LoFP / there are legitimate uses of ssm to send commands to ec2 instances

Techniques

Sample rules

Potential Malicious Usage of CloudTrail System Manager

Description

Detect when System Manager successfully executes commands against an instance.

Detection logic

condition: selection
selection:
  eventName: SendCommand
  eventSource: ssm.amazonaws.com
  responseElements.command.status: Success