Detectionlowtest

AWS Glue Development Endpoint Activity

Detects possible suspicious glue development endpoint activity.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Austin SongerCreated Sun Oct 03Updated Sun Dec 184990c2e3-f4b8-45e3-bc3c-30b14ff0ed26cloud

Log Source

AWScloudtrail

ProductAWS← raw: aws

Servicecloudtrail← raw: cloudtrail

Detection Logic

detection:
    selection:
        eventSource: 'glue.amazonaws.com'
        eventName:
            - 'CreateDevEndpoint'
            - 'DeleteDevEndpoint'
            - 'UpdateDevEndpoint'
    condition: selection

False Positives

Glue Development Endpoint Activity may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.

If known behavior is causing false positives, it can be exempted from the rule.

References

Resolving title…

rhinosecuritylabs.com

Resolving title…

docs.aws.amazon.com

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation

Rule Metadata

Rule ID

4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26