AWS FSx Excessive File Denied

amazon-fsx

Classification:

attack

Tactic:

TA0007-discovery

Technique:

T1083-file-and-directory-discovery

Goal

Detect and identify users accessing files they do not have permission to access.

Strategy

Monitor AWS FSx logs and detect more than 10 occurrences where @evt.id is equal to 4656 and @Event.System.Keywords is equal to 0x8010000000000000.

Triage & Response

  1. Inspect the log and determine if the user should be accessing the file: {{@ObjectName}}.
  2. If access is not legitimate, investigate user ({{@usr.id}}) activity.