
AWS Discovery API Calls via CLI from a Single Resource

Elastic Detection Rules

Summary
This detection rule monitors AWS CloudTrail logs for multiple `Describe`, `List`, or `Get` API calls made from a single AWS resource within a 10-second period. Identifying this behavior flags possible reconnaissance by unauthorized users or compromised resources, which may indicate that someone is mapping the AWS environment to identify targets for later attacks. The rule counts unique API actions and examines the caller's identity so that analysts can confirm such requests are legitimate and expected. False positives can arise from legitimate administrative or automated processes, so the user identity and the purpose behind high-frequency API calls must be reviewed and validated. Key investigation steps include analyzing the user identity, user agent, the specific API actions, and any related IAM activity that could indicate privilege escalation or other malicious behavior.
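The windowed counting the summary describes, as an added Python example that is not Elastic's own rule logic: it groups constructed CloudTrail-shaped records by caller ARN, counts distinct `Describe`/`List`/`Get` actions inside any 10-second span, and emits one triage record (caller, user agent, actions) per caller that crosses a threshold. The threshold of 5 unique actions, the ARNs and the sample events are assumptions; the page states only the 10-second window.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

DISCOVERY_PREFIXES = ("Describe", "List", "Get")
WINDOW = timedelta(seconds=10)   # window named in the rule summary
MIN_UNIQUE_ACTIONS = 5           # assumed threshold; the page does not state one

def parse_time(ts):
    # CloudTrail eventTime is ISO 8601 UTC, e.g. 2024-11-04T10:15:02Z
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_discovery_bursts(records, window=WINDOW, min_unique=MIN_UNIQUE_ACTIONS):
    """One finding per caller ARN whose distinct Describe/List/Get actions
    inside any span of length `window` reach `min_unique`."""
    per_caller = defaultdict(list)
    for r in records:
        if not r["eventName"].startswith(DISCOVERY_PREFIXES):
            continue
        per_caller[r["userIdentity"]["arn"]].append(
            (parse_time(r["eventTime"]), r["eventName"], r.get("userAgent", "")))
    findings = []
    for caller, calls in per_caller.items():
        calls.sort()
        for i, (start, _, agent) in enumerate(calls):
            in_window = [c for c in calls[i:] if c[0] - start <= window]
            actions = sorted({name for _, name, _ in in_window})
            if len(actions) >= min_unique:
                findings.append({"caller": caller, "user_agent": agent,
                                 "window_start": start.isoformat(), "actions": actions})
                break  # one finding per caller is enough for triage
    return findings

# Constructed CloudTrail-shaped records (only the fields the detector reads).
def _ev(ts, name, arn, agent="aws-cli/2.15.0"):
    return {"eventTime": ts, "eventName": name, "eventSource": "ec2.amazonaws.com",
            "userIdentity": {"arn": arn}, "userAgent": agent}
ROLE = "arn:aws:sts::123456789012:assumed-role/app-role/i-0abc123"   # placeholder ARN
ADMIN = "arn:aws:iam::123456789012:user/admin"                        # placeholder ARN
SAMPLE_EVENTS = [
    _ev("2024-11-04T10:15:00Z", "DescribeInstances", ROLE),
    _ev("2024-11-04T10:15:01Z", "DescribeSecurityGroups", ROLE),
    _ev("2024-11-04T10:15:03Z", "ListBuckets", ROLE),
    _ev("2024-11-04T10:15:04Z", "GetCallerIdentity", ROLE),
    _ev("2024-11-04T10:15:06Z", "DescribeVpcs", ROLE),
    _ev("2024-11-04T10:15:08Z", "ListUsers", ROLE),
    _ev("2024-11-04T10:15:09Z", "RunInstances", ROLE),            # not discovery, ignored
    _ev("2024-11-04T10:20:00Z", "DescribeInstances", ADMIN, "console.amazonaws.com"),
    _ev("2024-11-04T10:20:30Z", "DescribeVolumes", ADMIN, "console.amazonaws.com"),
]
```

Run over the sample, only the assumed-role caller is flagged (6 distinct discovery calls in 8 seconds); the admin's two console calls 30 seconds apart fall outside the window and are not reported.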
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Storage
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1580
Created: 2024-11-04