API

Anomalous amount of Autoscaling Group events

Docs > Datadog Security > OOTB Rules > Anomalous amount of Autoscaling Group events

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect when an attacker is attempting to hijack an EC2 AutoScaling Group.

Strategy

This rule lets you monitor AWS EC2 Autoscaling logs (@eventSource:autoscaling.amazonaws.com) to detect when an Autoscaling group receives an anomalous amount of API calls ({{@evt.name}}).

Triage and response

Confirm if the user {{@userIdentity.arn}} intended to make the {{@evt.name}} API calls.
If the user did not make the API calls:
- Rotate the credentials.
- Investigate if the same credentials made other unauthorized API calls.