turbot/tailpipe-mod-aws-s3-server-access-log-detections

Query: s3_object_accessed_using_suspicious_user_agent

Usage

powerpipe query aws_s3_server_access_log_detections.query.s3_object_accessed_using_suspicious_user_agent

SQL

select
  tp_timestamp as timestamp,
  operation,
  bucket as resource,
  requester as actor,
  tp_source_ip as source_ip,
  tp_index as account_id,
  tp_id as source_id,
  http_status,
  error_code,
  *
from
  aws_s3_server_access_log
where
  operation in (
    'REST.GET.OBJECT',
    'REST.PUT.OBJECT',
    'REST.DELETE.OBJECT'
  )
  and (
    -- Command-line tools
    user_agent ilike '%curl%'
    or user_agent ilike '%wget%'
    or user_agent ilike '%python%'
    or user_agent ilike '%go-http%'
    or user_agent ilike '%ruby%'
    or user_agent ilike '%powershell%'
    -- Known scanners and penetration testing tools
    or user_agent ilike '%nuclei%'
    or user_agent ilike '%nmap%'
    or user_agent ilike '%burpsuite%'
    or user_agent ilike '%sqlmap%'
    or user_agent ilike '%nikto%'
    or user_agent ilike '%hydra%'
    or user_agent ilike '%metasploit%'
    or user_agent ilike '%gobuster%'
    or user_agent ilike '%dirbuster%'
    -- Suspicious bots and crawlers
    or user_agent ilike '%zgrab%'
    or user_agent ilike '%masscan%'
    or user_agent ilike '%googlebot%'
    or user_agent ilike '%baiduspider%'
    -- Generic indicators
    or user_agent ilike '%scanner%'
    or user_agent ilike '%exploit%'
    or user_agent ilike '%attack%'
    or user_agent is null
  )
order by
  tp_timestamp desc;
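As an added illustration that is not part of the mod, the Python script below runs the same filter logic over a handful of constructed S3 server access log rows loaded into an in-memory SQLite table. SQLite's LIKE is case-insensitive for ASCII, so it stands in for DuckDB's ilike; the table columns mirror the ones the query selects, and every sample row, ARN and IP is constructed. The sample set exercises the three branches a practitioner cares about: a row with no user agent (the `is null` arm), a row whose operation is not an object operation (excluded even though its user agent is a scanner), and an AWS CLI row, whose user agent string contains "Python/3.x" and is therefore caught by the '%python%' pattern.

```python
import sqlite3

# Constructed sample rows (not from the page). Column order:
# tp_timestamp, operation, bucket, requester, tp_source_ip, tp_index, tp_id,
# http_status, error_code, user_agent
SAMPLE_ROWS = [
    ("2024-01-01T10:00:00Z", "REST.GET.OBJECT", "example-bucket",
     "arn:aws:iam::111122223333:user/alice", "203.0.113.10", "111122223333",
     "evt-1", 200, None, "curl/8.4.0"),
    ("2024-01-01T10:01:00Z", "REST.GET.OBJECT", "example-bucket",
     "arn:aws:iam::111122223333:user/bob", "203.0.113.11", "111122223333",
     "evt-2", 200, None,
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"),
    # AWS CLI: legitimate, but its user agent carries the Python runtime version
    ("2024-01-01T10:02:00Z", "REST.PUT.OBJECT", "example-bucket",
     "arn:aws:iam::111122223333:role/ci", "203.0.113.12", "111122223333",
     "evt-3", 200, None, "aws-cli/2.15.0 Python/3.11.6 Linux/6.1 exe/x86_64"),
    # Anonymous request with no user agent at all
    ("2024-01-01T10:03:00Z", "REST.GET.OBJECT", "example-bucket", "-",
     "198.51.100.7", "111122223333", "evt-4", 403, "AccessDenied", None),
    # Scanner user agent, but a bucket-level operation the query does not cover
    ("2024-01-01T10:04:00Z", "REST.GET.BUCKET", "example-bucket",
     "arn:aws:iam::111122223333:user/eve", "198.51.100.8", "111122223333",
     "evt-5", 200, None, "nuclei-scanner/3.0"),
    ("2024-01-01T10:05:00Z", "REST.DELETE.OBJECT", "example-bucket",
     "arn:aws:iam::111122223333:user/eve", "198.51.100.8", "111122223333",
     "evt-6", 204, None, "MASSCAN/1.3"),
]

# Same substrings as the mod's query, grouped the same way.
SUSPICIOUS_UA_PATTERNS = [
    # Command-line tools
    "curl", "wget", "python", "go-http", "ruby", "powershell",
    # Known scanners and penetration testing tools
    "nuclei", "nmap", "burpsuite", "sqlmap", "nikto", "hydra", "metasploit",
    "gobuster", "dirbuster",
    # Suspicious bots and crawlers
    "zgrab", "masscan", "googlebot", "baiduspider",
    # Generic indicators
    "scanner", "exploit", "attack",
]
OBJECT_OPERATIONS = ("REST.GET.OBJECT", "REST.PUT.OBJECT", "REST.DELETE.OBJECT")


def build_query():
    """Build the parameterised SQLite equivalent of the detection query."""
    ua_clauses = " or ".join("user_agent like ?" for _ in SUSPICIOUS_UA_PATTERNS)
    op_placeholders = ", ".join("?" for _ in OBJECT_OPERATIONS)
    sql = f"""
        select tp_timestamp, operation, bucket, requester, tp_source_ip,
               tp_id, user_agent
        from aws_s3_server_access_log
        where operation in ({op_placeholders})
          and ({ua_clauses} or user_agent is null)
        order by tp_timestamp desc
    """
    params = list(OBJECT_OPERATIONS) + [f"%{p}%" for p in SUSPICIOUS_UA_PATTERNS]
    return sql, params


def load_rows(conn, rows):
    """Create the log table with the columns the query references and insert rows."""
    conn.execute(
        """create table aws_s3_server_access_log (
               tp_timestamp text, operation text, bucket text, requester text,
               tp_source_ip text, tp_index text, tp_id text, http_status integer,
               error_code text, user_agent text)"""
    )
    conn.executemany(
        "insert into aws_s3_server_access_log values (?,?,?,?,?,?,?,?,?,?)", rows
    )


def detect(rows=SAMPLE_ROWS):
    """Return (tp_id, user_agent) for every row the detection flags, newest first."""
    conn = sqlite3.connect(":memory:")
    try:
        load_rows(conn, rows)
        sql, params = build_query()
        return [(r[5], r[6]) for r in conn.execute(sql, params)]
    finally:
        conn.close()


if __name__ == "__main__":
    for tp_id, user_agent in detect():
        print(f"{tp_id}: {user_agent!r}")
```

Running the script flags evt-6, evt-4, evt-3 and evt-1 and leaves evt-2 (browser) and evt-5 (bucket-level operation) alone. The evt-3 hit is the one to keep in mind when tuning: both the AWS CLI and the Python SDK advertise the Python runtime in their user agent, so in accounts that use them this query produces a steady stream of benign matches unless those agents are excluded or the results are correlated with the requester and source IP.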

Detections

This query is used by the following detections: