Unusual City For an AWS Command

Last updated a year ago on 2024-06-18

Created 5 years ago on 2020-07-13

About

A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).

Tags: Domain: CloudData Source: AWSData Source: Amazon Web ServicesRule Type: MLRule Type: Machine Learning
Severity: low
Risk Score: 21
False Positive Examples: New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently.
License: Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Machine Learning
Integration Pack: Prebuilt Security Detection Rules
Related Integrations: aws(opens in a new tab or window)
Query

Install detection rules in Elastic Security

Detect Unusual City For an AWS Command in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).