High volume of AWS SageMaker notebooks created in a short period of time
Goal
Detects a high volume of AWS SageMaker notebook instances created by a single user identity in a short time window.
Strategy
This rule monitors AWS CloudTrail logs for CreateNotebookInstance API calls to sagemaker.amazonaws.com. The detection triggers when a single identity ARN creates more than 10 notebook instances within a 5-minute window. SageMaker notebook instances provide on-demand compute resources that attackers target for cryptomining operations after compromising AWS credentials. Rapid creation of multiple notebook instances is unusual for legitimate use and often indicates an attacker attempting to maximize compute resources before detection.
Triage & Response
- Examine the identity {{@userIdentity.arn}} to determine if the user or role has a legitimate reason to create multiple SageMaker notebook instances.
- Review the AWS account and region where the notebook instances were created to identify any unusual geographic patterns.
- Check for other suspicious API calls from the same identity ARN around the time of the notebook creation events.
- Identify the instance types requested for the notebooks to determine if they are high-compute instances typically used for cryptomining.
- Disable or rotate credentials for the affected identity if the activity is determined to be unauthorized.