Elastic Security Detection Rules

AWS SSM Inventory Reconnaissance by Rare User

Last updated 7 days ago on 2026-02-18
Created 14 days ago on 2026-02-11

About

Detects the rare occurrence of a user or role accessing AWS Systems Manager (SSM) inventory APIs or running the AWS-GatherSoftwareInventory job. These APIs reveal detailed information about managed EC2 instances including installed software, patch compliance status, and command execution history. Adversaries may use these calls to collect software inventory while blending in with legitimate AWS operations. This is a New Terms rule that detects when a user accesses these reconnaissance APIs for the first time.
Tags
Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: AWS SSMUse Case: Threat DetectionTactic: DiscoveryLanguage: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Discovery (TA0007)(external, opens in a new tab or window)

Cloud Service Dashboard (T1538)(external, opens in a new tab or window)

Cloud Infrastructure Discovery (T1580)(external, opens in a new tab or window)

False Positive Examples
Legitimate administrators or automation tools may access SSM inventory APIs for asset management or compliance purposes. Verify whether the user identity should be using these APIs. If known behavior is causing false positives, add exceptions.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*logs-aws.cloudtrail-*
Related Integrations

aws(external, opens in a new tab or window)

Query
text code block:
event.dataset: "aws.cloudtrail"
    and event.provider: "ssm.amazonaws.com"
    and (
        event.action: ("GetInventory" or "GetInventorySchema" or "ListInventoryEntries" or "DescribeInstancePatches" or "ListCommands")
        or (event.action: "CreateAssociation"
            and aws.cloudtrail.request_parameters: *AWS-GatherSoftwareInventory*)
    )
    and not aws.cloudtrail.user_identity.type : "AWSService" 
    and event.outcome: "success"

Install detection rules in Elastic Security

Detect AWS SSM Inventory Reconnaissance by Rare User in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).