AWS CloudTrail rare Method for a City

Goal

Looks for AWS API calls that, while not inherently suspicious or abnormal, originate from an unusual city. Such calls can be the result of a compromised account or credentials.

Description

The implementation is based on an Isolation Forest, an ML model related to the well-known Random Forest.

This model learns many decision trees from the data; each tree aims to route inliers and outliers to different leaves, so that outliers end up separated (isolated) after fewer splits than inliers.

Characteristics

Name
AWS CloudTrail rare Method for a City

Data involved

AWS CloudTrail calls

Alert Generation

An alert is produced every time a combination of city and method is detected as anomalous.

Raw outputs of the model

A boolean value indicating whether the call is anomalous.
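To make the model description and the boolean output concrete, here is an added example that is not code from the original page or from the rule's real implementation. It is a minimal Isolation Forest written in pure Python, applied to constructed CloudTrail-like records. Everything in it is an assumption for illustration: the `city` field is assumed to come from an upstream GeoIP enrichment of `sourceIPAddress` (CloudTrail itself carries no city), each call is featurized as (city frequency, method frequency, city+method pair frequency) over the same window, the forest size, seed and the 0.7 score threshold are arbitrary, and the city and method names are invented sample data.

```python
import math
import random
from collections import Counter

# Constructed sample data (assumption: only the two fields this example needs).
# Four routine city/method pairings plus one never-before-seen pairing: a city
# with no history calling a method the account never otherwise uses.
def build_sample_events():
    baseline = [
        ("Ashburn", "DescribeInstances", 20),
        ("Ashburn", "GetObject", 15),
        ("Dublin", "GetObject", 10),
        ("Dublin", "ListBuckets", 5),
    ]
    events = [{"city": c, "eventName": m} for c, m, n in baseline for _ in range(n)]
    events.append({"city": "Sydney", "eventName": "CreateUser"})
    return events

def featurize(events):
    """Map each event to (city count, method count, city+method pair count).

    Assumption: frequencies over the same window are a usable stand-in for
    'how usual is this city, this method, and this combination'.
    """
    city_n = Counter(e["city"] for e in events)
    method_n = Counter(e["eventName"] for e in events)
    pair_n = Counter((e["city"], e["eventName"]) for e in events)
    return [(float(city_n[e["city"]]), float(method_n[e["eventName"]]),
             float(pair_n[(e["city"], e["eventName"])])) for e in events]

def _c(n):
    """Average path length of an unsuccessful BST search on n points (score normaliser)."""
    if n <= 1:
        return 0.0
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n

def _grow(X, rng, depth, max_depth):
    """Isolation tree: pick a random feature and a random split until points are alone."""
    if depth >= max_depth or len(X) <= 1:
        return ("leaf", len(X))
    f = rng.randrange(len(X[0]))
    lo, hi = min(x[f] for x in X), max(x[f] for x in X)
    if lo == hi:                      # cannot split further on this feature
        return ("leaf", len(X))
    split = rng.uniform(lo, hi)
    left = [x for x in X if x[f] < split]
    right = [x for x in X if x[f] >= split]
    return ("node", f, split,
            _grow(left, rng, depth + 1, max_depth),
            _grow(right, rng, depth + 1, max_depth))

def _path(tree, x, depth=0):
    """Depth at which x lands, plus the expected remaining depth for a non-singleton leaf."""
    if tree[0] == "leaf":
        return depth + _c(tree[1])
    _, f, split, left, right = tree
    return _path(left if x[f] < split else right, x, depth + 1)

def isolation_forest_scores(X, n_trees=100, seed=7):
    """Anomaly score in (0, 1): close to 1 means isolated in very few splits."""
    rng = random.Random(seed)          # seeded so the run is reproducible
    max_depth = math.ceil(math.log2(len(X)))
    trees = [_grow(X, rng, 0, max_depth) for _ in range(n_trees)]
    norm = _c(len(X))
    return [2.0 ** (-(sum(_path(t, x) for t in trees) / n_trees) / norm) for x in X]

def rank_city_method(events, n_trees=100, seed=7, threshold=0.7):
    """Return (city, method, score, is_anomalous) per distinct pair, most anomalous first.

    The boolean is the 'raw output' style described on the page; the threshold
    is an assumed tuning value, not the rule's real cut-off.
    """
    scores = isolation_forest_scores(featurize(events), n_trees, seed)
    best = {}
    for e, s in zip(events, scores):
        key = (e["city"], e["eventName"])
        best[key] = max(best.get(key, 0.0), s)
    ranked = sorted(best.items(), key=lambda kv: -kv[1])
    return [(c, m, s, s > threshold) for (c, m), s in ranked]

if __name__ == "__main__":
    for city, method, score, flagged in rank_city_method(build_sample_events()):
        print(f"{score:.3f}  {'ALERT' if flagged else '     '}  {city:8s} {method}")
```

The single Sydney/CreateUser call is the minimum on all three frequency features, so nearly any random split separates it from the rest in one or two steps, which is exactly what gives it a short path and a high score. The routine pairings sit in clusters of identical feature vectors that a tree cannot split further, so their path lengths stay long and they fall under the threshold. In production the frequencies would be computed over a training window rather than over the batch being scored, and the threshold would be tuned against the alert volume the SOC can absorb.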
