---
title: "How does your AWS environment stand up to the MITRE ATT&CK framework?"
page_name: "How does your AWS environment stand up to the MITRE ATT&CK framework?"
type: "blog"
slug: "detecting-mitre-attck-stages-aws"
published_at: "2023-11-07"
modified_at: "2026-06-17"
url: "https://www.sumologic.com/blog/detecting-mitre-attck-stages-aws"
canonical: "https://www.sumologic.com/blog/detecting-mitre-attck-stages-aws"
markdown_url: "https://www.sumologic.com/blog/detecting-mitre-attck-stages-aws.md"
lang: "en"
excerpt: "Discover how to navigate AWS CloudTrail log data by mapping it to the MITRE ATT&CK framework. Learn a nine-step process using Sumo Logic's Cloud SIEM."
taxonomy_blog_category:
  - "SecOps & Security"
---

# How does your AWS environment stand up to the MITRE ATT&CK framework?

[Christopher Beier](#blog-author-block-66)

November 7, 2023

In today’s digital age, adopting a public cloud platform like [Amazon Web Services (AWS)](https://www.sumologic.com/glossary/aws-security/) also means securing it. AWS is a complex and versatile platform, and when problems or security incidents arise you need a systematic approach to investigation and analysis; without one, the work quickly drowns in noise and false positives. This is where the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework can help.

The MITRE ATT&CK framework plays a crucial role in security [incident response](https://www.sumologic.com/glossary/incident-response/), providing a structured and comprehensive model for understanding, detecting and responding to cybersecurity threats and attacks. It benefits incident response in the following ways:

- Provides a common language for describing a threat actor’s [tactics, techniques and procedures](https://www.sumologic.com/glossary/tactics-techniques-procedures) (TTPs) so a security team can gain a deeper understanding of adversaries’ tactics, motives, capabilities and strategies.
- Maps observed behaviors and [indicators of compromise](https://www.sumologic.com/glossary/indicators-of-compromise/) (IOCs) to specific techniques and tactics within the framework, for more precise detection of malicious activity and a clearer view of which stages of an attack are in progress.
- Supports proactive [threat hunting](https://www.sumologic.com/glossary/threat-hunting/) by allowing [security analysts](https://www.sumologic.com/blog/security-analyst-faq-career-cybersecurity/) to explore their environment to identify anomalies and trace them to specific tactics or techniques.
- Helps security teams prioritize alerts and incidents based on the tactics and techniques involved to focus resources and efforts on the most critical and relevant threats.
- Informs security teams on bolstering their defenses based on weaknesses and gaps in their security posture and implementing appropriate mitigations.
- Assists in developing response playbooks, helping organizations prepare for different phases of an attack.

In developing your incident response and security defenses for your AWS environment, the MITRE ATT&CK framework is even more useful when incorporated into a so-called mind map for AWS investigations. A mind map is a graphical tool that can help you outline and follow a structured investigation process. When applied to AWS investigations, it is a visual representation or diagram that helps organize and structure the process of investigating issues, incidents or anomalies related to AWS [cloud infrastructure](https://www.sumologic.com/glossary/cloud-infrastructure/) and services.

## How to incorporate the MITRE ATT&CK framework for AWS investigations

Start by identifying the relevant MITRE ATT&CK techniques associated with the AWS services and resources under investigation. MITRE ATT&CK provides a comprehensive list of tactics and techniques used by threat actors. Focus on those techniques that may apply to AWS environments.

1. Create main branches in your mind map to represent each of the MITRE ATT&CK tactics. Common tactics include “Initial Access,” “Execution,” “Persistence,” “Privilege Escalation,” “Defense Evasion” and others. These serve as the high-level categories in your mind map.
2. Under each tactic, create sub-branches for the specific techniques that apply to your AWS investigation. For example, under “Execution,” you might include “User Execution” or “Command and Scripting Interpreter” (the current name for what older versions of the matrix called “Scripting”).
3. For each technique, consider how it might show up in an AWS environment. Provide specific examples or indicators related to AWS services and resources. This could include IAM (Identity and Access Management) abuse, EC2 instance compromise, or S3 bucket misconfigurations.
4. Map AWS resources and data sources to the relevant MITRE ATT&CK techniques. For instance, indicate which AWS data sources are relevant for each technique, such as [CloudTrail](https://www.sumologic.com/application/aws-cloudtrail/) logs, [VPC flow logs](https://www.sumologic.com/application/vpc-flow/), or [CloudWatch](https://www.sumologic.com/glossary/aws-cloudwatch/) alarms.
5. Include detection and mitigation strategies for each technique in your mind map: how you monitor for and detect the suspicious activity, and the steps to mitigate or remediate it. Keep these specific to AWS, such as configuring CloudWatch alarms or applying AWS security best practices.

As your investigation progresses and you gain more insights, update the mind map to reflect the current status of your investigation. This ensures you have an up-to-date reference for tracking your findings and actions. Incorporating the MITRE ATT&CK framework into your mind map for AWS investigations aligns your investigation process with industry-standard practices for threat detection and response. This approach helps you systematically address potential threats and vulnerabilities specific to AWS environments while keeping your investigation organized and comprehensive.

## How to alert for MITRE ATT&CK in your AWS environment with Sumo Logic Cloud SIEM

While mapping aids investigations, it’s also important to be proactive and automatically flag significant movement within AWS CloudTrail logs. Correlating on event type alone produces countless alerts, because many of the underlying API calls are routine.

This is where Sumo Logic’s [Cloud SIEM](https://www.sumologic.com/solutions/cloud-siem/) comes into play. Suppose you want an alert that fires when a single user’s actions span at least three MITRE ATT&CK tactics (the “stages” of an attack). That means building a distinct aggregation for each of Discovery, Collection, Persistence, Privilege Escalation, Initial Access and Credential Access, and alerting on any combination of three.

Here are the steps for how to do this:

1. In Cloud SIEM: Navigate to the Content section within the Cloud SIEM interface.
2. Rule creation: Select Rules and then choose Create.
3. Aggregation rule: Click on Aggregation Rule and proceed to Create.
4. Filter events: Start by narrowing the rule down to CloudTrail events only.
5. Correlation entity: Use *user\_username* as the entity so that all events are correlated by the acting user.
6. Rule metadata: Assign a descriptive name and provide relevant details.
7. Timeframe: Designate a 24-hour window, so alerts reflect recent actions.
8. Aggregation parameters: Create an *aggregation* for each MITRE ATT&CK tactic. Remember that a *count distinct* on the user\_username value gives the final match expression a per-tactic value to test.
9. Detection: The final goal is to spot users with events spanning three or more MITRE ATT&CK tactics.
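To make the detection logic concrete outside the Cloud SIEM UI, here is an added Python example (not Sumo Logic rule content and not code from the original post) that applies the same idea to raw CloudTrail records: resolve the acting principal, tag each `eventName` with an ATT&CK tactic, and alert when one principal covers three or more tactics inside a 24-hour sliding window. The `eventName`-to-tactic table and the sample records are constructed for illustration and are assumptions, not part of the post; the `exempt` set is one way to carve out known administrative roles that legitimately span several tactics.

```python
"""Added example: per-principal ATT&CK tactic correlation over CloudTrail.

Not Sumo Logic rule content. The eventName -> tactic table and the sample
records below are constructed for illustration (assumptions, not from the post).
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed mapping of CloudTrail eventName to the ATT&CK tactic it most often
# serves. A production rule would key this off the SIEM's own rule mappings.
TACTIC_BY_EVENT = {
    "ConsoleLogin": "Initial Access",            # T1078.004 Valid Accounts: Cloud Accounts
    "DescribeInstances": "Discovery",            # T1580 Cloud Infrastructure Discovery
    "ListBuckets": "Discovery",                  # T1526 Cloud Service Discovery
    "ListUsers": "Discovery",                    # T1087.004 Account Discovery: Cloud Account
    "GetSecretValue": "Credential Access",       # T1555.006 Cloud Secrets Management Stores
    "GetPasswordData": "Credential Access",      # T1552 Unsecured Credentials
    "CreateAccessKey": "Persistence",            # T1098.001 Additional Cloud Credentials
    "CreateUser": "Persistence",                 # T1136.003 Create Account: Cloud Account
    "AttachUserPolicy": "Privilege Escalation",  # T1098 Account Manipulation
    "PutUserPolicy": "Privilege Escalation",     # T1098 Account Manipulation
    "GetObject": "Collection",                   # T1530 Data from Cloud Storage
}

WINDOW = timedelta(hours=24)   # matches the rule's 24-hour timeframe
MIN_TACTICS = 3                # alert when a principal spans >= 3 tactics


def principal(event):
    """Equivalent of the rule's user_username: the IAM user name, or, for an
    assumed-role session (which has no top-level userName), the issuing role."""
    ident = event.get("userIdentity", {})
    if ident.get("type") == "AssumedRole":
        return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")
    return ident.get("userName")


def load_events(text):
    """Parse newline-delimited CloudTrail JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events, exempt=frozenset(), window=WINDOW, min_tactics=MIN_TACTICS):
    """Return {principal: sorted tactics} for each principal whose events cover
    at least min_tactics distinct tactics within some window-long span.
    `exempt` holds principals (e.g. break-glass admin roles) to leave out."""
    per_user = defaultdict(list)
    for ev in events:
        tactic = TACTIC_BY_EVENT.get(ev.get("eventName"))
        who = principal(ev)
        if tactic is None or who is None or who in exempt:
            continue
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        per_user[who].append((ts, tactic))

    hits = {}
    for who, seq in per_user.items():
        seq.sort()                      # time order for the sliding window
        best, start = set(), 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window:
                start += 1              # drop events older than the window
            tactics = {t for _, t in seq[start:end + 1]}
            if len(tactics) > len(best):
                best = tactics          # keep the widest tactic coverage seen
        if len(best) >= min_tactics:
            hits[who] = sorted(best)
    return hits


# Constructed sample records (not real CloudTrail data), trimmed to the fields
# the logic reads. "alice" touches three tactics but two days apart; "mallory"
# chains four within an hour; OrgAdminRole chains three via an assumed role.
SAMPLE_LOG = """
{"eventTime":"2023-11-06T09:00:00Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"mallory"}}
{"eventTime":"2023-11-06T09:05:00Z","eventName":"ListUsers","userIdentity":{"type":"IAMUser","userName":"mallory"}}
{"eventTime":"2023-11-06T09:20:00Z","eventName":"GetSecretValue","userIdentity":{"type":"IAMUser","userName":"mallory"}}
{"eventTime":"2023-11-06T10:00:00Z","eventName":"CreateAccessKey","userIdentity":{"type":"IAMUser","userName":"mallory"}}
{"eventTime":"2023-11-06T08:00:00Z","eventName":"DescribeInstances","userIdentity":{"type":"IAMUser","userName":"alice"}}
{"eventTime":"2023-11-06T08:30:00Z","eventName":"GetObject","userIdentity":{"type":"IAMUser","userName":"alice"}}
{"eventTime":"2023-11-08T12:00:00Z","eventName":"CreateUser","userIdentity":{"type":"IAMUser","userName":"alice"}}
{"eventTime":"2023-11-06T11:00:00Z","eventName":"ListBuckets","userIdentity":{"type":"AssumedRole","sessionContext":{"sessionIssuer":{"userName":"OrgAdminRole"}}}}
{"eventTime":"2023-11-06T11:10:00Z","eventName":"AttachUserPolicy","userIdentity":{"type":"AssumedRole","sessionContext":{"sessionIssuer":{"userName":"OrgAdminRole"}}}}
{"eventTime":"2023-11-06T11:20:00Z","eventName":"CreateAccessKey","userIdentity":{"type":"AssumedRole","sessionContext":{"sessionIssuer":{"userName":"OrgAdminRole"}}}}
"""

if __name__ == "__main__":
    for who, tactics in detect(load_events(SAMPLE_LOG)).items():
        print(f"ALERT {who}: {len(tactics)} tactics in 24h -> {', '.join(tactics)}")
```

Two design points carry over to a real rule. First, the correlation key must handle assumed-role sessions, which carry no top-level `userName`; keying only on IAM users would let role-based activity slip through. Second, a sliding window is stricter than a fixed daily bucket: activity straddling midnight is still caught, while "alice" above is correctly ignored because her third tactic lands two days after the first two.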

Adopting this systematic approach cuts background noise and surfaces high-quality signals when a user moves along the MITRE ATT&CK pathways in your AWS environment. Some tuning will be needed, especially for roles such as AWS administrators whose legitimate work routinely spans several tactics, but this pattern is critical for identifying potentially malicious activity.

Dive deeper into Sumo Logic’s [Cloud SIEM solution](https://www.sumologic.com/solutions/cloud-siem/) to fortify the digital defense of your AWS environments.


Christopher Beier

Principal Product Marketing Manager

Christopher has spent the past 25 years dedicated to work in cybersecurity. He’s a US Navy veteran who did IT work in submarines. From his home in Forest Grove, OR, he enjoys flying stunt kites, college football (Go Ducks!), and watching his kids’ swim meets.

