LoFP / legitimate users may have to use SSM to perform actions against machines in the cloud to update or maintain them

Sample rules

Potential Malicious Usage of CloudTrail System Manager

Description

Detect when System Manager successfully executes commands against an instance.

Detection logic

condition: selection_event and 1 of selection_status_*
selection_event:
  eventName: SendCommand
  eventSource: ssm.amazonaws.com
selection_status_null:
  errorCode: null
selection_status_success:
  errorCode: Success
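As an added example (not part of the LoFP page or the rule's source), the detection logic above applied in Python to constructed CloudTrail records, including the two status branches and two non-matching cases, plus a hypothetical allowlist of maintenance principals to surface the false positive stated at the top. The account id, ARNs and document names are made up.

```python
# Constructed CloudTrail records (not real logs), shaped like the fields the
# rule above inspects; each covers one branch of the detection logic.
SAMPLE_EVENTS = [
    # SendCommand with no errorCode field at all: Sigma `errorCode: null`
    {"eventName": "SendCommand", "eventSource": "ssm.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/patch-automation"},
     "requestParameters": {"documentName": "AWS-RunPatchBaseline"}},
    # SendCommand with an explicit "Success" errorCode
    {"eventName": "SendCommand", "eventSource": "ssm.amazonaws.com",
     "errorCode": "Success",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"documentName": "AWS-RunShellScript"}},
    # Denied SendCommand: the rule deliberately ignores failed calls
    {"eventName": "SendCommand", "eventSource": "ssm.amazonaws.com",
     "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"}},
    # Another SSM API call: not a command execution, must not match
    {"eventName": "DescribeInstanceInformation", "eventSource": "ssm.amazonaws.com"},
]

# Hypothetical allowlist of principals expected to run maintenance via SSM.
KNOWN_MAINTENANCE_ARNS = {"arn:aws:iam::111122223333:role/patch-automation"}


def matches_rule(event: dict) -> bool:
    """Evaluate `selection_event and 1 of selection_status_*` for one record."""
    selection_event = (
        event.get("eventName") == "SendCommand"
        and event.get("eventSource") == "ssm.amazonaws.com"
    )
    # Sigma `null` matches a missing field as well as a JSON null value.
    status_null = event.get("errorCode") is None
    status_success = event.get("errorCode") == "Success"
    return selection_event and (status_null or status_success)


def triage(events, allowlist=KNOWN_MAINTENANCE_ARNS):
    """Return rule hits, marking those from known maintenance principals so the
    false positive described above can be filtered or down-ranked."""
    hits = []
    for ev in events:
        if not matches_rule(ev):
            continue
        caller = ev.get("userIdentity", {}).get("arn", "<unknown>")
        hits.append({
            "caller": caller,
            "document": ev.get("requestParameters", {}).get("documentName"),
            "expected_maintenance": caller in allowlist,
        })
    return hits
```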