Best practice rules for Conformity Real-Time Threat monitoring
Trend Micro Cloud One™ – Conformity provides the following rules for Conformity Real-Time Threat monitoring:
- AWS IAM User Created
An AWS Identity and Access Management (IAM) user creation event has been detected.
- AWS IAM user has signed in without MFA
Amazon Web Services IAM user authentication without MFA has been detected.
- AWS Root user has signed in without MFA
AWS root user authentication without MFA has been detected.
- Network configuration change detected
Networking configuration changes have been detected within your Amazon Web Services account.
- Root has signed in
Amazon Web Services account authentication using root credentials has been detected.
- User activity in blocklisted regions
AWS User/API activity has been detected within blocklisted Amazon Web Services region(s).
- User has failed signing in to AWS
Monitor AWS IAM users' failed sign-in attempts.
- Users signed in to AWS from a safelisted IP Address
Amazon Web Services root/IAM user authentication from a blocklisted IP address has been detected.
- Users signed in to AWS from an approved country
Amazon Web Services root/IAM user authentication from a non-approved country has been detected.