AWS EC2 Multi-Region DescribeInstances API Calls
editAWS EC2 Multi-Region DescribeInstances API Calls
editIdentifies when a single AWS resource is making DescribeInstances API calls in more than 10 regions within a 30-second window. This could indicate a potential threat actor attempting to discover the AWS infrastructure across multiple regions using compromised credentials or a compromised instance. Adversaries may use this information to identify potential targets for further exploitation or to gain a better understanding of the target’s infrastructure.
Rule type: esql
Rule indices: None
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Data Source: AWS
- Data Source: AWS EC2
- Use Case: Threat Detection
- Tactic: Discovery
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editfrom logs-aws.cloudtrail-* // filter for DescribeInstances API calls | where event.dataset == "aws.cloudtrail" and event.provider == "ec2.amazonaws.com" and event.action == "DescribeInstances" // truncate the timestamp to a 30-second window | eval target_time_window = DATE_TRUNC(30 seconds, @timestamp) // count the number of unique regions and total API calls within the 30-second window | stats region_count = count_distinct(cloud.region), window_count = count(*) by target_time_window, aws.cloudtrail.user_identity.arn // filter for resources making DescribeInstances API calls in more than 10 regions within the 30-second window | where region_count >= 10 and window_count >= 10 // sort the results by time windows in descending order | sort target_time_window desc
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Discovery
- ID: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
-
Technique:
- Name: Cloud Infrastructure Discovery
- ID: T1580
- Reference URL: https://attack.mitre.org/techniques/T1580/