
Unexpected AWS API calls indicating unauthorized access

ID: aws_unauthorized_access_anomaly
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0006:T1555

Description

AlphaSOC detected API calls indicating potential unauthorized access, which may suggest an attempt to steal account credentials. These API calls are often used by threat actors to gain initial access to a network.

Impact

Adversaries with valid credentials can bypass traditional security measures, potentially move laterally within the network, escalate privileges, and access sensitive data.

Severity

Severity        Condition
Informational   Unexpected action, ASN, user agent or region
Low             Two unexpected properties at the same time
Medium          Three unexpected properties at the same time
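Added illustration (not AlphaSOC's detection code): a scorer that applies the severity table above to CloudTrail events, comparing each event's action, ASN, user agent and region against a per-principal baseline. The baseline layout and the sourceASN field (an assumed enrichment of sourceIPAddress; CloudTrail itself records only the IP) are assumptions.

```python
# Added example, not AlphaSOC's implementation. Baseline layout and the
# 'sourceASN' enrichment field are assumptions for illustration.

# Constructed baseline: properties previously observed for one IAM principal.
# A real baseline would be learned from historical CloudTrail data.
BASELINE = {
    "arn:aws:iam::123456789012:user/alice": {
        "eventName": {"DescribeInstances", "ListBuckets", "GetObject"},
        "sourceASN": {"AS16509"},        # assumed enrichment of sourceIPAddress
        "userAgent": {"aws-cli/2.15.0"},
        "awsRegion": {"us-east-1"},
    }
}

PROPERTIES = ("eventName", "sourceASN", "userAgent", "awsRegion")
# Severity ladder from the table above; four unexpected properties still cap at Medium.
SEVERITY_BY_COUNT = {0: None, 1: "Informational", 2: "Low", 3: "Medium"}


def unexpected_properties(event, baseline=BASELINE):
    """Return the properties of `event` never seen before for its principal."""
    principal = event["userIdentity"]["arn"]
    known = baseline.get(principal)
    if known is None:
        return []  # no baseline yet, so nothing to compare against
    return [p for p in PROPERTIES if event.get(p) not in known[p]]


def severity(event, baseline=BASELINE):
    """Map the number of unexpected properties to the rule's severity levels."""
    count = min(len(unexpected_properties(event, baseline)), 3)
    return SEVERITY_BY_COUNT[count]


# Constructed CloudTrail-style events, trimmed to the fields used here.
ALICE = {"arn": "arn:aws:iam::123456789012:user/alice"}
EVENTS = [
    {"userIdentity": ALICE, "eventName": "ListBuckets", "sourceASN": "AS16509",
     "userAgent": "aws-cli/2.15.0", "awsRegion": "us-east-1"},        # matches baseline
    {"userIdentity": ALICE, "eventName": "ListBuckets", "sourceASN": "AS16509",
     "userAgent": "aws-cli/2.15.0", "awsRegion": "eu-west-1"},        # region only
    {"userIdentity": ALICE, "eventName": "GetSecretValue", "sourceASN": "AS64496",
     "userAgent": "python-requests/2.31", "awsRegion": "eu-west-1"},  # everything new
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["eventName"], unexpected_properties(e), severity(e))
```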

Investigation and Remediation

Investigate the details of the suspicious API calls, including who made them and from where. Review AWS CloudTrail logs for any suspicious activities. If the API calls were unauthorized, terminate the suspicious sessions and mitigate any potential compromises.