Unusual City For an AWS Command
editUnusual City For an AWS Command
editA machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different location from the authorized users.
Rule type: machine_learning
Machine learning job: rare_method_for_a_city
Machine learning anomaly threshold: 50
Severity: low
Risk score: 21
Runs every: 15 minutes
Searches indices from: now-60m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Cloud
- AWS
- ML
Version: 2 (version history)
Added (Elastic Stack release): 7.9.0
Last modified (Elastic Stack release): 7.10.0
Rule authors: Elastic
Rule license: Elastic License
Potential false positives
editNew or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration, changes in cloud automation scripts or workflows, adoption of new services, expansion into new regions, increased adoption of work from home policies, or users who travel frequently.
Investigation guide
editAlerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:
- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
-
Consider the user as identified by the
user.name
field. Is this command part of an expected workflow for the user context? Examine the user identity in theaws.cloudtrail.user_identity.arn
field and the access key id in theaws.cloudtrail.user_identity.access_key_id
field, which can help identify the precise user context. The user agent details in theuser_agent.original
field may also indicate what type of client made the request. - Consider the time of day. If the user is a human, not a program or script, did the activity take place during normal working hours?
-
Examine the history of the command. If the command, which is visible in the
event.action
field, manifested only very recently, it might be part of a new automation module or script. If its usage rate is consistent - for example, if it appears in small numbers on a weekly or monthly basis - it might be part of a housekeeping or maintenance process. - Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.
Rule version history
edit- Version 2 (7.10.0 release)
-
- Formatting only