Anomalous amount of Autoscaling Group events

cloudtrail

Classification:

attack

Tactic:

TA0040-impact

Technique:

T1496-resource-hijacking

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect when an attacker is attempting to hijack an EC2 AutoScaling Group.

Strategy

This rule lets you monitor AWS EC2 Autoscaling logs (@eventSource:autoscaling.amazonaws.com) to detect when an Autoscaling group receives an anomalous amount of API calls ({{@evt.name}}).

Triage and response

  1. Confirm if the user {{@userIdentity.arn}} intended to make the {{@evt.name}} API calls.
  2. If the user did not make the API calls:
    • Rotate the credentials.
    • Investigate if the same credentials made other unauthorized API calls.
PREVIEWING: drodriguezhdez/add_public_docs_log_summarization