AWS EC2 new event for application

cloudtrail

Goal

Detects when an application on a host has a new, unrecognized API call.

Strategy

Using the New Value detection method, find when an application has a new @evt.name on a host.

Triage and response

  1. Determine if the host: {{host}} running the application: {{application}} should have done the following event(s){{@evt.name}}:
    • If yes, you can Archive the signal.
    • If no, investigate further by clicking on the Suggested Actions tab for the signal
  2. If necessary, initiate your company’s incident response process.

Changelog

  • 14 November 2022 - Updated severity.