Unusual AWS enumeration event from EC2 instance
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detect when a previously unseen EC2 instance enumerates resources within AWS.
Strategy
This rule lets you monitor Amazon EC2 instances to detect when any Get
, List
, or Describe
API call is observed. It does this by inspecting the EC2 instance roles (@userIdentity.assumed_role
) performing actions within your AWS account over a 7-day window. Newly detected instance roles after this 7-day window will generate security signals.
Triage and response
- Determine whether the activity from the role:
{{@userIdentity.assumed_role}}
attached to EC2 instance: {{@host}}
is expected. - If the action is legitimate, consider including the EC2 instance in a suppression list. See Best practices for creating detection rules with Datadog Cloud SIEM for more information.
- If the action shouldn’t have been happened:
- Contact the owner of the instance:
{{@host}}
and see if they made the API call. - Use the Host Investigation dashboard to see if the host:
{{@host}}
has taken other actions. - Use the Cloud SIEM - IP Investigation dashboard to see if there’s more traffic from the IP:
{{@network.client.ip}}
.
- If the results of the triage indicate that an attacker has taken the action, begin your company’s incident response process as well as an investigation.