Detection focuses on identifying unauthorized or anomalous changes to compute infrastructure components. Defender perspective: monitor for creation, deletion, or modification of instances, volumes, and snapshots outside of approved change management windows; correlate abnormal activity such as rapid snapshot creation followed by new instance mounts, or repeated infrastructure changes by rarely used accounts. Activity linked to an unusual geolocation, API client, or automation script should be flagged as suspicious.

| Data Component | Name | Channel |
|---|---|---|
| Instance Start (DC0080) | AWS:CloudTrail | RunInstances |
| Instance Stop (DC0089) | AWS:CloudTrail | TerminateInstances |
| Volume Modification (DC0092) | AWS:CloudTrail | ModifyVolume |
| Volume Deletion (DC0098) | AWS:CloudTrail | DeleteVolume, ModifyVolume |
| Volume Creation (DC0097) | AWS:CloudTrail | CreateVolume |
| Snapshot Creation (DC0057) | AWS:CloudTrail | CreateSnapshot |
| Snapshot Deletion (DC0049) | AWS:CloudTrail | DeleteSnapshot |
| Snapshot Modification (DC0058) | AWS:CloudTrail | ModifySnapshotAttribute |
| Cloud Service Metadata (DC0070) | AWS:CloudWatch | unexpected IAM user or role assuming privileges for instance/snapshot operations |

| Field | Description |
|---|---|
| ChangeWindow | Approved maintenance or deployment windows. Helps reduce false positives by distinguishing scheduled activity. |
| UserContext | IAM user, role, or service account performing the operation. Tunable to allowlist known automation services. |
| RateThreshold | Number of infrastructure changes (e.g., snapshot creations) in a defined period. Adjusted based on workload scale. |
| GeoLocation | Region or source IP where changes originate. Useful for tuning alerts to account for multi-region deployments. |
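The following is an added example, not part of the ATT&CK page, showing how the detection logic described above and the four tunables in the table (ChangeWindow, UserContext, RateThreshold, GeoLocation) could be applied to CloudTrail-shaped records. Event names (`RunInstances`, `CreateSnapshot`, `DeleteVolume`) and record fields (`eventName`, `eventTime`, `awsRegion`, `userIdentity.arn`) follow the CloudTrail schema; the threshold values, the allowlisted role ARN, the account id and the sample events are constructed for illustration. It also implements the correlation the prose calls out, a burst of `CreateSnapshot` calls followed shortly by `RunInstances` from the same principal.

```python
"""Tunable detector for anomalous cloud compute infrastructure changes.

Added example; the tunable values and the sample events below are constructed,
not taken from any real environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# --- Tunables (assumed values for this example) -----------------------------
CHANGE_WINDOW_UTC = (2, 4)      # ChangeWindow: approved hours [02:00, 04:00) UTC
KNOWN_AUTOMATION = {            # UserContext: allowlisted automation principals
    "arn:aws:iam::123456789012:role/backup-automation",
}
RATE_THRESHOLD = 3              # RateThreshold: CreateSnapshot calls per RATE_WINDOW
RATE_WINDOW = timedelta(minutes=10)
EXPECTED_REGIONS = {"us-east-1", "eu-west-1"}   # GeoLocation: regions in use
CORRELATION_GAP = timedelta(minutes=15)          # snapshot -> RunInstances window

# CloudTrail event names from the data-component table above
INFRA_EVENTS = {
    "RunInstances", "TerminateInstances", "CreateVolume", "DeleteVolume",
    "ModifyVolume", "CreateSnapshot", "DeleteSnapshot", "ModifySnapshotAttribute",
}


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC, e.g. 2024-01-01T03:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def principal(event):
    """ARN of the IAM user or assumed role that made the API call."""
    return event.get("userIdentity", {}).get("arn", "unknown")


def evaluate(events):
    """Return a list of (eventID, reason) findings, in event-time order."""
    findings = []
    snapshot_times = defaultdict(list)  # principal -> recent CreateSnapshot times
    for e in sorted(events, key=lambda ev: parse_time(ev["eventTime"])):
        name = e["eventName"]
        if name not in INFRA_EVENTS:
            continue
        t, who = parse_time(e["eventTime"]), principal(e)
        if who in KNOWN_AUTOMATION:          # UserContext allowlist
            continue
        if not (CHANGE_WINDOW_UTC[0] <= t.hour < CHANGE_WINDOW_UTC[1]):
            findings.append((e["eventID"], f"{name} by {who} outside change window"))
        if e.get("awsRegion") not in EXPECTED_REGIONS:
            findings.append((e["eventID"], f"{name} by {who} from unexpected region {e.get('awsRegion')}"))
        if name == "CreateSnapshot":
            recent = [x for x in snapshot_times[who] if t - x <= RATE_WINDOW] + [t]
            snapshot_times[who] = recent
            if len(recent) >= RATE_THRESHOLD:
                findings.append((e["eventID"], f"snapshot rate threshold exceeded by {who}"))
        if name == "RunInstances":
            if any(t - x <= CORRELATION_GAP for x in snapshot_times[who]):
                findings.append((e["eventID"], f"RunInstances shortly after snapshot burst by {who}"))
    return findings


def _ev(eid, name, ts, arn, region="us-east-1"):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventID": eid, "eventName": name, "eventTime": ts,
            "awsRegion": region, "userIdentity": {"arn": arn}}


ALICE = "arn:aws:iam::123456789012:user/alice"
BACKUP = "arn:aws:iam::123456789012:role/backup-automation"

# Constructed sample events: allowlisted backups, a snapshot burst by a user
# followed by an instance launch in an unused region, and an off-hours delete.
SAMPLE_EVENTS = [
    _ev("evt-1", "CreateSnapshot", "2024-01-01T02:10:00Z", BACKUP),
    _ev("evt-2", "CreateSnapshot", "2024-01-01T03:00:00Z", ALICE),
    _ev("evt-3", "CreateSnapshot", "2024-01-01T03:02:00Z", ALICE),
    _ev("evt-4", "CreateSnapshot", "2024-01-01T03:04:00Z", ALICE),
    _ev("evt-5", "RunInstances", "2024-01-01T03:10:00Z", ALICE, "ap-southeast-2"),
    _ev("evt-6", "DeleteVolume", "2024-01-01T14:30:00Z", ALICE),
    _ev("evt-7", "TerminateInstances", "2024-01-01T14:00:00Z", BACKUP),
    _ev("evt-8", "ConsoleLogin", "2024-01-01T13:55:00Z", ALICE),
]

if __name__ == "__main__":
    for event_id, reason in evaluate(SAMPLE_EVENTS):
        print(event_id, reason)
```

Each tunable maps to one check, so operators can loosen a single dimension (widen the change window, allowlist a new deployment role, raise the snapshot rate for a busy account) without weakening the others; the correlation check is keyed on the calling principal so that a burst by one account and a launch by another are not conflated.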