Detects creation of cloud instances, services, or resources in regions the organization does not normally use or support, especially when the provisioning follows initial account access or credential use from a known region. The analytic correlates resource provisioning in such a region with the absence of any historical usage there and with the absence of alerting from standard monitoring services (e.g., GuardDuty not enabled in that region).
| Data Component | Name | Channel |
|---|---|---|
| Instance Start (DC0080) | CloudTrail:RunInstances | RunInstances |
| Cloud Storage Creation (DC0024) | AWS:CloudTrail | CreateBucket |
| User Account Metadata (DC0013) | CloudTrail:GetCallerIdentity | GetCallerIdentity |
| Network Connection Creation (DC0082) | AWS:VPCFlowLogs | High outbound traffic from new region resource |

| Field | Description |
|---|---|
| UnusedRegionList | List of regions historically unused by the organization (can vary per tenant/project) |
| TimeWindow | Time interval for correlating activity following account access |
| AllowedServiceList | Whitelist of services allowed in secondary/DR regions |
| OutboundTrafficThreshold | Volume threshold to flag suspicious outbound activity |
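The correlation logic described above, as an added example that is not part of the original detection strategy or any MITRE tooling: it walks CloudTrail-style records in time order, remembers each principal's last call from a known region, and raises an alert when the same principal provisions a resource (RunInstances or CreateBucket) in a region from UnusedRegionList within TimeWindow, skipping services on AllowedServiceList. Severity is raised once for the time correlation and once more when the region is not covered by GuardDuty. A second function applies OutboundTrafficThreshold to VPC Flow Log-style egress summaries from the same regions. The sample events, flow records, region lists, account id and the `GUARDDUTY_ENABLED_REGIONS` set are all constructed values for the example; the severity scale is the example's own choice.

```python
from datetime import datetime, timedelta

# Constructed CloudTrail-style records (field names follow CloudTrail's schema; the
# account id and principals are made-up sample values, not real data).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "GetCallerIdentity",
     "eventSource": "sts.amazonaws.com", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-01T10:20:00Z", "eventName": "RunInstances",
     "eventSource": "ec2.amazonaws.com", "awsRegion": "sa-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-01T10:30:00Z", "eventName": "CreateBucket",
     "eventSource": "s3.amazonaws.com", "awsRegion": "eu-north-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventName": "RunInstances",
     "eventSource": "ec2.amazonaws.com", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventTime": "2024-05-02T09:00:00Z", "eventName": "RunInstances",
     "eventSource": "ec2.amazonaws.com", "awsRegion": "ap-south-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
]

# Tunable fields from the table above, filled with constructed values.
UNUSED_REGION_LIST = {"sa-east-1", "eu-north-1", "ap-south-1"}
TIME_WINDOW = timedelta(hours=2)
ALLOWED_SERVICE_LIST = {"s3.amazonaws.com"}   # e.g. replicated backup buckets in a DR region
OUTBOUND_TRAFFIC_THRESHOLD = 500_000_000      # bytes
# Assumption for the example: regions where GuardDuty is enabled; provisioning
# elsewhere produces no GuardDuty finding, which raises severity.
GUARDDUTY_ENABLED_REGIONS = {"us-east-1", "us-west-2"}

# CloudTrail event names treated as resource provisioning (the two named on the page).
PROVISIONING_EVENTS = {"RunInstances", "CreateBucket"}


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_unused_region_provisioning(events, unused_regions=UNUSED_REGION_LIST,
                                      time_window=TIME_WINDOW,
                                      allowed_services=ALLOWED_SERVICE_LIST,
                                      guardduty_regions=GUARDDUTY_ENABLED_REGIONS):
    """Return one alert per provisioning call in an unused region.

    Severity rises when the call follows the same principal's activity in a known
    region within time_window, and again when GuardDuty is not enabled in the region."""
    last_known_region_activity = {}   # principal arn -> time of last call from a known region
    alerts = []
    for e in sorted(events, key=lambda ev: ev["eventTime"]):   # ISO timestamps sort as strings
        t = _parse_time(e["eventTime"])
        principal = e["userIdentity"]["arn"]
        region = e["awsRegion"]
        if region not in unused_regions:
            last_known_region_activity[principal] = t   # baseline: access from a known region
            continue
        if e["eventName"] not in PROVISIONING_EVENTS or e["eventSource"] in allowed_services:
            continue
        prior = last_known_region_activity.get(principal)
        correlated = prior is not None and t - prior <= time_window
        unmonitored = region not in guardduty_regions
        severity = ("low", "medium", "high")[int(correlated) + int(unmonitored)]
        alerts.append({"principal": principal, "region": region, "eventName": e["eventName"],
                       "eventTime": e["eventTime"],
                       "correlated_with_known_region_access": correlated,
                       "guardduty_enabled": not unmonitored, "severity": severity})
    return alerts


# Constructed VPC Flow Log-style egress summaries: (region, srcaddr, bytes) per accepted flow.
SAMPLE_FLOWS = [
    ("sa-east-1", "10.0.1.5", 400_000_000),
    ("sa-east-1", "10.0.1.5", 300_000_000),
    ("ap-south-1", "10.0.2.9", 100_000_000),
    ("us-east-1", "10.1.0.7", 900_000_000),   # known region: out of scope for this rule
]


def flag_high_outbound(flows, unused_regions=UNUSED_REGION_LIST,
                       threshold=OUTBOUND_TRAFFIC_THRESHOLD):
    """Sum egress bytes per (region, source) in unused regions; return those over threshold."""
    totals = {}
    for region, src, nbytes in flows:
        if region in unused_regions:
            totals[(region, src)] = totals.get((region, src), 0) + nbytes
    return sorted((r, s, b) for (r, s), b in totals.items() if b > threshold)


if __name__ == "__main__":
    for alert in detect_unused_region_provisioning(SAMPLE_EVENTS):
        print(alert)
    print(flag_high_outbound(SAMPLE_FLOWS))
```

On the sample data, alice's RunInstances in sa-east-1 twenty minutes after her GetCallerIdentity from us-east-1 scores high (correlated and unmonitored), her CreateBucket in eu-north-1 is suppressed by AllowedServiceList, and bob's RunInstances in ap-south-1 a day after his last known-region call scores only medium. Keeping the known-region baseline per principal rather than per account is what lets the rule distinguish a credential used from a familiar region and then from an unused one, which is the pattern the strategy targets.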