AWS CloudTrail rare Method for a Country
Goal
Looks for AWS API calls that, while not inherently suspicious or abnormal, originate from a country that is unusual for that particular call. Such calls can be the result of a compromised account or leaked credentials.
Description
The implementation is based on an Isolation Forest, an unsupervised tree-ensemble anomaly detection model related to the well-known Random Forest.
The model builds many random decision trees, each one splitting the data on a randomly chosen feature at a randomly chosen value. Outliers are separated from the rest of the data in a few splits and therefore end up in shallow leaves, while inliers need many splits to be isolated; the average depth at which a point is isolated across all trees is converted into an anomaly score.
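The mechanism described above, as an added example that is not the product's own implementation: a small Isolation Forest written from scratch and run over constructed CloudTrail-style records. Assumptions made here that the page does not state: the country field is taken from a GeoIP enrichment of sourceIPAddress (CloudTrail itself only records the IP), each event is turned into two numeric features (how often its country/method pair occurs and what share of that country's traffic the pair represents), and the 0.6 alert threshold is an arbitrary choice for the demo.

```python
"""Toy Isolation Forest over (country, method) features from CloudTrail-like
records. Added illustration, not the product's code. The `country` field is
assumed to come from GeoIP enrichment of sourceIPAddress."""
import math
import random
from collections import Counter

# Constructed sample: CloudTrail-style events after GeoIP enrichment.
# 38 routine calls plus one (DE, CreateAccessKey) that DE never normally makes.
EVENTS = (
    [{"eventName": "DescribeInstances", "country": "US"}] * 20
    + [{"eventName": "ListBuckets", "country": "US"}] * 8
    + [{"eventName": "DescribeInstances", "country": "DE"}] * 10
    + [{"eventName": "CreateAccessKey", "country": "DE"}]
)


def featurize(events):
    """Map each event to numeric features the trees can split on (assumed
    encoding): occurrences of its (country, method) pair, and that pair's
    share of all calls from the country. Rare pairs sit at the low extreme."""
    pair_counts = Counter((e["country"], e["eventName"]) for e in events)
    country_counts = Counter(e["country"] for e in events)
    rows = []
    for e in events:
        pair = (e["country"], e["eventName"])
        rows.append([pair_counts[pair], pair_counts[pair] / country_counts[e["country"]]])
    return rows


def c(n):
    """Average path length of an unsuccessful BST search on n points; the
    standard Isolation Forest normaliser and leaf-size adjustment."""
    if n <= 1:
        return 0.0
    if n == 2:
        return 1.0
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n


def build_tree(rows, rng, depth, max_depth):
    """Recursively split on a random feature at a random value between that
    feature's min and max in the node; stop at the depth limit, on a single
    point, or when every feature is constant (duplicate rows)."""
    if depth >= max_depth or len(rows) <= 1:
        return ("leaf", len(rows))
    n_feat = len(rows[0])
    ranges = [(min(r[q] for r in rows), max(r[q] for r in rows)) for q in range(n_feat)]
    candidates = [q for q in range(n_feat) if ranges[q][0] < ranges[q][1]]
    if not candidates:
        return ("leaf", len(rows))
    q = rng.choice(candidates)
    p = rng.uniform(*ranges[q])
    left = [r for r in rows if r[q] < p]
    right = [r for r in rows if r[q] >= p]
    return ("split", q, p,
            build_tree(left, rng, depth + 1, max_depth),
            build_tree(right, rng, depth + 1, max_depth))


def path_length(node, x, depth=0):
    """Depth at which x is isolated, with c(leaf size) added for leaves that
    still hold several points (they would need that many more splits)."""
    if node[0] == "leaf":
        return depth + c(node[1])
    _, q, p, left, right = node
    return path_length(left if x[q] < p else right, x, depth + 1)


def anomaly_scores(rows, n_trees=200, seed=7):
    """Score in (0, 1): short average paths give scores near 1 (anomalous)."""
    rng = random.Random(seed)
    max_depth = max(1, math.ceil(math.log2(len(rows))))
    trees = [build_tree(rows, rng, 0, max_depth) for _ in range(n_trees)]
    norm = c(len(rows))
    return [2 ** (-(sum(path_length(t, x) for t in trees) / n_trees) / norm) for x in rows]


def detect(events, threshold=0.6):
    """Return {(country, method): score} for pairs scoring at or above the
    threshold; the boolean the page mentions is `score >= threshold`."""
    scores = anomaly_scores(featurize(events))
    flagged = {}
    for e, s in zip(events, scores):
        if s >= threshold:
            flagged[(e["country"], e["eventName"])] = round(s, 3)
    return flagged


if __name__ == "__main__":
    for pair, score in detect(EVENTS).items():
        print(f"ALERT rare method for country: {pair} score={score}")
```

Because every (country, method) pair that occurs once gets the same low features, this encoding flags any first-seen pair, not only those from a "bad" country; a production model would add more context per event (time of day, identity, user agent) so that the trees can separate a harmless new pair from a genuinely odd one.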
Characteristics
Name
AWS CloudTrail rare Method for a Country
Data involved
AWS CloudTrail calls
Alert Generation
An alert is produced every time a combination of country and method is detected as anomalous.
Raw outputs of the model
A boolean value indicating whether the call is anomalous.