Techniques
Sample rules
AWS EC2 Multi-Region DescribeInstances API Calls
- source: elastic
- techniques:
- T1580
Description
Identifies a single AWS identity (IAM user, role session or instance profile ARN) making EC2 DescribeInstances API calls in 10 or more regions within one 30-second window. Normal tooling rarely enumerates instances across that many regions that quickly; a burst like this more often indicates an actor with compromised credentials, or a compromised instance, discovering the account's infrastructure region by region. Adversaries use the resulting inventory to pick targets for further exploitation or to map the environment before moving on. The window is a fixed 30-second bucket, not a sliding one, so a burst that straddles a bucket boundary is split between two counts and may fall below the threshold.
Detection logic
from logs-aws.cloudtrail-*
// filter for DescribeInstances API calls
| where event.dataset == "aws.cloudtrail"
and event.provider == "ec2.amazonaws.com"
and event.action == "DescribeInstances"
// truncate the timestamp to a 30-second window
| eval Esql.time_window_date_trunc = date_trunc(30 seconds, @timestamp)
// keep only the relevant raw fields
| keep Esql.time_window_date_trunc, aws.cloudtrail.user_identity.arn, cloud.region
// count the number of unique regions and total API calls within the 30-second window
| stats
Esql.cloud_region_count_distinct = count_distinct(cloud.region),
Esql.event_count = count(*)
by Esql.time_window_date_trunc, aws.cloudtrail.user_identity.arn
// keep only identities that hit 10 or more distinct regions (and made at least 10 calls) within the window
| where Esql.cloud_region_count_distinct >= 10 and Esql.event_count >= 10
// sort the results by time window in descending order
| sort Esql.time_window_date_trunc desc
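To check how this logic behaves before deploying it, the following offline replica (added example, not part of the Elastic rule) reproduces the same aggregation in Python over raw CloudTrail-shaped JSON records rather than the ECS fields the ES|QL query reads. It buckets by a 30-second window and caller ARN, counts distinct regions, and alerts at 10 or more. The records, ARNs and account ID are constructed sample data, and the epoch-aligned bucketing is an assumption about how date_trunc(30 seconds, ...) aligns its windows.

```python
"""Offline replica of the multi-region DescribeInstances detection (constructed example)."""
import json
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_SECONDS = 30          # date_trunc(30 seconds, @timestamp)
MIN_DISTINCT_REGIONS = 10    # Esql.cloud_region_count_distinct >= 10
MIN_EVENTS = 10              # Esql.event_count >= 10


def parse_event_time(value):
    """CloudTrail eventTime is ISO 8601 in UTC, e.g. 2024-05-01T12:00:05Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def window_start(ts, seconds=WINDOW_SECONDS):
    """Fixed buckets aligned to the Unix epoch (assumed to match date_trunc)."""
    epoch = int(ts.timestamp())
    return epoch - (epoch % seconds)


def detect_multi_region_describe(records):
    """Return alerts, newest window first, one per (window, caller ARN)."""
    buckets = defaultdict(lambda: {"regions": set(), "events": 0})
    for rec in records:
        # same filter as the rule: EC2 DescribeInstances only
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        if rec.get("eventName") != "DescribeInstances":
            continue
        arn = rec.get("userIdentity", {}).get("arn")
        if not arn:
            continue
        key = (window_start(parse_event_time(rec["eventTime"])), arn)
        buckets[key]["regions"].add(rec["awsRegion"])
        buckets[key]["events"] += 1

    alerts = []
    for (start, arn), b in buckets.items():
        if len(b["regions"]) >= MIN_DISTINCT_REGIONS and b["events"] >= MIN_EVENTS:
            alerts.append({
                "window_start": datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
                "arn": arn,
                "region_count": len(b["regions"]),
                "event_count": b["events"],
                "regions": sorted(b["regions"]),
            })
    alerts.sort(key=lambda a: a["window_start"], reverse=True)
    return alerts


REGIONS = [
    "us-east-1", "us-east-2", "us-west-1", "us-west-2", "ca-central-1",
    "eu-west-1", "eu-west-2", "eu-west-3", "eu-central-1", "eu-north-1",
    "ap-southeast-1", "ap-southeast-2", "ap-northeast-1", "ap-south-1", "sa-east-1",
]


def make_record(arn, region, event_time, event_name="DescribeInstances"):
    """Minimal CloudTrail-shaped record (constructed sample data)."""
    return {
        "eventVersion": "1.08",
        "eventTime": event_time,
        "eventSource": "ec2.amazonaws.com",
        "eventName": event_name,
        "awsRegion": region,
        "userIdentity": {"type": "IAMUser", "arn": arn},
    }


# Constructed identities; the account ID is a placeholder.
ATTACKER = "arn:aws:iam::123456789012:user/compromised"
INVENTORY = "arn:aws:sts::123456789012:assumed-role/InventoryRole/nightly"
SLOW = "arn:aws:iam::123456789012:user/slow-scanner"

SAMPLE_RECORDS = (
    # 12 regions in 12 seconds, all inside the 12:00:00-12:00:29 bucket: fires
    [make_record(ATTACKER, r, f"2024-05-01T12:00:{i:02d}Z") for i, r in enumerate(REGIONS[:12])]
    # benign inventory job touching 3 regions: below threshold
    + [make_record(INVENTORY, r, "2024-05-01T12:00:10Z") for r in REGIONS[:3]]
    # same 12 regions spread over 12:01:24-12:01:35, split 6/6 across a bucket edge: missed
    + [make_record(SLOW, r, f"2024-05-01T12:01:{24 + i:02d}Z") for i, r in enumerate(REGIONS[:12])]
    # a different EC2 call from the attacker, excluded by the eventName filter
    + [make_record(ATTACKER, "us-east-1", "2024-05-01T12:00:03Z", event_name="DescribeRegions")]
)

if __name__ == "__main__":
    for alert in detect_multi_region_describe(SAMPLE_RECORDS):
        print(json.dumps(alert))
```

Running the script prints a single alert for the compromised user. The slow-scanner identity, which touched exactly the same 12 regions in 12 seconds, produces nothing because its burst fell across a bucket boundary; if that gap matters in your environment, lower the threshold or add a second rule with an offset window rather than relying on one fixed bucket.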