Scout Suite user agent observed

Goal

Detect when the Scout Suite user agent is observed.

Strategy

This rule monitors cloud audit logs for requests whose user agent is ScoutSuite. Scout Suite is an open source, multi-cloud security-auditing tool that enables security posture assessment of cloud environments. Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection and highlights risk areas. While an organization may use this tool legitimately to assess its own security posture, attackers can also use it for discovery once they have gained unauthorized access to your cloud environment.

The following cloud providers are currently supported by Scout Suite:

  • Amazon Web Services
  • Microsoft Azure
  • Google Cloud Platform
  • Alibaba Cloud (alpha)
  • Oracle Cloud Infrastructure (alpha)
  • Kubernetes clusters on a cloud provider (alpha)

Triage and response

  1. Determine whether your organization is using the Scout Suite tool to assess its security posture.
  2. If it is, consider adding a suppression for the Scout Suite identity or IP address. See the article Best practices for creating detection rules with Datadog Cloud SIEM for more information.
  3. If the results of the triage indicate that this tool is not used by your organization, begin your company’s incident response process and an investigation.
    • If appropriate, disable or rotate the affected credential/identity.
    • Investigate any actions taken by the identity.
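As an added example (not code from the Datadog rule or from Scout Suite), the Python below applies the strategy above and the suppression from triage step 2 to a handful of constructed audit-log records shaped loosely like AWS CloudTrail events. The field names, ARNs, IP addresses and the exact user-agent strings are assumptions for the example; only the ScoutSuite user-agent marker comes from the rule description.

```python
import json

# Constructed sample events, loosely shaped like AWS CloudTrail records.
# Values (ARNs, IPs, user agents) are made up for the example.
SAMPLE_EVENTS = [
    json.dumps({"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
                "userAgent": "ScoutSuite/5.10.0 (constructed)",
                "sourceIPAddress": "203.0.113.10",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/sec-audit"}}),
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
                "userAgent": "scoutsuite (constructed)",
                "sourceIPAddress": "198.51.100.7",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-temp"}}),
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
                "userAgent": "aws-cli/2.13.0 (constructed)",
                "sourceIPAddress": "198.51.100.7",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-temp"}}),
]

# Identities and source IPs approved for Scout Suite runs (triage step 2). Constructed.
APPROVED_IDENTITIES = {"arn:aws:iam::111122223333:user/sec-audit"}
APPROVED_IPS = {"203.0.113.10"}


def is_scoutsuite_user_agent(user_agent):
    """Case-insensitive substring match on the user agent string the rule keys on."""
    return "scoutsuite" in (user_agent or "").lower()


def detect_scoutsuite(raw_events, approved_identities=frozenset(), approved_ips=frozenset()):
    """One finding per Scout Suite event; suppressed when the identity or IP is approved."""
    findings = []
    for raw in raw_events:
        event = json.loads(raw)
        if not is_scoutsuite_user_agent(event.get("userAgent")):
            continue  # not Scout Suite traffic, nothing to report
        identity = event.get("userIdentity", {}).get("arn", "")
        source_ip = event.get("sourceIPAddress", "")
        findings.append({
            "identity": identity,
            "source_ip": source_ip,
            "api_call": f'{event.get("eventSource")}:{event.get("eventName")}',
            # Approved identity or IP: a known assessment run, no triage needed.
            # Anything else goes to triage step 3.
            "suppressed": identity in approved_identities or source_ip in approved_ips,
        })
    return findings
```

Run `detect_scoutsuite(SAMPLE_EVENTS, APPROVED_IDENTITIES, APPROVED_IPS)`: the sec-audit run is suppressed, the dev-temp run is flagged, and the aws-cli event is ignored.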