Amazon EC2 AWS-ec2

54 operations, identified by eventName in the audit log.

eventName	Description
_catch_all	Catch-all entry for AWS-ec2 rules that match the service but not a specific eventName.
AssociateIamInstanceProfile	Associates an IAM instance profile with a running or stopped EC2 instance.
AuthorizeSecurityGroupEgress	Adds outbound rules to a security group to allow traffic to the specified destination.
AuthorizeSecurityGroupIngress	Adds inbound rules to a security group to allow traffic from the specified source.
CreateInstanceExportTask	Exports a running or stopped EC2 instance to an Amazon S3 bucket in OVA, VHD, or VMDK format.
CreateKeyPair	Creates an ED25519 or 2048-bit RSA key pair and stores the public key in EC2, returning the private key material.
CreateNetworkAcl	Creates a new network ACL in the specified VPC.
CreateNetworkAclEntry	Creates an entry (rule) in a network ACL with the specified rule number, protocol, and traffic action.
CreateRoute	Creates a route in a route table within a VPC, specifying the destination CIDR and target.
CreateRouteTable	Creates a route table for the specified VPC.
CreateSecurityGroup	Creates a security group in a specified VPC or for EC2-Classic.
CreateStoreImageTask	Stores an Amazon Machine Image (AMI) as a single object in an Amazon S3 bucket.
CreateTrafficMirrorSession	Creates a traffic mirror session that copies network traffic from a source network interface to a target.
DeleteFlowLogs	Deletes one or more VPC flow logs.
DeleteNetworkAcl	Deletes the specified network ACL, which must not be associated with any subnets.
DeleteNetworkAclEntry	Deletes the specified ingress or egress entry (rule) from the specified network ACL.
DeleteRoute	Deletes the specified route from the specified route table.
DeleteRouteTable	Deletes the specified route table, which must not be associated with any subnet.
DescribeCarrierGateways	Describes one or more carrier gateways associated with a VPC.
DescribeClientVpnRoutes	Describes the routes for a specified Client VPN endpoint.
DescribeDhcpOptions	Describes one or more DHCP options sets in the account.
DescribeImages	Describes one or more Amazon Machine Images (AMIs) available to the account.
DescribeInstanceAttribute	Describes the specified attribute of the specified EC2 instance.
DescribeInstances	Returns detailed information about one or more EC2 instances, including their state, type, network interfaces, and associated metadata.
DescribeRegions	Returns the AWS regions that are enabled for the caller's account, or all regions that are available to EC2.
DescribeSecurityGroups	Returns information about one or more EC2 security groups, including their inbound and outbound rules.
DescribeSnapshotAttribute	Describes the specified attribute of the specified EBS snapshot.
DescribeSnapshotTierStatus	Describes the storage tier status of one or more EBS snapshots.
DescribeTransitGatewayMulticastDomains	Describes one or more transit gateway multicast domains.
DescribeVolumes	Describes the specified EBS volumes or all EBS volumes in the account.
DescribeVolumesModifications	Describes the most recent volume modification request for the specified EBS volumes.
DescribeVpcEndpointConnectionNotifications	Describes the connection notifications for VPC endpoints and VPC endpoint services.
DescribeVpcs	Returns information about one or more VPCs in the account, including their CIDR blocks, state, and associated attributes.
DisableEbsEncryptionByDefault	Disables default EBS encryption for EBS volumes created in the current account and Region.
DisassociateRouteTable	Disassociates a subnet or gateway from a route table.
EnableSerialConsoleAccess	Enables access to the EC2 serial console for EC2 instances in the current account and Region.
ExportImage	Exports an Amazon Machine Image (AMI) to an Amazon S3 bucket.
GetBucketReplication	Retrieves the replication configuration of the specified Amazon S3 bucket via an EC2 VPC endpoint.
GetEbsDefaultKmsKeyId	Retrieves the default KMS key ID used for EBS encryption in the current Region.
GetEbsEncryptionByDefault	Retrieves the default EBS encryption setting for the current account and Region.
GetPasswordData	Retrieves the encrypted administrator password for a Windows instance.
GetTransitGatewayRouteTableAssociations	Gets information about the route table associations for the specified transit gateway route table.
ImportKeyPair	Imports the public key from an RSA or ED25519 key pair that you created with a third-party tool.
ModifyImageAttribute	Modifies the specified attribute of the specified AMI, such as launch permissions or description.
ModifyInstanceAttribute	Modifies the specified attribute of the specified EC2 instance, such as instance type or user data.
ModifySecurityGroupRules	Modifies the rules of a security group.
ModifySnapshotAttribute	Adds or removes permission settings for the specified EBS snapshot, such as sharing it with other accounts.
ReplaceIamInstanceProfile	Replaces the IAM instance profile associated with the specified EC2 instance.
ReplaceRoute	Replaces an existing route within a route table in a VPC.
ReplaceRouteTableAssociation	Changes the route table associated with a given subnet, internet gateway, or virtual private gateway in a VPC.
RevokeSecurityGroupEgress	Removes outbound rules from a security group.
RevokeSecurityGroupIngress	Removes inbound rules from a security group.
StartInstances	Starts one or more stopped EC2 instances, transitioning them to the running state.
StopInstances	Stops one or more running EC2 instances, transitioning them to the stopped state.

_catch_all: AWS-ec2 (catch-all)

Service: AWS-ec2

Description

Catch-all entry for AWS-ec2 rules that match the service but not a specific eventName.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

AssociateIamInstanceProfile

Service: AWS-ec2

Description

Associates an IAM instance profile with a running or stopped EC2 instance.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

Elastic #

AWS EC2 Instance Profile Associated with Running Instance source high: Identifies when an IAM instance profile is associated with a running EC2 instance or replaces the existing association. These APIs change which role credentials the instance obtains via the instance metadata service without terminating the instance. Attackers who can call AssociateIamInstanceProfile or ReplaceIamInstanceProfile may attach a more privileged role to a workload they control, enabling privilege escalation or lateral movement from the instance.↳ also matches ReplaceIamInstanceProfile

AuthorizeSecurityGroupEgress

Service: AWS-ec2

Description

Adds outbound rules to a security group to allow traffic to the specified destination.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`ModifyInstanceAttribute`	1 rule	elastic
`aws::eventName`	eq	`AuthorizeSecurityGroupIngress`	1 rule	sigma
`aws::eventSource`	eq	`ec2.amazonaws.com`	1 rule	panther, sigma, splunk

Detection Rules #

View all rules referencing this event →

Sigma #

Ingress/Egress Security Group Modification source medium: Detects when an account makes changes to the ingress or egress rules of a security group. This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server.↳ also matches AuthorizeSecurityGroupIngress, RevokeSecurityGroupEgress, RevokeSecurityGroupIngress

Elastic #

AWS EC2 Security Group Configuration Change source low: Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.↳ also matches AuthorizeSecurityGroupIngress, CreateSecurityGroup, ModifyInstanceAttribute, ModifySecurityGroupRules, RevokeSecurityGroupEgress, RevokeSecurityGroupIngress

AuthorizeSecurityGroupIngress

Service: AWS-ec2

Description

Adds inbound rules to a security group to allow traffic from the specified source.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`ec2.amazonaws.com`	2 rules	elastic
`aws::eventName`	eq	`AuthorizeSecurityGroupIngress`	2 rules	sigma
`aws::eventSource`	eq	`ec2.amazonaws.com`	2 rules	panther, sigma, splunk
`EventType`	eq	`ModifyInstanceAttribute`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Sigma #

Ingress Port 22 Opened source medium: Ingress port 22 was opened in a security group for an EC2 instance. This is a common tactic used by attackers to establish access into the environment via SSH for a variety of reasons (exfil, etc...).
Ingress/Egress Security Group Modification source medium: Detects when an account makes changes to the ingress or egress rules of a security group. This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server.↳ also matches AuthorizeSecurityGroupEgress, RevokeSecurityGroupEgress, RevokeSecurityGroupIngress

Elastic #

Insecure AWS EC2 VPC Security Group Ingress Rule Added source medium: Identifies when a specified inbound (ingress) rule is added or adjusted for a VPC security group in AWS EC2. This rule detects when a security group rule is added that allows traffic from any IP address or from a specific IP address to common remote access ports, such as 22 (SSH) or 3389 (RDP). Adversaries may add these rules to allow remote access to VPC instances from any location, increasing the attack surface and potentially exposing the instances to unauthorized access.
AWS EC2 Security Group Configuration Change source low: Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.↳ also matches AuthorizeSecurityGroupEgress, CreateSecurityGroup, ModifyInstanceAttribute, ModifySecurityGroupRules, RevokeSecurityGroupEgress, RevokeSecurityGroupIngress

YARA-L #

AWS Security Group Open To The World source: Detect when an AWS security group is opened to the world (0.0.0.0/0) or (::/0)

CreateInstanceExportTask

Service: AWS-ec2

Description

Exports a running or stopped EC2 instance to an Amazon S3 bucket in OVA, VHD, or VMDK format.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

Sigma #

AWS EC2 VM Export Failure source low: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.

Elastic #

AWS EC2 Export Task source medium: Identifies successful export tasks of EC2 instances via the APIs CreateInstanceExportTask, ExportImage, or CreateStoreImageTask. These exports can be used by administrators for legitimate VM migration or backup workflows however, an attacker with access to an EC2 instance or AWS credentials can export a VM or its image and then transfer it off-account for exfiltration of data.↳ also matches CreateStoreImageTask, ExportImage

CreateKeyPair

Service: AWS-ec2

Description

Creates an ED25519 or 2048-bit RSA key pair and stores the public key in EC2, returning the private key material.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`source.as.organization.name`	is_not_null		1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

AWS EC2 CreateKeyPair by New Principal from Non-Cloud AS Organization source medium: Identifies the first time a given IAM principal successfully creates an EC2 key pair when the request is sourced from a network whose autonomous system organization is not attributed to common cloud or hyperscaler providers in your GeoIP data. Adversaries may call CreateKeyPair to stage SSH access material before launching or accessing instances. A new terms baseline on user_identity.arn suppresses repeated noise from the same principal while still surfacing the initial suspicious creation from an unusual egress label.

CreateNetworkAcl

Service: AWS-ec2

Description

Creates a new network ACL in the specified VPC.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

Elastic #

AWS EC2 Network Access Control List Creation source low: Identifies the creation of an AWS EC2 network access control list (ACL) or an entry in a network ACL with a specified rule number. Adversaries may exploit ACLs to establish persistence or exfiltrate data by creating permissive rules.↳ also matches CreateNetworkAclEntry

CreateNetworkAclEntry

Service: AWS-ec2

Description

Creates an entry (rule) in a network ACL with the specified rule number, protocol, and traffic action.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`aws::eventName`	eq	`CreateNetworkAclEntry`	1 rule	sigma, splunk
`aws::eventSource`	eq	`ec2.amazonaws.com`	1 rule	panther, sigma, splunk

Detection Rules #

View all rules referencing this event →

Sigma #

New Network ACL Entry Added source low: Detects that network ACL entries have been added to a route table which could indicate that new attack vectors have been opened up in the AWS account.

Elastic #

AWS EC2 Network Access Control List Creation source low: Identifies the creation of an AWS EC2 network access control list (ACL) or an entry in a network ACL with a specified rule number. Adversaries may exploit ACLs to establish persistence or exfiltrate data by creating permissive rules.↳ also matches CreateNetworkAcl

CreateRoute

Service: AWS-ec2

Description

Creates a route in a route table within a VPC, specifying the destination CIDR and target.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`aws::eventSource`	eq	`ec2.amazonaws.com`	1 rule	panther, sigma, splunk

Detection Rules #

View all rules referencing this event →

Sigma #

New Network Route Added source medium: Detects the addition of a new network route to a route table in AWS.

Elastic #

AWS EC2 Route Table Created source low: Identifies when an EC2 Route Table has been created. Route tables can be used by attackers to disrupt network traffic, reroute communications, or maintain persistence in a compromised environment. This is a New Terms rule that detects the first instance of this behavior by a user or role.↳ also matches CreateRouteTable

CreateRouteTable

Service: AWS-ec2

Description

Creates a route table for the specified VPC.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

Elastic #

AWS EC2 Route Table Created source low: Identifies when an EC2 Route Table has been created. Route tables can be used by attackers to disrupt network traffic, reroute communications, or maintain persistence in a compromised environment. This is a New Terms rule that detects the first instance of this behavior by a user or role.↳ also matches CreateRoute

CreateSecurityGroup

Service: AWS-ec2

Description

Creates a security group in a specified VPC or for EC2-Classic.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`ModifyInstanceAttribute`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

AWS EC2 Security Group Configuration Change source low: Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.↳ also matches AuthorizeSecurityGroupEgress, AuthorizeSecurityGroupIngress, ModifyInstanceAttribute, ModifySecurityGroupRules, RevokeSecurityGroupEgress, RevokeSecurityGroupIngress

CreateStoreImageTask

Service: AWS-ec2

Description

Stores an Amazon Machine Image (AMI) as a single object in an Amazon S3 bucket.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

Elastic #

AWS EC2 Export Task source medium: Identifies successful export tasks of EC2 instances via the APIs CreateInstanceExportTask, ExportImage, or CreateStoreImageTask. These exports can be used by administrators for legitimate VM migration or backup workflows however, an attacker with access to an EC2 instance or AWS credentials can export a VM or its image and then transfer it off-account for exfiltration of data.↳ also matches CreateInstanceExportTask, ExportImage

CreateTrafficMirrorSession

Service: AWS-ec2

Description

Creates a traffic mirror session that copies network traffic from a source network interface to a target.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

Elastic #

AWS EC2 Full Network Packet Capture Detected source medium: Detects successful creation of an Amazon EC2 Traffic Mirroring session. A session copies full packets from a source Elastic Network Interface (ENI) to a mirror target (e.g., an ENI or NLB) using a mirror filter (ingress/egress rules). While used for diagnostics and NDR/IDS tooling, adversaries can abuse sessions to covertly capture and exfiltrate sensitive, potentially unencrypted, traffic from instances or subnets.

DeleteFlowLogs

Service: AWS-ec2

Description

Deletes one or more VPC flow logs.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`ec2.amazonaws.com`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

AWS VPC Flow Logs Deletion source high: Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses.

YARA-L #

AWS Delete VPC Flow Logs source: Detects when AWS VPC FLow Logs are deleted.

DeleteNetworkAcl

Service: AWS-ec2

Description

Deletes the specified network ACL, which must not be associated with any subnets.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`ec2.amazonaws.com`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

AWS EC2 Network Access Control List Deletion source medium: Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries.↳ also matches DeleteNetworkAclEntry

DeleteNetworkAclEntry

Service: AWS-ec2

Description

Deletes the specified ingress or egress entry (rule) from the specified network ACL.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`ec2.amazonaws.com`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

AWS EC2 Network Access Control List Deletion source medium: Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries.↳ also matches DeleteNetworkAcl

DeleteRoute

Service: AWS-ec2

Description

Deletes the specified route from the specified route table.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

Elastic #

AWS EC2 Route Table Modified or Deleted source low: Identifies AWS CloudTrail events where an EC2 route table or association has been modified or deleted. Route table or association modifications can be used by attackers to disrupt network traffic, reroute communications, or maintain persistence in a compromised environment. This is a New Terms rule that detects the first instance of this behavior by a user or role.↳ also matches DeleteRouteTable, DisassociateRouteTable, ReplaceRoute, ReplaceRouteTableAssociation

DeleteRouteTable

Service: AWS-ec2

Description

Deletes the specified route table, which must not be associated with any subnet.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

Elastic #

AWS EC2 Route Table Modified or Deleted source low: Identifies AWS CloudTrail events where an EC2 route table or association has been modified or deleted. Route table or association modifications can be used by attackers to disrupt network traffic, reroute communications, or maintain persistence in a compromised environment. This is a New Terms rule that detects the first instance of this behavior by a user or role.↳ also matches DeleteRoute, DisassociateRouteTable, ReplaceRoute, ReplaceRouteTableAssociation

DescribeCarrierGateways

Service: AWS-ec2

Description

Describes one or more carrier gateways associated with a VPC.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

DescribeClientVpnRoutes

Service: AWS-ec2

Description

Describes the routes for a specified Client VPN endpoint.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

DescribeDhcpOptions

Service: AWS-ec2

Description

Describes one or more DHCP options sets in the account.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

DescribeImages

Service: AWS-ec2

Description

Describes one or more Amazon Machine Images (AMIs) available to the account.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`ec2.amazonaws.com`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

AWS EC2 Deprecated AMI Discovery source low: Identifies when a user has queried for deprecated Amazon Machine Images (AMIs) in AWS. This may indicate an adversary looking for outdated AMIs that may be vulnerable to exploitation. While deprecated AMIs are not inherently malicious or indicative of a breach, they may be more susceptible to vulnerabilities and should be investigated for potential security risks.

DescribeInstanceAttribute

Service: AWS-ec2

Description

Describes the specified attribute of the specified EC2 instance.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

Elastic #

AWS EC2 User Data Retrieval for EC2 Instance source medium: Identifies discovery request DescribeInstanceAttribute with the attribute userData and instanceId in AWS CloudTrail logs. This may indicate an attempt to retrieve user data from an EC2 instance. Adversaries may use this information to gather sensitive data from the instance such as hardcoded credentials or to identify potential vulnerabilities. This is a New Terms rule that identifies the first time an IAM user or role requests the user data for a specific EC2 instance.

DescribeInstances

Service: AWS-ec2

Description

Returns detailed information about one or more EC2 instances, including their state, type, network interfaces, and associated metadata.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Esql.cloud_region_count_distinct`	ge	`10`	1 rule	elastic
`Esql.event_count`	ge	`10`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

AWS EC2 Multi-Region DescribeInstances API Calls source low: Identifies when a single AWS resource is making DescribeInstances API calls in more than 10 regions within a 30-second window. This could indicate a potential threat actor attempting to discover the AWS infrastructure across multiple regions using compromised credentials or a compromised instance. Adversaries may use this information to identify potential targets for further exploitation or to gain a better understanding of the target's infrastructure.

DescribeRegions

Service: AWS-ec2

Description

Returns the AWS regions that are enabled for the caller's account, or all regions that are available to EC2.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

DescribeSecurityGroups

Service: AWS-ec2

Description

Returns information about one or more EC2 security groups, including their inbound and outbound rules.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

DescribeSnapshotAttribute

Service: AWS-ec2

Description

Describes the specified attribute of the specified EBS snapshot.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

DescribeSnapshotTierStatus

Service: AWS-ec2

Description

Describes the storage tier status of one or more EBS snapshots.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

DescribeTransitGatewayMulticastDomains

Service: AWS-ec2

Description

Describes one or more transit gateway multicast domains.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

DescribeVolumes

Service: AWS-ec2

Description

Describes the specified EBS volumes or all EBS volumes in the account.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

DescribeVolumesModifications

Service: AWS-ec2

Description

Describes the most recent volume modification request for the specified EBS volumes.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

DescribeVpcEndpointConnectionNotifications

Service: AWS-ec2

Description

Describes the connection notifications for VPC endpoints and VPC endpoint services.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

DescribeVpcs

Service: AWS-ec2

Description

Returns information about one or more VPCs in the account, including their CIDR blocks, state, and associated attributes.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

DisableEbsEncryptionByDefault

Service: AWS-ec2

Description

Disables default EBS encryption for EBS volumes created in the current account and Region.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`aws::eventName`	eq	`DisableEbsEncryptionByDefault`	1 rule	panther, sigma
`aws::eventSource`	eq	`ec2.amazonaws.com`	1 rule	panther, sigma, splunk

Detection Rules #

View all rules referencing this event →

Sigma #

AWS EC2 Disable EBS Encryption source medium: Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes.

Elastic #

AWS EC2 Encryption Disabled source medium: Detects when Amazon Elastic Block Store (EBS) encryption by default is disabled in an AWS region. EBS encryption ensures that newly created volumes and snapshots are automatically protected with AWS Key Management Service (KMS) keys. Disabling this setting introduces significant risk as all future volumes created in that region will be unencrypted by default, potentially exposing sensitive data at rest. Adversaries may disable encryption to weaken data protection before exfiltrating or tampering with EBS volumes or snapshots. This may be a step in preparation for data theft or ransomware-style attacks that depend on unencrypted volumes.

DisassociateRouteTable

Service: AWS-ec2

Description

Disassociates a subnet or gateway from a route table.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

Elastic #

AWS EC2 Route Table Modified or Deleted source low: Identifies AWS CloudTrail events where an EC2 route table or association has been modified or deleted. Route table or association modifications can be used by attackers to disrupt network traffic, reroute communications, or maintain persistence in a compromised environment. This is a New Terms rule that detects the first instance of this behavior by a user or role.↳ also matches DeleteRoute, DeleteRouteTable, ReplaceRoute, ReplaceRouteTableAssociation

EnableSerialConsoleAccess

Service: AWS-ec2

Description

Enables access to the EC2 serial console for EC2 instances in the current account and Region.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`ec2.amazonaws.com`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

AWS EC2 Serial Console Access Enabled source high: Detects when EC2 Serial Console Access is enabled for an AWS account. The EC2 Serial Console provides direct, text-based access to an instance's serial port, bypassing the network layer entirely. While useful for troubleshooting boot issues or network misconfigurations, enabling serial console access in production environments is rare and potentially dangerous. Adversaries may enable this feature to establish an out-of-band communication channel that evades network-based security monitoring, firewalls, and VPC controls. This access method can be used for persistent backdoor access or to interact with compromised instances without triggering network-based detection mechanisms.

ExportImage

Service: AWS-ec2

Description

Exports an Amazon Machine Image (AMI) to an Amazon S3 bucket.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

Elastic #

AWS EC2 Export Task source medium: Identifies successful export tasks of EC2 instances via the APIs CreateInstanceExportTask, ExportImage, or CreateStoreImageTask. These exports can be used by administrators for legitimate VM migration or backup workflows however, an attacker with access to an EC2 instance or AWS credentials can export a VM or its image and then transfer it off-account for exfiltration of data.↳ also matches CreateInstanceExportTask, CreateStoreImageTask

GetBucketReplication

Service: AWS-ec2

Description

Retrieves the replication configuration of the specified Amazon S3 bucket via an EC2 VPC endpoint.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

GetEbsDefaultKmsKeyId

Service: AWS-ec2

Description

Retrieves the default KMS key ID used for EBS encryption in the current Region.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

GetEbsEncryptionByDefault

Service: AWS-ec2

Description

Retrieves the default EBS encryption setting for the current account and Region.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

GetPasswordData

Service: AWS-ec2

Description

Retrieves the encrypted administrator password for a Windows instance.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`aws::eventName`	eq	`GetPasswordData`	2 rules	panther, sigma, splunk
`aws::eventSource`	eq	`ec2.amazonaws.com`	2 rules	panther, sigma, splunk
`Provider_Name`	eq	`ec2.amazonaws.com`	1 rule	elastic
`aws::errorCode`	eq	`Client.UnauthorizedOperation`	1 rule	elastic, kusto, sigma
`aws::userIdentity.type`	eq	`AssumedRole`	1 rule	elastic, kusto, panther, sigma

Detection Rules #

View all rules referencing this event →

Sigma #

EC2 Password Data Retrieved source low: Detects retrieval or attempted retrieval of EC2 password data, which may indicate an attacker gaining access to an instance's password.

Elastic #

AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role source medium: Identifies the first occurrence of an unauthorized attempt by an AWS role to use GetPassword to access the administrator password of an EC2 instance. Adversaries may use this API call to escalate privileges or move laterally within EC2 instances.

Splunk #

AWS Credential Access GetPasswordData source: The following analytic identifies more than 10 GetPasswordData API calls within a 5-minute window in your AWS account. It leverages AWS CloudTrail logs to detect this activity by counting the distinct instance IDs accessed. This behavior…

YARA-L #

AWS EC2 Get Windows Admin Password source: Detects a successful attempt to retrieve the encrypted Administrator password for a Windows EC2 instance.

GetTransitGatewayRouteTableAssociations

Service: AWS-ec2

Description

Gets information about the route table associations for the specified transit gateway route table.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

ImportKeyPair

Service: AWS-ec2

Description

Imports the public key from an RSA or ED25519 key pair that you created with a third-party tool.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

Sigma #

AWS Key Pair Import Activity source medium: Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations.

ModifyImageAttribute

Service: AWS-ec2

Description

Modifies the specified attribute of the specified AMI, such as launch permissions or description.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`aws::requestParameters`	contains	`add=`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

AWS EC2 AMI Shared with Another Account source medium: Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an AMI with an external AWS account as a means of data exfiltration. AMIs can contain secrets, bash histories, code artifacts, and other sensitive data that adversaries may abuse if shared with unauthorized accounts. AMIs can be made publicly available accidentally as well.

YARA-L #

AWS EC2 AMI Or Snapshot Shared Publicly source: Detects when an Amazon EC2 AMI or Snapshot is shared publicly.↳ also matches ModifySnapshotAttribute

ModifyInstanceAttribute

Service: AWS-ec2

Description

Modifies the specified attribute of the specified EC2 instance, such as instance type or user data.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`ModifyInstanceAttribute`	2 rules	elastic
`Provider_Name`	eq	`ec2.amazonaws.com`	2 rules	elastic
`aws::eventName`	eq	`ModifyInstanceAttribute`	1 rule	panther, sigma
`aws::userIdentity.type`	ne	`AWSService`	1 rule	elastic, panther
`requestParameters.attribute`	eq	`userData`	1 rule	panther, sigma

Detection Rules #

View all rules referencing this event →

Sigma #

AWS EC2 Startup Shell Script Change source high: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.

Elastic #

AWS EC2 Stop, Start, and User Data Modification Correlation source high: Identifies a short sequence of EC2 management APIs against the same instance that is consistent with modifying instance user data and forcing it to run on the next boot: ModifyInstanceAttribute with user data, followed by stop and start. Adversaries may update userData and cycle instance state so malicious scripts execute as root on Linux or as the system context on Windows. This rule correlates successful StopInstances, StartInstances, and ModifyInstanceAttribute events that reference userData within a five-minute window, grouped by instance, user.name, account, source IP, and user agent. A hit requires exactly three distinct API names in that bucket.↳ also matches StartInstances, StopInstances
AWS EC2 Security Group Configuration Change source low: Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.↳ also matches AuthorizeSecurityGroupEgress, AuthorizeSecurityGroupIngress, CreateSecurityGroup, ModifySecurityGroupRules, RevokeSecurityGroupEgress, RevokeSecurityGroupIngress

YARA-L #

AWS EC2 User Data Modified source: Detect modifications to user data script on an EC2 instance.

ModifySecurityGroupRules

Service: AWS-ec2

Description

Modifies the rules of a security group.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`ModifyInstanceAttribute`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

AWS EC2 Security Group Configuration Change source low: Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.↳ also matches AuthorizeSecurityGroupEgress, AuthorizeSecurityGroupIngress, CreateSecurityGroup, ModifyInstanceAttribute, RevokeSecurityGroupEgress, RevokeSecurityGroupIngress

ModifySnapshotAttribute

Service: AWS-ec2

Description

Adds or removes permission settings for the specified EBS snapshot, such as sharing it with other accounts.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`aws::eventName`	eq	`ModifySnapshotAttribute`	1 rule	panther, sigma, splunk

Detection Rules #

View all rules referencing this event →

Sigma #

AWS Snapshot Backup Exfiltration source medium: Detects the modification of an EC2 snapshot's permissions to enable access from another account

YARA-L #

AWS EC2 AMI Or Snapshot Shared Publicly source: Detects when an Amazon EC2 AMI or Snapshot is shared publicly.↳ also matches ModifyImageAttribute

ReplaceIamInstanceProfile

Service: AWS-ec2

Description

Replaces the IAM instance profile associated with the specified EC2 instance.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

Elastic #

AWS EC2 Instance Profile Associated with Running Instance source high: Identifies when an IAM instance profile is associated with a running EC2 instance or replaces the existing association. These APIs change which role credentials the instance obtains via the instance metadata service without terminating the instance. Attackers who can call AssociateIamInstanceProfile or ReplaceIamInstanceProfile may attach a more privileged role to a workload they control, enabling privilege escalation or lateral movement from the instance.↳ also matches AssociateIamInstanceProfile

ReplaceRoute

Service: AWS-ec2

Description

Replaces an existing route within a route table in a VPC.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

Elastic #

AWS EC2 Route Table Modified or Deleted source low: Identifies AWS CloudTrail events where an EC2 route table or association has been modified or deleted. Route table or association modifications can be used by attackers to disrupt network traffic, reroute communications, or maintain persistence in a compromised environment. This is a New Terms rule that detects the first instance of this behavior by a user or role.↳ also matches DeleteRoute, DeleteRouteTable, DisassociateRouteTable, ReplaceRouteTableAssociation

ReplaceRouteTableAssociation

Service: AWS-ec2

Description

Changes the route table associated with a given subnet, internet gateway, or virtual private gateway in a VPC.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

Elastic #

AWS EC2 Route Table Modified or Deleted source low: Identifies AWS CloudTrail events where an EC2 route table or association has been modified or deleted. Route table or association modifications can be used by attackers to disrupt network traffic, reroute communications, or maintain persistence in a compromised environment. This is a New Terms rule that detects the first instance of this behavior by a user or role.↳ also matches DeleteRoute, DeleteRouteTable, DisassociateRouteTable, ReplaceRoute

RevokeSecurityGroupEgress

Service: AWS-ec2

Description

Removes outbound rules from a security group.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`ModifyInstanceAttribute`	1 rule	elastic
`aws::eventName`	eq	`AuthorizeSecurityGroupIngress`	1 rule	sigma
`aws::eventSource`	eq	`ec2.amazonaws.com`	1 rule	panther, sigma, splunk

Detection Rules #

View all rules referencing this event →

Sigma #

Ingress/Egress Security Group Modification source medium: Detects when an account makes changes to the ingress or egress rules of a security group. This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server.↳ also matches AuthorizeSecurityGroupEgress, AuthorizeSecurityGroupIngress, RevokeSecurityGroupIngress

Elastic #

AWS EC2 Security Group Configuration Change source low: Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.↳ also matches AuthorizeSecurityGroupEgress, AuthorizeSecurityGroupIngress, CreateSecurityGroup, ModifyInstanceAttribute, ModifySecurityGroupRules, RevokeSecurityGroupIngress

RevokeSecurityGroupIngress

Service: AWS-ec2

Description

Removes inbound rules from a security group.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`aws::eventName`	eq	`AuthorizeSecurityGroupIngress`	1 rule	sigma
`aws::eventSource`	eq	`ec2.amazonaws.com`	1 rule	panther, sigma, splunk

Detection Rules #

View all rules referencing this event →

Sigma #

Ingress/Egress Security Group Modification source medium: Detects when an account makes changes to the ingress or egress rules of a security group. This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server.↳ also matches AuthorizeSecurityGroupEgress, AuthorizeSecurityGroupIngress, RevokeSecurityGroupEgress

Elastic #

AWS EC2 Security Group Configuration Change source low: Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.↳ also matches AuthorizeSecurityGroupEgress, AuthorizeSecurityGroupIngress, CreateSecurityGroup, ModifyInstanceAttribute, ModifySecurityGroupRules, RevokeSecurityGroupEgress

StartInstances

Service: AWS-ec2

Description

Starts one or more stopped EC2 instances, transitioning them to the running state.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`ModifyInstanceAttribute`	1 rule	elastic
`aws::userIdentity.type`	ne	`AWSService`	1 rule	elastic, panther

Detection Rules #

View all rules referencing this event →

Elastic #

AWS EC2 Stop, Start, and User Data Modification Correlation source high: Identifies a short sequence of EC2 management APIs against the same instance that is consistent with modifying instance user data and forcing it to run on the next boot: ModifyInstanceAttribute with user data, followed by stop and start. Adversaries may update userData and cycle instance state so malicious scripts execute as root on Linux or as the system context on Windows. This rule correlates successful StopInstances, StartInstances, and ModifyInstanceAttribute events that reference userData within a five-minute window, grouped by instance, user.name, account, source IP, and user agent. A hit requires exactly three distinct API names in that bucket.↳ also matches ModifyInstanceAttribute, StopInstances

StopInstances

Service: AWS-ec2

Description

Stops one or more running EC2 instances, transitioning them to the stopped state.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`ModifyInstanceAttribute`	1 rule	elastic
`aws::userIdentity.type`	ne	`AWSService`	1 rule	elastic, panther

Detection Rules #

View all rules referencing this event →

Elastic #

AWS EC2 Stop, Start, and User Data Modification Correlation source high: Identifies a short sequence of EC2 management APIs against the same instance that is consistent with modifying instance user data and forcing it to run on the next boot: ModifyInstanceAttribute with user data, followed by stop and start. Adversaries may update userData and cycle instance state so malicious scripts execute as root on Linux or as the system context on Windows. This rule correlates successful StopInstances, StartInstances, and ModifyInstanceAttribute events that reference userData within a five-minute window, grouped by instance, user.name, account, source IP, and user agent. A hit requires exactly three distinct API names in that bucket.↳ also matches ModifyInstanceAttribute, StartInstances

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)