Unusual AWS Command for a User

Last updated: 2024-06-18
Created: 2020-07-13

About

A machine learning job detected an AWS API call that is not inherently suspicious or abnormal on its own, but is being made by a user context that does not normally use that command. This can indicate compromised credentials or access keys: an attacker using a valid account to persist, move laterally, or exfiltrate data will often issue API calls the legitimate user never makes.
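The following is an added illustration of the idea behind this rule, not Elastic's own machine learning job and not a reproduction of its model. It builds a per-principal history of CloudTrail `eventName` values from constructed sample events, then classifies a new call as rare for that principal when the command is used elsewhere in the account but (almost) never by this user. A minimum-history guard suppresses the "new user" false positive described in the rule's own notes. The principal ARNs, thresholds and event records are assumptions made up for the example:

```python
"""Toy "rare API command for this user" detector over CloudTrail-style events.

Added illustration only: this is not Elastic's machine learning job and does
not reproduce its model. It approximates the rule's idea with plain counts:
build a per-principal history of eventName values, then flag a new call whose
eventName is common across the account but (almost) never used by the calling
principal, while suppressing principals that have too little history to judge.
"""
from collections import Counter, defaultdict

# Fictitious principals; 123456789012 is the AWS documentation sample account.
DEVOPS = "arn:aws:iam::123456789012:user/devops-ci"
ANALYST = "arn:aws:iam::123456789012:user/data-analyst"
NEWHIRE = "arn:aws:iam::123456789012:user/new-hire"


def make_event(arn, event_name, event_source="ec2.amazonaws.com"):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {
        "userIdentity": {"type": "IAMUser", "arn": arn},
        "eventSource": event_source,
        "eventName": event_name,
    }


# Constructed history: an EC2-heavy CI user, an S3-only analyst and a
# principal with almost no activity yet.
BASELINE_EVENTS = (
    [make_event(DEVOPS, "DescribeInstances")] * 20
    + [make_event(DEVOPS, "RunInstances")] * 5
    + [make_event(DEVOPS, "CreateAccessKey", "iam.amazonaws.com")] * 2
    + [make_event(ANALYST, "GetObject", "s3.amazonaws.com")] * 25
    + [make_event(ANALYST, "ListObjects", "s3.amazonaws.com")] * 10
    + [make_event(NEWHIRE, "GetObject", "s3.amazonaws.com")] * 2
)


def principal_of(event):
    """Key the history on the principal ARN (falls back to principalId)."""
    identity = event["userIdentity"]
    return identity.get("arn") or identity.get("principalId")


def build_baseline(events):
    """Return (per-principal Counter of eventName, account-wide Counter)."""
    per_user = defaultdict(Counter)
    account = Counter()
    for event in events:
        per_user[principal_of(event)][event["eventName"]] += 1
        account[event["eventName"]] += 1
    return per_user, account


def score_event(event, per_user, account, min_history=10, rare_ratio=0.02):
    """Classify one new event against the baseline.

    Verdicts, checked in this order:
      insufficient_history - principal has < min_history calls; do not judge
      novel_for_account    - eventName never seen anywhere in the baseline
      rare_for_user        - used in the account, (nearly) unused by this user
      normal               - within the principal's usual behaviour
    """
    user = principal_of(event)
    name = event["eventName"]
    history = per_user.get(user, Counter())
    user_total = sum(history.values())
    user_count = history[name]
    account_count = account[name]

    if user_total < min_history:
        verdict = "insufficient_history"
    elif account_count == 0:
        verdict = "novel_for_account"
    elif user_count / user_total < rare_ratio:
        verdict = "rare_for_user"
    else:
        verdict = "normal"

    return {
        "principal": user,
        "eventName": name,
        "user_count": user_count,
        "user_total": user_total,
        "account_count": account_count,
        "verdict": verdict,
    }


if __name__ == "__main__":
    per_user, account = build_baseline(BASELINE_EVENTS)
    candidates = [
        make_event(ANALYST, "CreateAccessKey", "iam.amazonaws.com"),
        make_event(DEVOPS, "DescribeInstances"),
        make_event(NEWHIRE, "CreateAccessKey", "iam.amazonaws.com"),
        make_event(DEVOPS, "DeleteTrail", "cloudtrail.amazonaws.com"),
    ]
    for candidate in candidates:
        result = score_event(candidate, per_user, account)
        print(f"{result['verdict']:22} {result['principal']} {result['eventName']}")
```

The analyst calling `CreateAccessKey` is flagged as rare for that user even though the CI user issues the same call routinely, which is exactly the "not inherently suspicious, but unusual for this principal" signal the rule targets. The same call from the new hire is left unjudged for lack of history, and a command never seen in the account at all is reported separately so it can be triaged as a different kind of anomaly.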
Tags
Domain: Cloud, Data Source: AWS, Data Source: Amazon Web Services, Rule Type: ML, Rule Type: Machine Learning
Severity
low
Risk Score
21
False Positive Examples
New or unusual user command activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; or changes in the way services are used.
License
Elastic License v2

Definition

Rule Type
Machine Learning
Integration Pack
Prebuilt Security Detection Rules
Related Integrations

aws

Query

This is a machine learning rule: it is driven by an anomaly detection job and an anomaly score threshold rather than by a KQL or EQL query, so there is no query to show here.
Install detection rules in Elastic Security

Detect Unusual AWS Command for a User in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.