":"iam.amazonaws.com","eventName":"PutRolePolicy","userIdentity":{"userName":"admin"},"requestParameters":{"roleName":"test-role"}}
      {"timestamp":"2024-08-21T00:05:30.000Z","%ingest.source_type":"aws:cloudtrail","eventSource":"iam.amazonaws.com","eventName":"AttachRolePolicy","userIdentity":{"userName":"admin"},"requestParameters":{"roleName":"test-role"}}
    expected_detection_result: false

  - name: Test no alert for excluded service accounts
    now_timestamp: "2024-08-21T00:10:00.000Z"
    dataset_inline: |
      {"timestamp":"2024-08-21T00:05:00.000Z","%ingest.source_type":"aws:cloudtrail","eventSource":"iam.amazonaws.com","eventName":"PutRolePolicy","userIdentity":{"userName":"terraform"},"errorCode":"AccessDenied"}
      {"timestamp":"2024-08-21T00:05:30.000Z","%ingest.source_type":"aws:cloudtrail","eventSource":"iam.amazonaws.com","eventName":"PutRolePolicy","userIdentity":{"userName":"terraform"},"errorCode":"AccessDenied"}
      {"timestamp":"2024-08-21T00:06:00.000Z","%ingest.source_type":"aws:cloudtrail","eventSource":"iam.amazonaws.com","eventName":"AttachRolePolicy","userIdentity":{"userName":"terraform"},"errorCode":"AccessDenied"}
    expected_detection_result: false

I've created a detection rule for failed S3 GetObject calls from unusual users
(>= 1GB downloads from buckets with "sensitive" or "customer" in the name).

Run it against my Scanner data for the last 30 days and show me:

1. **Volume**: How many alerts would this generate?
2. **Sample alerts**: Show me 3-5 real examples with userIdentity.userName, bucketName, bytesOut, and timestamp
3. **False positive assessment**: Are these real exfiltration risks or legitimate data analysis jobs?
4. **Tuning recommendations**: What thresholds or filters should I adjust? Should I exclude specific service accounts or departments?
5. **Coverage assessment**: Are there other S3 API calls I should be monitoring (e.g., CopyObject, GetObjectTagging)?

This detection is triggering too often. Can you help me tune it?

The rule is looking for: Failed IAM policy modifications (3+ in 1 hour)

Known false positives:
- Developers testing permissions in non-prod (frequent AccessDenied is expected)
- HR/Finance staff who don't normally use IAM (they get errors, not suspicious)
- New onboarded users learning the system

Actual attack scenario we want to catch:
- Focused permission testing (same event type, same user, rapid-fire attempts)
- Not just random permission errors spread throughout the hour

Suggest:
1. Filters to exclude low-risk user groups
2. Tighten the time window to detect rapid-fire probing
3. Focus on specific event types most likely to indicate attacks

query_text: |
  %ingest.source_type="aws:cloudtrail"
  eventSource="iam.amazonaws.com"
  eventName=(PutRolePolicy AttachRolePolicy)
  errorCode=*
  NOT userIdentity.userName=(terraform ci-pipeline automation-user developer-test)
  | stats
    count() as failed_attempts,
    min(timestamp) as firstTime,
    max(timestamp) as lastTime
    by userIdentity.userName
  | where failed_attempts >= 3

# Test 1: Verify we still catch privilege escalation probing
I want to test if this rule catches a user who:
- Makes 5 failed PutRolePolicy attempts
- Spread across different roles
- Within 1 hour
Expected: Should trigger

# Test 2: Verify we excluded expected failures
# Run the query for the last 7 days filtered to developer-test users
# Verify it's NOT generating alerts anymore
Expected: No alerts for excluded service accounts

I want to detect data exfiltration through S3. Specifically, large downloads from sensitive buckets by users who don't normally access them.

# schema: https://scanner.dev/schema/scanner-detection-rule.v1.json
name: "S3 Data Exfiltration - Large Downloads"
enabled: true
description: |
  Detects potential data exfiltration through S3 GetObject calls. Flags users
  performing unusually large data transfers from S3 in a single session.

severity: High
query_text: |
  %ingest.source_type="aws:cloudtrail"
  eventSource="s3.amazonaws.com"
  eventName="GetObject"
  | stats
    count() as access_count,
    sum(additionalEventData.bytesTransferredOut) as total_bytes
    by userIdentity.userName, requestParameters.bucketName
  | eval gb = total_bytes / (1024 * 1024 * 1024)
  | where access_count > 100 and gb > 0.5

tags:
  - techniques.ta0010.exfiltration

time_range_s: 3600
run_frequency_s: 300

Running the rule against last 30 days shows:
- 47 alerts
- 42 are false positives (legitimate data analysis jobs)
- 5 are real concerns

The job-analysis-prod service account is generating most false positives.
Also, the finance team regularly exports large CSV files.
Can you refine to exclude these while keeping real threats?

New results:
- 8 alerts
- 1 confirmed data exfiltration (user accessing customer data, downloading to external IP)
- 7 legitimate but unusual (flagged for investigation, none malicious)

This looks good. Generate unit tests following Scanner's format and a runbook for my team.

I want to analyze my detection rule coverage and identify gaps where I should build new detections.

I have a folder of detection rules at ./detection-rules/ organized by threat type.
All rules use MITRE tags like "techniques.ta0005.privilege_escalation".

Please:
1. Read all YAML files in the directory and extract all MITRE tactics and techniques from tags

2. First, use Scanner MCP to explore my available data:
   - Query Scanner to discover what log sources I have (use get_scanner_context)
   - Show me the available indexes and their source types (e.g., aws:cloudtrail, kubernetes:audit, proxy logs, DNS, etc.)
   - For each data source, highlight key fields available for detection

3. Create a coverage matrix showing:
   - Tactics covered: list of all unique tactics found
   - Techniques per tactic: how many techniques we detect for each tactic
   - Coverage gaps: which major tactics have 0 or 1 rules
   - Data availability: for each gap, note whether we have the necessary log sources to detect it

4. For each coverage gap, use Scanner MCP to test detection feasibility:
   - Run exploratory queries to check if the detection pattern exists in our data
   - Example: If recommending a Kerberoasting detection, query for failed Kerberos TGT requests
   - Validate we have the fields needed for the detection to work

5. Recommend 5 new detection rules for our top 3 coverage gaps, but ONLY recommend detections where:
   - We have the necessary log sources and fields
   - Exploratory queries show the attack pattern exists in our data
   - The detection is practical to implement

6. For each recommendation, explain:
   - Which tactic/technique it covers
   - What attack pattern it detects
   - Why it's important for our environment
   - What data sources it will use (be specific about field names we discovered)
   - Example query logic for how to detect it

Step 1: Exploring Available Data Sources
=========================================

Available Log Sources in Your Scanner Instance:
- aws:cloudtrail (CloudTrail logs)
  * Key fields: eventName, userIdentity.userName, sourceIPAddress, errorCode
  * Time range: Last 90 days

- aws:authentication (Auth/IAM events)
  * Key fields: user, auth_method, success, failure_reason
  * Time range: Last 30 days

- kubernetes:audit (Kubernetes API audit logs)
  * Key fields: verb, user, namespace, sourceIPs, objectRef
  * Time range: Last 7 days

- proxy (Proxy/firewall logs)
  * Key fields: source_ip, destination_ip, destination_port, domain, action
  * Time range: Last 90 days

- dns (DNS query logs)
  * Key fields: query_name, source_ip, response_code
  * Time range: Last 30 days

Note: You do NOT have:
- Endpoint/EDR logs (no Windows Event Logs, Sysmon, or osquery data)
- Email gateway logs
- VPC Flow Logs (only proxy logs as network source)

MITRE Coverage Analysis Results
================================

Total Rules: 47
Tactics Covered: 10 out of 14

Coverage by Tactic:
- TA0001 (Initial Access): 3 rules ✅
- TA0002 (Execution): 5 rules ✅
- TA0003 (Persistence): 2 rules ⚠️
- TA0004 (Privilege Escalation): 8 rules ✅
- TA0005 (Defense Evasion): 1 rule ❌
- TA0006 (Credential Access): 4 rules ✅
- TA0007 (Discovery): 6 rules ✅
- TA0008 (Lateral Movement): 3 rules ✅
- TA0009 (Collection): 2 rules ⚠️
- TA0010 (Exfiltration): 5 rules ✅
- TA0011 (Command & Control): 0 rules ❌
- TA0012 (Impact): 1 rule ❌
- TA0013 (Resource Development): 0 rules ❌
- TA0014 (Reconnaissance): 3 rules ✅

Top Coverage Gaps:
1. Defense Evasion (TA0005): 1 rule - HIGH RISK
2. Command & Control (TA0011): 0 rules - CRITICAL
3. Resource Development (TA0013): 0 rules - MEDIUM

Step 2: Testing Detection Feasibility with Scanner MCP
======================================================

For Defense Evasion gap (Log Tampering - T1070):
- Test query: Searched CloudTrail for DeleteTrail, StopLogging, PutEventSelectors
- Result: ✅ Found 12 instances in last 90 days (legitimate admin activity + 2 suspicious events)
- Data available: eventName, userIdentity, sourceIPAddress all present
- Feasibility: PRACTICAL - Can build reliable detection with thresholds

For Command & Control gap (DNS queries - T1071):
- Test query: Searched DNS logs for queries to known C2 domains and DGA patterns
- Result: ✅ Found DNS logs available with query_name and response_code
- Data available: dns logs with full query details
- Feasibility: PRACTICAL - Can detect unusual DNS patterns

For Resource Development gap (Certificate/Domain registration - T1583):
- Test query: Searched for domain registration events or certificate issuance
- Result: ❌ No data available - no domain registrar or certificate logs in your instance
- Data available: NONE
- Feasibility: NOT PRACTICAL - No data source to detect this; requires 3rd party feeds

Recommended Rules to Fill Gaps (Only for Practical Detections):

1. **Log Tampering Detection** (Defense Evasion - T1070)
   - Detects deletion/modification of CloudTrail logs or AWS API calls to disable logging
   - Data sources: aws:cloudtrail with eventName field
   - Example logic: Look for DeleteTrail, StopLogging, PutEventSelectors, UpdateTrail with LoggingEnabled=false
   - Critical for detecting attackers covering their tracks
   - Recommended priority: HIGH

2. **Suspicious DNS Queries - DGA Detection** (Command & Control - T1071)
   - Detects DNS queries with characteristics of Domain Generation Algorithms (DGA)
   - Data sources: dns logs with query_name and response_code
   - Example logic: Look for high volume of failed DNS queries to similar-looking domains (entropy analysis)
   - Indicates C2 communication channels or malware beaconing
   - Recommended priority: HIGH

3. **Privilege Escalation via Kubernetes RBAC** (Privilege Escalation - T1548)
   - Detects unauthorized attempts to grant elevated roles in Kubernetes
   - Data sources: kubernetes:audit with verb=create/patch objectRef.kind=ClusterRoleBinding
   - Example logic: Flag when non-admin users create ClusterRoleBindings or modify existing ones
   - Validates against your available Kubernetes logs (7-day retention)
   - Recommended priority: MEDIUM