My Methodology to AWS Detection Engineering (Part 3 - Variable Scoring)
Introduction Welcome back to the series! In Part One and Two we discussed RBA object selection tailored to AWS identities and how to assign the numerical risk values to those objects using SPL. We also looked at basic examples of how those base scores could stack up for various objects to cross a defined threshold. All that was necessary to get us here: "variable scoring". We will explore some ideas to get you on your way with variable scoring in the skies of AWS. I want to stress again that this approach is derived from work I've done in my own time using Splunk but it applies to other SIEM offerings and can be built using common programming languages like Python (which is a future project of mine). Anyway, let's get right into it: Variable Scoring Before we get too far, it may be helpful to define "variable scoring." Think of variable scoring like the thermostat in your home. The base score is the default temperature setting, providing a nice baseli