AWS Discovery API Calls from VPN ASN for the First Time by Identity

Last updated a month ago on 2026-04-03
Created a month ago on 2026-04-03

About

Flags the first time a given IAM principal invokes a narrow set of high-signal discovery APIs (credential check, account and IAM enumeration, bucket and compute inventory, logging introspection) from a source IP whose autonomous system number (ASN) matches a curated set commonly associated with consumer VPN brands, VPN-heavy hosting, and provider networks referenced in public reporting on TeamPCP activity (for example 31173 Services AB, which announces AS39351, and Oy Crea Nova Hosting Solution Ltd). Broad `List*`/`Describe*` patterns are intentionally omitted to reduce noise. Hosting ASNs are heavily dual-use; validate `source.as.number` in your data and extend `event.action` only when your baseline allows it.
Tags
Domain: Cloud
Domain: Identity
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS CloudTrail
Use Case: Threat Detection
Tactic: Discovery
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Discovery (TA0007)

False Positive Examples
Administrators, developers, CI runners, and SaaS egress often exit through Datacamp, M247, Vultr, Linode, or brand-name VPN ASNs. Expect more noise on hosting ASNs than on VPN-only registrations. Exclude approved principals, accounts, CIDRs, or ASNs after review. GeoIP and ASN enrichment gaps (`source.as.number` unset) will skip events entirely. Maintain the ASN list with local intelligence (for example RIPE, BGPView, or peeringdb).
License
Elastic License v2

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-aws.cloudtrail-*
Related Integrations

aws

Query
event.dataset: "aws.cloudtrail" and event.outcome: "success" and
aws.cloudtrail.user_identity.arn: (* and not *AWSServiceRoleForConfig*) and
not aws.cloudtrail.user_identity.type: "AWSService" and
event.provider: (
  "sts.amazonaws.com" or "iam.amazonaws.com" or "s3.amazonaws.com" or "ec2.amazonaws.com" or
  "lambda.amazonaws.com" or "rds.amazonaws.com" or "dynamodb.amazonaws.com" or
  "kms.amazonaws.com" or "cloudtrail.amazonaws.com"
) and
event.action: (
  "GetCallerIdentity" or "ListUsers" or "ListRoles" or "ListAccessKeys" or "GetAccountSummary" or
  "ListAccountAliases" or "ListGroups" or "ListMFADevices" or "ListBuckets" or "DescribeInstances" or
  "DescribeRegions" or "DescribeVpcs" or "DescribeSecurityGroups" or "ListFunctions" or
  "DescribeDBInstances" or "DescribeDBSnapshots" or "ListTables" or "ListKeys" or "ListAliases" or
  "DescribeTrails" or "LookupEvents"
) and
source.as.number: (
  216025 or 57138 or 207137 or 212238 or 199218 or 209103 or 209854 or 141039 or 147049 or 53314 or
  60068 or 9009 or 20473 or 63949 or 39351 or 51765 or 204187 or 29066 or 206092
)
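As an added example that is not part of the Elastic rule or its query, the Python below re-implements the query's filter and the New Terms first-seen behaviour over constructed, flattened CloudTrail-shaped events, so the suppression cases the page describes (Config service role, unset `source.as.number`, broad `Describe*` calls, reviewed principals) can be checked offline. The provider, action and ASN sets are copied from the query; the (ARN, ASN) term key, the `allowlist` parameter, and all ARNs and events are assumptions or constructed sample data.

```python
PROVIDERS = {"sts.amazonaws.com", "iam.amazonaws.com", "s3.amazonaws.com", "ec2.amazonaws.com",
             "lambda.amazonaws.com", "rds.amazonaws.com", "dynamodb.amazonaws.com",
             "kms.amazonaws.com", "cloudtrail.amazonaws.com"}
ACTIONS = {"GetCallerIdentity", "ListUsers", "ListRoles", "ListAccessKeys", "GetAccountSummary",
           "ListAccountAliases", "ListGroups", "ListMFADevices", "ListBuckets", "DescribeInstances",
           "DescribeRegions", "DescribeVpcs", "DescribeSecurityGroups", "ListFunctions", "DescribeDBInstances",
           "DescribeDBSnapshots", "ListTables", "ListKeys", "ListAliases", "DescribeTrails", "LookupEvents"}
VPN_ASNS = {216025, 57138, 207137, 212238, 199218, 209103, 209854, 141039, 147049, 53314,
            60068, 9009, 20473, 63949, 39351, 51765, 204187, 29066, 206092}

def matches_rule(ev):
    """Return True when a flattened CloudTrail event satisfies the rule's KQL filter."""
    arn = ev.get("aws.cloudtrail.user_identity.arn")
    return (ev.get("event.dataset") == "aws.cloudtrail" and ev.get("event.outcome") == "success"
            # arn:(* and not *AWSServiceRoleForConfig*): ARN present and not the Config service role
            and bool(arn) and "AWSServiceRoleForConfig" not in arn
            and ev.get("aws.cloudtrail.user_identity.type") != "AWSService"
            and ev.get("event.provider") in PROVIDERS and ev.get("event.action") in ACTIONS
            # an unset source.as.number (no ASN enrichment) never matches, as the page notes
            and ev.get("source.as.number") in VPN_ASNS)

def first_seen_alerts(events, allowlist=frozenset()):
    """Emulate the New Terms rule: one alert the first time an (ARN, ASN) pair is seen; allowlist
    suppresses reviewed ARNs. The (ARN, ASN) key is an assumption; the page lists no new_terms fields."""
    seen, alerts = set(), []
    for ev in events:
        if not matches_rule(ev):
            continue
        key = (ev["aws.cloudtrail.user_identity.arn"], ev["source.as.number"])
        if key[0] in allowlist or key in seen:
            continue
        seen.add(key)
        alerts.append((key[0], key[1], ev["event.action"]))
    return alerts

def event(arn, action, provider, asn, outcome="success", utype="IAMUser"):  # constructed sample event
    return {"event.dataset": "aws.cloudtrail", "event.outcome": outcome, "event.provider": provider,
            "event.action": action, "aws.cloudtrail.user_identity.arn": arn,
            "aws.cloudtrail.user_identity.type": utype, "source.as.number": asn}

ALICE = "arn:aws:iam::111122223333:user/alice"  # constructed sample ARN
CI = "arn:aws:sts::111122223333:assumed-role/ci-runner/build-42"  # constructed sample ARN
SAMPLE_EVENTS = [
    event(ALICE, "GetCallerIdentity", "sts.amazonaws.com", 39351),  # first sighting of alice@AS39351: alert
    event(ALICE, "ListBuckets", "s3.amazonaws.com", 39351),         # same ARN+ASN pair: no new term
    event(ALICE, "ListUsers", "iam.amazonaws.com", 20473),          # new ASN for alice: alert
    event(ALICE, "DescribeSubnets", "ec2.amazonaws.com", 20473),    # broad Describe*: not in rule list
    event(CI, "DescribeInstances", "ec2.amazonaws.com", 20473),     # reviewed CI runner: allowlisted
    event(ALICE, "ListKeys", "kms.amazonaws.com", None),            # no ASN enrichment: skipped
]
```

Running `first_seen_alerts(SAMPLE_EVENTS, allowlist={CI})` yields two alerts, one per first-seen (ARN, ASN) pair for alice; dropping the allowlist adds a third for the CI runner.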

Install detection rules in Elastic Security

Detect AWS Discovery API Calls from VPN ASN for the First Time by Identity in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.