Techniques
Sample rules
AWS EC2 Deprecated AMI Discovery
- source: elastic
- techniques:
- T1580
Description
Identifies when a user has queried for deprecated Amazon Machine Images (AMIs) in AWS. This may indicate an adversary who is looking for outdated AMIs that may be vulnerable to exploitation. While a query for deprecated AMIs is not inherently malicious and does not by itself indicate a breach, such images may be more susceptible to vulnerabilities, and the activity should be investigated for potential security risk.
Detection logic
event.dataset: "aws.cloudtrail"
and event.provider: "ec2.amazonaws.com"
and event.action: "DescribeImages"
and event.outcome: "success"
and aws.cloudtrail.flattened.request_parameters.includeDeprecated: "true"
and aws.cloudtrail.request_parameters: *owner=*
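To see how the detection logic above behaves on real-looking input, here is an added Python example that replays the rule over a handful of constructed CloudTrail records. It is not Elastic's code: the `flatten()` mapping from raw CloudTrail fields to the ECS-style names the rule queries, the `{k=v,...}` string rendering of `requestParameters` that the `*owner=*` wildcard is matched against, and the sample records themselves are all assumptions made for illustration.

```python
"""Added example: replay the DescribeImages deprecated-AMI rule over constructed records."""
from typing import Any, Dict, List

# Constructed sample records in raw CloudTrail shape (not real logs). Only the
# fields the rule consults are populated; the account id and user are placeholders.
RAW_EVENTS: List[Dict[str, Any]] = [
    {   # should match: deprecated AMIs requested, owner filter present, call succeeded
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeImages",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
        "requestParameters": {
            "filterSet": {}, "imagesSet": {},
            "ownersSet": {"items": [{"owner": "amazon"}]},
            "includeDeprecated": True,
        },
    },
    {   # should not match: includeDeprecated not set
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeImages",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
        "requestParameters": {"ownersSet": {"items": [{"owner": "self"}]}},
    },
    {   # should not match: the call was denied, so event.outcome is "failure"
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeImages",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
        "requestParameters": {"ownersSet": {"items": [{"owner": "self"}]},
                              "includeDeprecated": True},
        "errorCode": "Client.UnauthorizedOperation",
    },
    {   # should not match: includeDeprecated set but no owner filter in the request
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeImages",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
        "requestParameters": {"filterSet": {}, "imagesSet": {}, "includeDeprecated": True},
    },
    {   # should not match: a different EC2 API call
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
        "requestParameters": {"instancesSet": {}},
    },
]


def render_params(value: Any) -> str:
    """Render requestParameters as the flattened string the wildcard is matched
    against. Assumed format: '{k=v,k=v}' for objects, '[a,b]' for lists,
    lowercase booleans; this approximates, not reproduces, the ingested field."""
    if isinstance(value, dict):
        return "{" + ",".join(f"{k}={render_params(v)}" for k, v in value.items()) + "}"
    if isinstance(value, list):
        return "[" + ",".join(render_params(v) for v in value) + "]"
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def flatten(record: Dict[str, Any]) -> Dict[str, str]:
    """Map a raw CloudTrail record to the field names the rule queries.
    Assumption: this mirrors the shape of the Elastic AWS integration's output."""
    params = record.get("requestParameters") or {}
    flat = {
        "event.dataset": "aws.cloudtrail",
        "event.provider": record.get("eventSource", ""),
        "event.action": record.get("eventName", ""),
        "event.outcome": "failure" if record.get("errorCode") else "success",
        "aws.cloudtrail.request_parameters": render_params(params),
        "user.name": record.get("userIdentity", {}).get("arn", "unknown"),
    }
    if "includeDeprecated" in params:
        key = "aws.cloudtrail.flattened.request_parameters.includeDeprecated"
        flat[key] = render_params(params["includeDeprecated"])
    return flat


def matches_rule(flat: Dict[str, str]) -> bool:
    """The rule's KQL expressed as boolean logic. '*owner=*' is a substring
    wildcard, so it is checked with 'in'; every other clause is an exact match."""
    return (
        flat.get("event.dataset") == "aws.cloudtrail"
        and flat.get("event.provider") == "ec2.amazonaws.com"
        and flat.get("event.action") == "DescribeImages"
        and flat.get("event.outcome") == "success"
        and flat.get("aws.cloudtrail.flattened.request_parameters.includeDeprecated") == "true"
        and "owner=" in flat.get("aws.cloudtrail.request_parameters", "")
    )


def find_hits(raw_events: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Flatten every record and return the ones the rule would alert on."""
    return [flat for flat in map(flatten, raw_events) if matches_rule(flat)]


if __name__ == "__main__":
    for hit in find_hits(RAW_EVENTS):
        print(f"ALERT {hit['user.name']}: {hit['aws.cloudtrail.request_parameters']}")
```

Of the five constructed records only the first fires: the others are filtered out by a missing `includeDeprecated`, a failed call, a request without an owner filter, or a different API name. Note that `ownersSet=` on its own does not satisfy `*owner=*`; the wildcard is only met when an actual `owner=` key appears inside the rendered parameters, which is why the fourth record stays silent.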