Elastic Security Detection Rules

AWS Service Quotas Multi-Region `GetServiceQuota` Requests

Last updated a month ago on 2025-07-16
Created a year ago on 2024-08-26

About

Identifies when a single AWS resource is making `GetServiceQuota` API calls for the EC2 service quota L-1216C47A in more than 10 regions within a 30-second window. Quota code L-1216C47A represents on-demand instances which are used by adversaries to deploy malware and mine cryptocurrency. This could indicate a potential threat actor attempting to discover the AWS infrastructure across multiple regions using compromised credentials or a compromised instance.
Tags
Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: AWS Service QuotasUse Case: Threat DetectionTactic: DiscoveryLanguage: esql
Severity
low
Risk Score
21
MITRE ATT&CK™

Discovery (TA0007)(opens in a new tab or window)

Cloud Infrastructure Discovery (T1580)(opens in a new tab or window)

License
Elastic License v2(opens in a new tab or window)

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

(opens in a new tab or window)

Query
from logs-aws.cloudtrail-*

// filter for GetServiceQuota API calls
| where
  event.dataset == "aws.cloudtrail"
  and event.provider == "servicequotas.amazonaws.com"
  and event.action == "GetServiceQuota"

// truncate the timestamp to a 30-second window
| eval Esql.time_window_date_trunc = date_trunc(30 seconds, @timestamp)

// dissect request parameters to extract service and quota code
| dissect aws.cloudtrail.request_parameters "{%{?Esql.aws_cloudtrail_request_parameters_service_code_key}=%{Esql.aws_cloudtrail_request_parameters_service_code}, %{?quota_code_key}=%{Esql.aws_cloudtrail_request_parameters_quota_code}}"

// filter for EC2 service quota L-1216C47A (vCPU on-demand instances)
| where Esql.aws_cloudtrail_request_parameters_service_code == "ec2" and Esql.aws_cloudtrail_request_parameters_quota_code == "L-1216C47A"

// keep only the relevant fields
| keep
    Esql.time_window_date_trunc,
    aws.cloudtrail.user_identity.arn,
    cloud.region,
    Esql.aws_cloudtrail_request_parameters_service_code,
    Esql.aws_cloudtrail_request_parameters_quota_code

// count the number of unique regions and total API calls within the time window
| stats
    Esql.cloud_region_count_distinct = count_distinct(cloud.region),
    Esql.event_count = count(*)
  by Esql.time_window_date_trunc, aws.cloudtrail.user_identity.arn

// filter for API calls in more than 10 regions within the 30-second window
| where
  Esql.cloud_region_count_distinct >= 10
  and Esql.event_count >= 10

// sort by time window descending
| sort Esql.time_window_date_trunc desc

Install detection rules in Elastic Security

Detect AWS Service Quotas Multi-Region `GetServiceQuota` Requests in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).