ben.carrasco/prowler
1
0
Fork 0
mirror of https://github.com/prowler-cloud/prowler.git synced 2026-04-11 04:08:34 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
eb5dbab86ee3a7be28c0c8cef74583fa12b36713
prowler/docs/tutorials/aws/threat-detection.md

2.1 KiB
Raw Blame History

Threat Detection

Prowler allows you to do threat detection in AWS based on the CloudTrail log records. To run checks related with threat detection use:

prowler aws --category threat-detection

This command will run these checks:

  • cloudtrail_threat_detection_privilege_escalation -> Detects privilege escalation attacks.
  • cloudtrail_threat_detection_enumeration -> Detects enumeration attacks.
  • cloudtrail_threat_detection_llm_jacking -> Detects LLM Jacking attacks.

???+ note Threat Detection checks will be only executed using --category threat-detection flag due to performance.

Config File

If you want to manage the behavior of the Threat Detection checks you can edit config.yaml file from /prowler/config. In this file you can edit the following attributes related with Threat Detection:

  • threat_detection_privilege_escalation_threshold: determines the percentage of actions found to decide if it is an privilege_scalation attack event, by default is 0.2 (20%)
  • threat_detection_privilege_escalation_minutes: it is the past minutes to search from now for privilege_escalation attacks, by default is 1440 minutes (24 hours)
  • threat_detection_privilege_escalation_actions: these are the default actions related with privilege escalation.
  • threat_detection_enumeration_threshold: determines the percentage of actions found to decide if it is an enumeration attack event, by default is 0.3 (30%)
  • threat_detection_enumeration_minutes: it is the past minutes to search from now for enumeration attacks, by default is 1440 minutes (24 hours)
  • threat_detection_enumeration_actions: these are the default actions related with enumeration attacks.
  • threat_detection_llm_jacking_threshold: determines the percentage of actions found to decide if it is an LLM Jacking attack event, by default is 0.4 (40%)
  • threat_detection_llm_jacking_minutes: it is the past minutes to search from now for LLM Jacking attacks, by default is 1440 minutes (24 hours)
  • threat_detection_llm_jacking_actions: these are the default actions related with LLM Jacking attacks.
Reference in New Issue View Git Blame Copy Permalink