Cloud Provisioning Activity From Previously Unseen City
The analytic detects cloud provisioning activities originating from previously unseen cities based on source IP geolocation compared to a learned baseline, which may indicate unauthorized access or misuse of cloud resources leading to resource creation, data exfiltration, or further compromise.
This detection identifies cloud provisioning activities originating from geographic locations (cities) that have not been previously observed. It leverages cloud infrastructure logs, specifically AWS CloudTrail, to monitor resource creation events. The analytic compares the geolocation of the source IP address initiating the cloud provisioning activity against a dynamic baseline of known and trusted locations. The baseline is maintained via scheduled searches. This is important because provisioning from unexpected locations can indicate compromised accounts, insider threats, or malicious actors attempting to deploy resources for illicit purposes within your cloud environment. This activity was published on 2026-04-17. The default configuration uses previously_unseen_cloud_provisioning_activity_window to define the time window, and can be customized with the cloud_provisioning_activity_from_previously_unseen_city_filter macro.
Attack Chain
- An attacker gains unauthorized access to a cloud account (T1078).
- The attacker uses stolen credentials or compromised access keys to authenticate to the AWS environment.
- The attacker initiates a cloud provisioning action, such as creating a new EC2 instance, S3 bucket, or other resource using AWS CLI or the AWS Management Console.
- AWS CloudTrail logs the provisioning event, including the source IP address of the request.
- The Splunk analytic extracts the source IP address and performs a geolocation lookup to determine the originating city.
- The analytic checks if the city is present in a pre-built lookup table of previously seen cloud provisioning activity sources.
- If the city is not found in the lookup or was first seen within a defined time window, the detection triggers.
- The successful provisioning of cloud resources from an unknown location may lead to data exfiltration, deployment of malicious infrastructure, or further lateral movement within the cloud environment.
Impact
A successful attack can result in unauthorized cloud resource consumption, potentially leading to significant financial costs. Data exfiltration could compromise sensitive information, impacting business operations and compliance. The deployment of malicious infrastructure within the cloud environment could be used for launching further attacks against other targets or hosting illegal content. While the number of victims is unknown, this attack targets organizations leveraging cloud infrastructure.
Recommendation
- Enable AWS CloudTrail logging in all regions of your AWS account to capture cloud provisioning events.
- Implement and maintain the baseline searches as described in the "how_to_implement" section of the source documentation to create a lookup table of source IPs and Geolocation data.
- Deploy the Sigma rule "Cloud Provisioning From New City" to detect provisioning activity from previously unseen cities.
- Investigate any alerts generated by the detection, focusing on the user account, source IP address, and provisioned resources.
- Review and harden cloud access controls to prevent unauthorized access.
Detection coverage 2
Cloud Provisioning From New City
mediumDetects cloud provisioning activity originating from a previously unseen city based on IP geolocation.
Cloud Provisioning Successful Events
infoDetects successful cloud provisioning events.
Detection queries are available on the platform. Get full rules →