LoFP / glue development endpoint activity may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.

Techniques

Sample rules

AWS Glue Development Endpoint Activity

• source: sigma
• technicques:

Description

Detects possible suspicious glue development endpoint activity.

Detection logic

condition: selection
selection:
  eventName:
  - CreateDevEndpoint
  - DeleteDevEndpoint
  - UpdateDevEndpoint
  eventSource: glue.amazonaws.com