<  Back to rules search

AWS EC2 instance participating in a DoS attack

guardduty

Classification:

attack

Tactic:

TA0040-impact

Technique:

T1496-resource-hijacking

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

WARNING: This rule is being deprecated on 6 March 2023.

  • Cloud SIEM team performs a regular audit of all detection rules to maintain high signal quality. We will be replacing this rule with an improved third party detection rule after the deprecation date. This rule will allow you to receive coverage with all GuardDuty detections and correlate them with other security signals fired.

Goal

Detect when an EC2 instance is participating in a Denial of Service (DoS) attack.

Strategy

This rule lets you monitor these GuardDuty integration findings:

Triage and response

  1. Determine if the EC2 instance is compromised and participating in a DoS attack.
  2. If the instance is compromised:
    • Review the AWS documentation on remediating a compromised EC2 instance.

Changelog

1 November 2022 - Updated links.