AWS Lambda Event Source Mapping Creation

Last updated 6 days ago on 2026-06-18
Created 6 days ago on 2026-06-18

About

Identifies the creation of an AWS Lambda event source mapping, which connects an event source such as an Amazon SQS queue, an Amazon Kinesis or DynamoDB stream, an Amazon MSK or self-managed Apache Kafka topic, or an Amazon MQ broker to a Lambda function so the function is automatically invoked when new records arrive. Adversaries with "lambda:CreateEventSourceMapping" permissions can abuse this to establish stealthy, event-driven persistence and execution, or to continuously siphon records from a stream or queue into attacker-controlled function code. Because the function then runs on its own whenever the source produces events, this grants durable execution without any further interactive activity by the adversary.
Tags
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS CloudTrail
Data Source: AWS Lambda
Use Case: Threat Detection
Tactic: Persistence
Language: kuery
Severity
low
Risk Score
21
MITRE ATT&CK™

Persistence (TA0003)

Execution (TA0002)

Defense Evasion (TA0005)

False Positive Examples
Application teams and infrastructure-as-code pipelines routinely create event source mappings to wire data pipelines, queue consumers, and stream processors to Lambda functions. Verify whether the principal in `aws.cloudtrail.user_identity.arn`, the function, and the event source are expected for the workload. Known deployment roles and automation can be excluded after validation.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-aws.cloudtrail-*
Related Integrations

aws

Query
data_stream.dataset: "aws.cloudtrail" and event.provider: "lambda.amazonaws.com" and event.action: CreateEventSourceMapping* and event.outcome: "success"
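
The following triage sketch is an added example, not part of the Elastic rule. It applies the query's conditions to raw CloudTrail records and then the false-positive guidance above, marking principals on a validated deployer allowlist. The allowlist ARN, the sample records, and the `requestParameters` field names (`functionName`, `eventSourceArn`) are assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase

# Hypothetical allowlist of validated deployment roles (session name omitted).
KNOWN_DEPLOYERS = {"arn:aws:sts::111122223333:assumed-role/cicd-deploy"}

def principal_key(arn):
    """Drop the session name from assumed-role ARNs so one role matches any session."""
    return "/".join(arn.split("/")[:2]) if ":assumed-role/" in arn else arn

def rule_matches(rec):
    """The rule's CloudTrail conditions, applied to a raw record."""
    return (rec.get("eventSource") == "lambda.amazonaws.com"
            # Lambda API names are logged with a version suffix, hence the wildcard.
            and fnmatchcase(rec.get("eventName", ""), "CreateEventSourceMapping*")
            # Assumption: absence of errorCode corresponds to event.outcome "success".
            and "errorCode" not in rec)

def triage(records, known=KNOWN_DEPLOYERS):
    """Return one finding per matching record, marking allowlisted principals."""
    findings = []
    for rec in records:
        if not rule_matches(rec):
            continue
        arn = (rec.get("userIdentity") or {}).get("arn", "")
        params = rec.get("requestParameters") or {}
        findings.append({
            "principal": arn,
            "function": params.get("functionName"),
            # Self-managed Kafka mappings carry no eventSourceArn, so this may be None.
            "source": params.get("eventSourceArn"),
            "expected": principal_key(arn) in known,
        })
    return findings

# Constructed sample records (not real telemetry).
SAMPLE = [
    {"eventSource": "lambda.amazonaws.com", "eventName": "CreateEventSourceMapping20150331",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/cicd-deploy/build-42"},
     "requestParameters": {"functionName": "orders-consumer",
                           "eventSourceArn": "arn:aws:sqs:us-east-1:111122223333:orders"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "CreateEventSourceMapping20150331",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"functionName": "tmp-fn",
                           "eventSourceArn": "arn:aws:kinesis:us-east-1:111122223333:stream/payments"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "CreateEventSourceMapping20150331",
     "errorCode": "AccessDenied", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "ListEventSourceMappings20150331",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
]
```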

Install detection rules in Elastic Security

Detect AWS Lambda Event Source Mapping Creation in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.