Anomalous amount of Autoscaling Group events


Detect when an attacker is attempting to hijack an EC2 AutoScaling Group.


This rule lets you monitor AWS EC2 Autoscaling logs to detect when an Autoscaling group receives an anomalous number of API calls ({{}}).

Triage and response

  1. Confirm if the user {{@userIdentity.arn}} intended to make the {{}} API calls.
  2. If the user did not make the API calls:
    • Rotate the credentials.
    • Investigate if the same credentials made other unauthorized API calls.
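
The detection and the last triage step, sketched as an added example (not the rule's own logic or query). It assumes CloudTrail-style records with eventSource, eventName, eventTime and userIdentity.arn fields, uses a median + MAD threshold as a stand-in for the anomaly model, and runs on constructed sample data with a made-up user ARN.

```python
from collections import Counter, defaultdict
from statistics import median

AUTOSCALING = "autoscaling.amazonaws.com"  # CloudTrail eventSource for EC2 Auto Scaling

def hourly_counts(records):
    """Auto Scaling API calls per userIdentity.arn, bucketed by hour."""
    counts = defaultdict(Counter)
    for r in records:
        if r.get("eventSource") == AUTOSCALING:
            arn = r.get("userIdentity", {}).get("arn", "unknown")
            counts[arn][r["eventTime"][:13]] += 1  # e.g. "2024-05-01T10"
    return counts

def anomalous_hours(counts, k=5.0):
    """Flag hours above median + k * MAD of the same ARN's hourly counts.
    Assumed stand-in for an anomaly model; MAD is floored at 1 so a flat
    baseline does not alert on a single extra call."""
    flagged = []
    for arn, hours in counts.items():
        values = list(hours.values())
        med = median(values)
        mad = max(median(abs(v - med) for v in values), 1)
        for hour, n in sorted(hours.items()):
            if n > med + k * mad:
                flagged.append((arn, hour, n))
    return flagged

def other_calls(records, arn):
    """Triage pivot: non-Auto Scaling API calls made by the same identity."""
    return Counter((r["eventSource"], r["eventName"]) for r in records
                   if r.get("userIdentity", {}).get("arn") == arn
                   and r.get("eventSource") != AUTOSCALING)

def _rec(arn, hour, source, name):
    return {"eventTime": f"2024-05-01T{hour:02d}:15:00Z", "eventSource": source,
            "eventName": name, "userIdentity": {"arn": arn}}

# Constructed sample: 12 quiet hours, then a burst plus IAM activity at 13:00.
USER = "arn:aws:iam::123456789012:user/example-deployer"
SAMPLE = [_rec(USER, h, AUTOSCALING, "DescribeAutoScalingGroups")
          for h in range(12) for _ in range(2)]
SAMPLE += [_rec(USER, 13, AUTOSCALING, "UpdateAutoScalingGroup") for _ in range(40)]
SAMPLE += [_rec(USER, 13, "iam.amazonaws.com", "CreateAccessKey")]

if __name__ == "__main__":
    for arn, hour, n in anomalous_hours(hourly_counts(SAMPLE)):
        print(f"{arn} made {n} Auto Scaling calls in {hour}")
        print("other calls:", dict(other_calls(SAMPLE, arn)))
```

An identity with only one hour of history has no baseline in this sketch and is never flagged, so first-seen callers need a separate check.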