Cloud Provisioning Activity From Previously Unseen Region
This analytic detects cloud provisioning activities originating from previously unseen regions by identifying resource creation events and cross-referencing them with a baseline of known regions, potentially indicating unauthorized access or misuse of cloud resources.
This detection identifies cloud provisioning activities originating from previously unseen regions within an AWS environment. It leverages AWS CloudTrail logs to pinpoint events where resources are started or created and compares these events against a baseline of known, trusted regions. The analytic focuses on successful resource provisioning actions. This activity is flagged as anomalous because it can signal unauthorized access, compromised credentials, or internal misuse of cloud resources from unfamiliar locations. Successfully exploiting this activity could lead to unauthorized resource creation, data exfiltration, or further compromise of the cloud infrastructure. The original Splunk detection was published in April 2026.
Attack Chain
- An attacker gains unauthorized access to a user account via compromised credentials or other means.
- The attacker logs into the AWS Management Console or utilizes AWS CLI with the compromised credentials.
- The attacker initiates a cloud provisioning action, such as creating a new EC2 instance or launching a new service, from a region not previously associated with the account.
- AWS CloudTrail logs the "started" or "created" event for the provisioned resource, including the source IP address, user, object, and command used.
- The detection logic identifies the previously unseen region based on the source IP address using GeoIP enrichment.
- An alert is triggered, indicating anomalous provisioning activity from an unfamiliar region.
- The attacker continues to deploy resources in the new region, potentially for malicious purposes such as cryptocurrency mining or hosting command and control infrastructure.
Impact
A successful attack could lead to unauthorized resource deployment, potentially resulting in significant financial costs. Data exfiltration from newly provisioned resources could expose sensitive data leading to compliance violations, legal ramifications, and reputational damage. Further, unauthorized access could allow the attacker to establish a foothold within the cloud environment, enabling lateral movement and further compromise of other resources. The impact will vary based on the compromised user's permissions and the scope of resources the attacker can provision.
Recommendation
- Enable AWS CloudTrail logging in all regions to capture cloud provisioning events.
- Run the baseline search to build the
previously_seen_cloud_provisioning_activity_sourceslookup table as described in the "How to Implement" section. - Deploy the Sigma rule
Cloud Provisioning Activity From Previously Unseen Regionto your SIEM and tune it based on your organization's baseline activity. - Investigate any alerts generated by the Sigma rule, focusing on the
src,Region,user,object, andcommandfields to understand the context of the provisioning activity. - Implement multi-factor authentication (MFA) for all user accounts to reduce the risk of credential compromise.
- Review and restrict IAM permissions to follow the principle of least privilege, limiting the resources that a compromised user can access or provision.
Detection coverage 2
Cloud Provisioning Activity From Previously Unseen Region
mediumDetects cloud provisioning activities from previously unseen regions based on AWS CloudTrail logs.
Detect CloudTrail Anomalous Region Creation Via API
mediumDetects cloud resource creation from previously unseen regions via AWS API calls.
Detection queries are available on the platform. Get full rules →