Abnormally High AWS Instances Launched By User

Description

This search looks for CloudTrail events where a user successfully launches an abnormally high number of instances.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Advanced Threat Detection

Category

Cloud Security, SaaS

Alert Volume

This search looks for CloudTrail events where a user successfully launches an abnormally high number of instances.

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Defense Evasion
Persistence
Privilege Escalation
Initial Access

MITRE ATT&CK Techniques

Valid Accounts

Cloud Accounts

MITRE Threat Groups

APT33

Kill Chain Phases

Actions On Objectives

Data Sources

AWS
Audit Trail

   Help

Abnormally High AWS Instances Launched By User Help

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. The threshold value should be tuned to your environment.

   Search

Open in Search