Defenders should monitor for anomalous or unauthorized changes to cloud compute configurations that alter quotas, tenant-wide policies, subscription associations, or allowed deployment regions. Suspicious behavior chains include a compute quota increase request followed shortly by new instance or resource creation, policy modifications that weaken security restrictions, or enabling (opting in to) cloud regions the organization has not previously used. Because each of these actions is also routine administrative work, a configuration change on its own is weak evidence: correlating it with the identity that made it and with the provisioning activity that follows it is what distinguishes legitimate administration from adversarial abuse.
| Data Component | Name | Channel |
|---|---|---|
| Cloud Service Modification (DC0069) | AWS:CloudTrail | RequestServiceQuotaIncrease |

| Field | Description |
|---|---|
| UserContext | Identity performing the quota or configuration change; tuned to filter known admins or automation accounts. |
| TimeWindow | Correlation period for configuration change followed by resource creation; tuned to environment norms. |
| ChangeType | Type of configuration being modified (quota, policy, region); tuned to organization-specific risk thresholds. |
| GeoLocation | Region where the configuration change originates; tuned to enterprise’s expected operational geography. |
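The behavior chain and the tunable fields above (UserContext, TimeWindow, ChangeType, GeoLocation) can be turned into a small correlation rule. The following is an added example written for this page, not ATT&CK content or any vendor's detection code. It runs over constructed CloudTrail-shaped records that carry only the fields the logic needs (`eventTime`, `eventSource`, `eventName`, `awsRegion`, `userIdentity.arn`, `requestParameters`), treats `servicequotas.amazonaws.com` / `RequestServiceQuotaIncrease` as the configuration change and `ec2.amazonaws.com` / `RunInstances` as the subsequent provisioning, and flags a principal that does both within a tunable window or provisions in a region outside an expected set. The account ID, ARNs, the automation allowlist, the expected-region set, the 60-minute window and the quota code in the sample data are all assumptions chosen for illustration.

```python
"""Correlate CloudTrail quota-increase requests with later compute provisioning.

Added example, not part of ATT&CK or any vendor product. Flags a principal that
calls RequestServiceQuotaIncrease and then RunInstances within a tunable window,
skips allow-listed automation identities (UserContext), and flags provisioning
in regions outside the expected set (GeoLocation). All records below are
constructed sample data, not real log output.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Tuning knobs (assumed values for this example; adjust to the environment).
WINDOW_MINUTES = 60                                   # TimeWindow
KNOWN_AUTOMATION = {"arn:aws:sts::123456789012:assumed-role/terraform-apply/ci"}
EXPECTED_REGIONS = {"us-east-1", "eu-west-1"}          # GeoLocation baseline
QUOTA_EVENTS = {("servicequotas.amazonaws.com", "RequestServiceQuotaIncrease")}
PROVISION_EVENTS = {("ec2.amazonaws.com", "RunInstances")}


def _ev(time, source, name, region, arn, **params):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "awsRegion": region, "userIdentity": {"arn": arn},
            "requestParameters": params}


ACCT = "123456789012"  # assumed account ID
SAMPLE_EVENTS = [
    # alice: quota bump, then instances 20 minutes later in an expected region
    _ev("2024-05-01T10:00:00Z", "servicequotas.amazonaws.com", "RequestServiceQuotaIncrease",
        "us-east-1", f"arn:aws:iam::{ACCT}:user/alice",
        serviceCode="ec2", quotaCode="L-1216C47A", desiredValue=256),
    _ev("2024-05-01T10:20:00Z", "ec2.amazonaws.com", "RunInstances",
        "us-east-1", f"arn:aws:iam::{ACCT}:user/alice", instanceType="p3.16xlarge", maxCount=40),
    # CI role doing the same thing: known automation, filtered out by UserContext
    _ev("2024-05-01T11:00:00Z", "servicequotas.amazonaws.com", "RequestServiceQuotaIncrease",
        "us-east-1", f"arn:aws:sts::{ACCT}:assumed-role/terraform-apply/ci",
        serviceCode="ec2", quotaCode="L-1216C47A", desiredValue=64),
    _ev("2024-05-01T11:05:00Z", "ec2.amazonaws.com", "RunInstances",
        "us-east-1", f"arn:aws:sts::{ACCT}:assumed-role/terraform-apply/ci", maxCount=2),
    # bob: no quota request, but provisioning in a region the org does not use
    _ev("2024-05-01T12:00:00Z", "ec2.amazonaws.com", "RunInstances",
        "ap-southeast-2", f"arn:aws:iam::{ACCT}:user/bob", maxCount=8),
    # carol: quota request, then provisioning three hours later (outside the window)
    _ev("2024-05-01T13:00:00Z", "servicequotas.amazonaws.com", "RequestServiceQuotaIncrease",
        "eu-west-1", f"arn:aws:iam::{ACCT}:user/carol",
        serviceCode="ec2", quotaCode="L-1216C47A", desiredValue=128),
    _ev("2024-05-01T16:00:00Z", "ec2.amazonaws.com", "RunInstances",
        "eu-west-1", f"arn:aws:iam::{ACCT}:user/carol", maxCount=16),
]


def _ts(s):
    """Parse the CloudTrail eventTime format into an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate(events, window_minutes=WINDOW_MINUTES, automation=KNOWN_AUTOMATION,
              expected_regions=EXPECTED_REGIONS):
    """Return one finding per suspicious provisioning event, in time order."""
    window = timedelta(minutes=window_minutes)
    quota_requests = defaultdict(list)   # principal ARN -> [(time, event), ...]
    findings = []
    for ev in sorted(events, key=lambda e: _ts(e["eventTime"])):
        key = (ev["eventSource"], ev["eventName"])
        who = ev["userIdentity"]["arn"]
        when = _ts(ev["eventTime"])
        if key in QUOTA_EVENTS:
            quota_requests[who].append((when, ev))   # remember the config change
            continue
        if key not in PROVISION_EVENTS or who in automation:
            continue   # not a provisioning call, or a known automation identity
        reasons = []
        # Any quota request by the same principal inside the look-back window?
        prior = [q for t, q in quota_requests[who] if when - window <= t <= when]
        if prior:
            codes = ",".join(q["requestParameters"].get("quotaCode", "?") for q in prior)
            reasons.append(f"quota_increase_then_provision:{codes}")
        if ev["awsRegion"] not in expected_regions:
            reasons.append(f"unexpected_region:{ev['awsRegion']}")
        if reasons:
            findings.append({"principal": who, "eventTime": ev["eventTime"],
                             "region": ev["awsRegion"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["eventTime"], f["principal"], f["region"], "; ".join(f["reasons"]))
```

On the sample data this yields two findings: alice (quota increase followed by `RunInstances` 20 minutes later) and bob (provisioning in `ap-southeast-2`). The CI role is suppressed by the allowlist and carol falls outside the 60-minute window; widening `window_minutes` to 240 picks carol up, which is the TimeWindow trade-off the table describes. In production the same join should also key on the target region of the quota request and on policy or region opt-in changes (the ChangeType field), not only on quota events.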