LoFP
/
t1580
t1580
Title
Tags
administrators listing buckets, it may be necessary to filter out users who commonly conduct this activity.
t1580
aws
sigma
administrators or automated systems may legitimately perform multiple `describe` and `list` api calls in a short time frame. verify the user identity and the purpose of the api calls to determine if the behavior is expected.
t1580
aws
elastic
administrators or developers who are unaware of the deprecation status of amis they are using.
t1580
aws
elastic
automated tools or scripts that query for deprecated amis as part of a security assessment.
t1580
aws
elastic
it is possible to start this detection will need to be tuned by source ip or user. in addition, change the count values to an upper threshold to restrict false positives.
t1580
aws account
splunk
known or internal account ids or automation
T1530
t1580
T1657
aws
elastic
legitimate use of deprecated amis for testing or development purposes.
t1580
aws
elastic
legitimate use of the `describeinstances` api call by an aws resource that requires information about instances in multiple regions.
t1580
aws
elastic
misconfigured applications or services that rely on deprecated amis for compatibility reasons.
t1580
aws
elastic
scheduled tasks or scripts that require information about instances in multiple regions.
t1580
aws
elastic
LoFP
/
t1580