
AWS Lambda Function Created or Updated

Status: production
Kind: building block (feeds higher-level correlation rules; not a standalone alert)
Severity: low
Time window: 1h
Author: Elastic
Source: github.com/elastic/detection-rules

Identifies when an AWS Lambda function is created or updated. AWS Lambda lets you run code without provisioning or managing servers. Adversaries can create or update Lambda functions to execute malicious code, exfiltrate data, or escalate privileges. This is a building block rule that does not generate alerts, but signals when a Lambda function is created or updated that matches the rule's conditions. To generate alerts, create a rule that uses this signal as a building block.

MITRE ATT&CK coverage

Tactic      Technique
Execution   T1648 Serverless Execution

Event coverage

Provider   Event                  Title
AWS        lambda_catch_all       AWS-lambda (catch-all)

Rules detecting the same action

Other rules on this platform that filter on the same API call or operation.

Rule body (elastic)

[metadata]
bypass_bbr_timing = true
creation_date = "2024/04/20"
integration = ["aws"]
maturity = "production"
updated_date = "2024/09/01"

[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Identifies when an AWS Lambda function is created or updated. AWS Lambda lets you run code without provisioning or
managing servers. Adversaries can create or update Lambda functions to execute malicious code, exfiltrate data, or
escalate privileges. This is a [building block
rule](https://www.elastic.co/guide/en/security/current/building-block-rule.html) that does not generate alerts, but
signals when a Lambda function is created or updated that matches the rule's conditions. To generate alerts, create a
rule that uses this signal as a building block.
"""
false_positives = [
    """
    Legitimate changes to Lambda functions can trigger this signal. Ensure that the changes are authorized and align
    with your organization's policies.
    """,
]
from = "now-60m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS Lambda Function Created or Updated"
references = [
    "https://mattslifebytes.com/2023/04/14/from-rebuilds-to-reloads-hacking-aws-lambda-to-enable-instant-code-updates/",
    "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-overwrite-code/",
    "https://docs.aws.amazon.com/lambda/latest/api/API_UpdateFunctionCode.html",
]
risk_score = 21
rule_id = "1251b98a-ff45-11ee-89a1-f661ea17fbce"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS Lambda",
    "Use Case: Asset Visibility",
    "Tactic: Execution",
    "Rule Type: BBR"
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: "aws.cloudtrail"
    and event.provider: "lambda.amazonaws.com"
    and event.outcome: "success"
    and event.action: (CreateFunction* or UpdateFunctionCode*)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1648"
name = "Serverless Execution"
reference = "https://attack.mitre.org/techniques/T1648/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

Stages and Predicates

Stage 1: query

event.dataset: "aws.cloudtrail"
    and event.provider: "lambda.amazonaws.com"
    and event.outcome: "success"
    and event.action: (CreateFunction* or UpdateFunctionCode*)

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field            Kind       Values
event.action     wildcard   CreateFunction*, UpdateFunctionCode*
event.dataset    eq         aws.cloudtrail
event.outcome    eq         success
event.provider   eq         lambda.amazonaws.com
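The following is an added example, not code from Elastic or the detection-rules repository, that evaluates the four predicates above against constructed CloudTrail records. The raw-to-ECS mapping (eventSource to event.provider, eventName to event.action, errorCode presence to event.outcome) is an assumption about how the AWS integration normalizes CloudTrail; the records themselves are constructed and use the versioned eventName values CloudTrail writes for Lambda calls, which is why the rule uses prefix wildcards.

```python
import fnmatch

# Constructed CloudTrail records (not real logs); only the fields the rule reads are present.
RAW_EVENTS = [
    {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331"},
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionCode20150331v2"},
    # Denied attempt: CloudTrail sets errorCode, so event.outcome becomes "failure" and the rule skips it.
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionCode20150331v2",
     "errorCode": "AccessDenied"},
    # Configuration-only change (handler, env vars, role): outside this rule's scope by design.
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionConfiguration20150331v2"},
    # Same eventName prefix but a different service: filtered out by event.provider.
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateFunction20150331"},
]

def to_ecs(record):
    """Map raw CloudTrail fields to the ECS fields the rule queries.
    Assumption: this mirrors the field naming of the Elastic AWS CloudTrail integration."""
    return {
        "event.dataset": "aws.cloudtrail",
        "event.provider": record.get("eventSource"),
        "event.action": record.get("eventName"),
        "event.outcome": "failure" if record.get("errorCode") else "success",
    }

# The rule's predicates as (field, kind, accepted values), taken from the Indicators table.
PREDICATES = [
    ("event.dataset", "eq", ["aws.cloudtrail"]),
    ("event.provider", "eq", ["lambda.amazonaws.com"]),
    ("event.outcome", "eq", ["success"]),
    ("event.action", "wildcard", ["CreateFunction*", "UpdateFunctionCode*"]),
]

def matches(ecs_doc):
    """True when every predicate holds; KQL ANDs them, and a missing field never matches."""
    for field, kind, values in PREDICATES:
        actual = ecs_doc.get(field)
        if actual is None:
            return False
        if kind == "eq":
            ok = actual in values
        else:  # keyword wildcard: case-sensitive prefix/glob match, like KQL on a keyword field
            ok = any(fnmatch.fnmatchcase(actual, pattern) for pattern in values)
        if not ok:
            return False
    return True

def signal_actions(records):
    """Return the event.action of each record that would produce a building-block signal."""
    return [doc["event.action"] for doc in map(to_ecs, records) if matches(doc)]
```

Only the first two constructed records produce a signal; the failed call, the configuration-only update and the non-Lambda event are all dropped.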