Unexpected AWS API calls indicating unauthorized access
ID: aws_unauthorized_access_anomaly
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0006:T1555
Description
AlphaSOC detected API calls whose action, source ASN, user agent or region is unexpected for the principal that made them. Such deviations may indicate that account credentials have been stolen and are being used by a threat actor, since compromised credentials are a common way to gain initial access to an AWS environment.
Impact
Adversaries with valid credentials can bypass traditional security measures, potentially move laterally within the network, escalate privileges, and access sensitive data.
Severity
| Severity | Condition |
|---|---|
| Informational | One unexpected property (action, ASN, user agent or region) |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Investigate the details of the suspicious API calls: which principal made them (userIdentity), from which source IP address, ASN and region, with which user agent, and which actions were called. Review the surrounding AWS CloudTrail activity for the same principal and source, such as new access keys, new IAM users or roles, or policy changes that could serve as persistence. If the API calls were unauthorized, disable or rotate the affected credentials, revoke any temporary session credentials, terminate the suspicious sessions and mitigate any resulting compromise.
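The following is an added example of how the severity table above can be turned into detection logic, and of the fields the investigation guidance asks for; it is not AlphaSOC's implementation. It keeps a constructed per-principal baseline of previously seen values for the four profiled properties (action, ASN, user agent, region), counts how many of an event's properties fall outside that baseline, and maps the count to a severity the way the table does. The IP-to-ASN map stands in for a real GeoIP/ASN lookup, and the CloudTrail records are constructed in the `{"Records": [...]}` shape CloudTrail delivers to S3. A count of four is not in the table; the example assumes it caps at Medium, the page's maximum.

```python
"""Score CloudTrail events by how many profiled properties are unexpected.

Added example, not AlphaSOC's implementation. Baseline, IP-to-ASN map and
CloudTrail records are all constructed for illustration.
"""
import json

# Constructed baseline: values previously observed for each IAM principal.
BASELINE = {
    "arn:aws:iam::123456789012:user/deploy-bot": {
        "action": {"ecr:GetAuthorizationToken", "ecs:UpdateService"},
        "asn": {"AS16509"},
        "user_agent": {"aws-cli/2.15.0"},
        "region": {"us-east-1"},
    },
}

# Constructed stand-in for a GeoIP/ASN lookup of sourceIPAddress.
IP_TO_ASN = {
    "52.94.0.10": "AS16509",    # assumed Amazon-owned address
    "198.51.100.7": "AS64496",  # assumed third-party hosting provider
}

# One unexpected property -> Informational, two -> Low, three -> Medium.
# Four is assumed to cap at Medium (see lead-in).
SEVERITY_BY_COUNT = {1: "Informational", 2: "Low", 3: "Medium"}


def profiled_properties(event):
    """Extract the four properties the detector profiles from one record."""
    service = event["eventSource"].split(".")[0]  # "iam.amazonaws.com" -> "iam"
    return {
        "action": f"{service}:{event['eventName']}",
        "asn": IP_TO_ASN.get(event["sourceIPAddress"], "unknown"),
        "user_agent": event.get("userAgent", ""),
        "region": event["awsRegion"],
    }


def score(event, baseline=BASELINE):
    """Return a finding for the event, or None when there is no baseline or nothing is unexpected."""
    principal = event["userIdentity"].get("arn")
    profile = baseline.get(principal)
    if profile is None:
        return None  # unknown principal: no baseline to compare against
    props = profiled_properties(event)
    unexpected = sorted(name for name, value in props.items() if value not in profile[name])
    if not unexpected:
        return None
    return {
        "principal": principal,
        "time": event["eventTime"],
        "source_ip": event["sourceIPAddress"],
        "severity": SEVERITY_BY_COUNT[min(len(unexpected), 3)],
        "unexpected": unexpected,
        **props,
    }


def triage(records_json):
    """Score every record in a CloudTrail log file body and return the findings."""
    records = json.loads(records_json)["Records"]
    return [f for f in (score(r) for r in records) if f is not None]


def _record(name, source, ip, ua, region, arn="arn:aws:iam::123456789012:user/deploy-bot"):
    """Build a minimal constructed CloudTrail record with the fields used above."""
    return {"eventTime": "2024-05-01T10:00:00Z", "eventSource": source, "eventName": name,
            "awsRegion": region, "sourceIPAddress": ip, "userAgent": ua,
            "userIdentity": {"type": "IAMUser", "arn": arn}}


# Constructed sample log: one baseline-conformant call, then increasingly anomalous ones.
SAMPLE_LOG = json.dumps({"Records": [
    _record("GetAuthorizationToken", "ecr.amazonaws.com", "52.94.0.10", "aws-cli/2.15.0", "us-east-1"),
    _record("UpdateService", "ecs.amazonaws.com", "52.94.0.10", "aws-cli/2.15.0", "eu-west-1"),
    _record("CreateAccessKey", "iam.amazonaws.com", "198.51.100.7", "Boto3/1.34.0", "us-east-1"),
    _record("GetCallerIdentity", "sts.amazonaws.com", "198.51.100.7", "Boto3/1.34.0", "ap-southeast-1"),
    _record("ListBuckets", "s3.amazonaws.com", "198.51.100.7", "Boto3/1.34.0", "us-east-1",
            arn="arn:aws:iam::123456789012:user/unknown-user"),
]})

if __name__ == "__main__":
    # Each finding carries who, from where, which action and what was unexpected.
    for finding in triage(SAMPLE_LOG):
        print(f"{finding['severity']:>13}  {finding['principal']}  {finding['action']} "
              f"from {finding['source_ip']} ({finding['asn']}) in {finding['region']} "
              f"ua={finding['user_agent']!r}  unexpected={finding['unexpected']}")
```

Running it yields no finding for the first record (everything matches the baseline), Informational for the second (only the region is new), and Medium for the third and fourth (three and four unexpected properties). The last record is skipped because the principal has no baseline; in a real deployment such principals need their own handling rather than silent suppression.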