From 9129fda2a56bd1c184fb21b11ed487a1fe796bf2 Mon Sep 17 00:00:00 2001
From: bryans3c
Date: Thu, 18 Jun 2026 10:31:16 +0200
Subject: [PATCH 1/5] [New Rule] AWS Lambda Function High-Frequency Invocation by a Single Principal
---
 ...pact_lambda_high_frequency_invocation.toml | 132 ++++++++++++++++++
 1 file changed, 132 insertions(+)
 create mode 100644 rules/integrations/aws/impact_lambda_high_frequency_invocation.toml
diff --git a/rules/integrations/aws/impact_lambda_high_frequency_invocation.toml b/rules/integrations/aws/impact_lambda_high_frequency_invocation.toml
new file mode 100644
index 00000000000..fd729ba7c72
--- /dev/null
+++ b/rules/integrations/aws/impact_lambda_high_frequency_invocation.toml
@@ -0,0 +1,132 @@
+[metadata]
+creation_date = "2026/06/18"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2026/06/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a single principal directly invoking AWS Lambda functions at a high volume within a one-hour window.
+Adversaries may drive excessive invocations to abuse functions for resource hijacking or cryptomining, to inflate costs
+in a denial-of-wallet attack, or to enumerate function behavior. This is a volumetric heuristic: the threshold is
+environment-dependent and high-throughput applications can exceed it, so tune it to the deployment. This rule relies on
+AWS Lambda data event logging, which is not enabled by default.
+"""
+false_positives = [
+ """
+ Legitimate high-throughput applications, batch jobs, load tests, and automation can invoke functions at high volume
+ and will exceed any fixed threshold. Validate the principal in `aws.cloudtrail.user_identity.arn` and the workload
+ context, and tune the threshold to the environment.
+ """,
+]
+from = "now-60m"
+interval = "60m"
+language = "esql"
+license = "Elastic License v2"
+name = "AWS Lambda Function High-Frequency Invocation by a Single Principal"
+note = """## Triage and analysis
+
+### Investigating AWS Lambda Function High-Frequency Invocation by a Single Principal
+
+A principal issuing a high volume of direct Lambda invocations in a short window can indicate function abuse for
+resource hijacking or cryptomining, a denial-of-wallet cost attack, or behavioral enumeration. Because Lambda data
+events record only the invocation metadata (caller, function, source) and not the function's internal behavior, this
+rule is purely volumetric and should be treated as corroborating signal.
+
+#### Possible investigation steps
+
+- Identify the principal in `aws.cloudtrail.user_identity.arn` and determine whether the volume exceeds its historical baseline.
+- Determine whether the principal is a known high-throughput application or automation identity, or an unexpected user.
+- Review `source.ip` / `user_agent.original` and recent credential activity for signs of compromise.
+- Correlate with billing/concurrency metrics and with other Lambda or IAM activity by the same principal.
+
+### False positive analysis
+
+- High-throughput apps, batch processing, and load tests routinely exceed fixed thresholds. Tune the threshold and
+ exclude known high-volume identities after validation.
+
+### Response and remediation
+
+- If abuse is confirmed, throttle or disable the affected functions (reserved concurrency), rotate or restrict the
+ principal's credentials, and review function code and execution-role permissions.
+- Apply per-function reserved concurrency and account-level guardrails to bound cost and blast radius.
+
+### Additional information
+
+- [Logging Lambda data events with CloudTrail](https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html)
+- [Lambda function scaling and concurrency](https://docs.aws.amazon.com/lambda/latest/dg/lambda-concurrency.html)
+"""
+references = [
+ "https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html",
+ "https://docs.aws.amazon.com/lambda/latest/dg/lambda-concurrency.html",
+]
+risk_score = 47
+rule_id = "55260656-76d6-427b-bd02-7acdde131b64"
+setup = """## Setup
+
+This rule requires AWS Lambda data events to be logged in CloudTrail and ingested via the AWS integration. Lambda
+invocation (`Invoke`) is a data-plane event and is NOT logged by default; enable data event logging for Lambda functions
+in the trail (optionally scoped to sensitive functions to manage volume). Tune the invocation-count threshold in the
+query to the environment before enabling.
+"""
+severity = "medium"
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS Lambda",
+ "Use Case: Threat Detection",
+ "Tactic: Impact",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-aws.cloudtrail-*
+
+// Lambda invocation data events (data-plane; requires data event logging enabled)
+| where
+ event.provider == "lambda.amazonaws.com"
+ and event.action like "Invoke*"
+ and event.outcome == "success"
+ and aws.cloudtrail.user_identity.arn IS NOT NULL
+
+| stats
+ Esql.invocation_count = count(*),
+ Esql.source_ips = values(source.ip)
+ by
+ aws.cloudtrail.user_identity.arn,
+ cloud.account.id
+
+// Threshold is environment-dependent — tune to the deployment
+| where Esql.invocation_count >= 1000
+
+| keep
+ aws.cloudtrail.user_identity.arn,
+ cloud.account.id,
+ Esql.invocation_count,
+ Esql.source_ips
+
+| sort Esql.invocation_count desc
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1496"
+name = "Resource Hijacking"
+reference = "https://attack.mitre.org/techniques/T1496/"
+
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
+
+[rule.investigation_fields]
+field_names = ["aws.cloudtrail.user_identity.arn", "cloud.account.id", "Esql.invocation_count", "Esql.source_ips"]
+
From da6ebff186812a018e6c33bae87803b0021d6f7c Mon Sep 17 00:00:00 2001
From: Bryan Porras
Date: Thu, 18 Jun 2026 15:40:27 +0200
Subject: [PATCH 2/5] Update impact_lambda_high_frequency_invocation.toml
---
 .../impact_lambda_high_frequency_invocation.toml | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/rules/integrations/aws/impact_lambda_high_frequency_invocation.toml b/rules/integrations/aws/impact_lambda_high_frequency_invocation.toml
index fd729ba7c72..f14042feac5 100644
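Review bot: The `and event.outcome == "success"` clause in the `| where` filter drops throttled, denied and errored invocations, which is exactly where a denial-of-wallet burst that has already hit reserved concurrency, or a principal probing functions it is not permitted to invoke, shows up, so those cases never reach the count; consider removing the clause, or keeping a second aggregate such as `Esql.failure_count = count(case(event.outcome == "failure", 1, null))` and surfacing it in the triage note. The `aws.cloudtrail.user_identity.arn IS NOT NULL` line also scopes the rule silently: as far as I recall of the CloudTrail userIdentity element, callers recorded only as an AWS service principal carry no arn and are therefore excluded, which deserves a comment such as `// arn IS NOT NULL also drops callers recorded without an arn (service principals) — intended`. `Esql.source_ips = values(source.ip)` is unbounded for a principal that egresses from many addresses; adding `Esql.source_ip_count = count_distinct(source.ip)` next to it keeps the alert document small and gives the analyst the spread at a glance.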
--- a/rules/integrations/aws/impact_lambda_high_frequency_invocation.toml
+++ b/rules/integrations/aws/impact_lambda_high_frequency_invocation.toml
@@ -29,28 +29,22 @@ note = """## Triage and analysis ### Investigating AWS Lambda Function High-Frequency Invocation by a Single Principal -A principal issuing a high volume of direct Lambda invocations in a short window can indicate function abuse for -resource hijacking or cryptomining, a denial-of-wallet cost attack, or behavioral enumeration. Because Lambda data -events record only the invocation metadata (caller, function, source) and not the function's internal behavior, this -rule is purely volumetric and should be treated as corroborating signal. +A principal issuing a high volume of direct Lambda invocations in a short window can indicate function abuse for resource hijacking or cryptomining, a denial-of-wallet cost attack, or behavioral enumeration. Because Lambda data events record only the invocation metadata (caller, function, source) and not the function's internal behavior, this rule is purely volumetric and should be treated as corroborating signal. #### Possible investigation steps -- Identify the principal in `aws.cloudtrail.user_identity.arn` and determine whether the volume exceeds its historical - baseline. +- Identify the principal in `aws.cloudtrail.user_identity.arn` and determine whether the volume exceeds its historical baseline. - Determine whether the principal is a known high-throughput application or automation identity, or an unexpected user. - Review `source.ip` / `user_agent.original` and recent credential activity for signs of compromise. - Correlate with billing/concurrency metrics and with other Lambda or IAM activity by the same principal. ### False positive analysis -- High-throughput apps, batch processing, and load tests routinely exceed fixed thresholds. Tune the threshold and - exclude known high-volume identities after validation. +- High-throughput apps, batch processing, and load tests routinely exceed fixed thresholds. Tune the threshold and exclude known high-volume identities after validation. 
### Response and remediation -- If abuse is confirmed, throttle or disable the affected functions (reserved concurrency), rotate or restrict the - principal's credentials, and review function code and execution-role permissions. +- If abuse is confirmed, throttle or disable the affected functions (reserved concurrency), rotate or restrict the principal's credentials, and review function code and execution-role permissions. - Apply per-function reserved concurrency and account-level guardrails to bound cost and blast radius. ### Additional information
From aa483c26a197c897e117409df6c68d9f2dfcd2b5 Mon Sep 17 00:00:00 2001
From: Bryan Porras
Date: Mon, 22 Jun 2026 09:55:23 +0200
Subject: [PATCH 3/5] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 .../aws/impact_lambda_high_frequency_invocation.toml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/integrations/aws/impact_lambda_high_frequency_invocation.toml b/rules/integrations/aws/impact_lambda_high_frequency_invocation.toml
index f14042feac5..c0c0536f452 100644
--- a/rules/integrations/aws/impact_lambda_high_frequency_invocation.toml
+++ b/rules/integrations/aws/impact_lambda_high_frequency_invocation.toml
@@ -70,6 +70,7 @@ tags = [ "Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", + "Data Source: AWS CloudTrail", "Data Source: AWS Lambda", "Use Case: Threat Detection", "Tactic: Impact",
From 43c847760e051574cc0b63eaca44c8498a91f150 Mon Sep 17 00:00:00 2001
From: Bryan Porras
Date: Mon, 22 Jun 2026 16:50:50 +0200
Subject: [PATCH 4/5] Apply suggestions from code review
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
---
 .../aws/impact_lambda_high_frequency_invocation.toml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/rules/integrations/aws/impact_lambda_high_frequency_invocation.toml b/rules/integrations/aws/impact_lambda_high_frequency_invocation.toml
index c0c0536f452..23b86985515 100644
--- a/rules/integrations/aws/impact_lambda_high_frequency_invocation.toml
+++ b/rules/integrations/aws/impact_lambda_high_frequency_invocation.toml
@@ -20,7 +20,7 @@ false_positives = [ context, and tune the threshold to the environment. """, ] -from = "now-60m" +from = "now-61m" interval = "60m" language = "esql" license = "Elastic License v2"
@@ -31,7 +31,7 @@ note = """## Triage and analysis A principal issuing a high volume of direct Lambda invocations in a short window can indicate function abuse for resource hijacking or cryptomining, a denial-of-wallet cost attack, or behavioral enumeration. Because Lambda data events record only the invocation metadata (caller, function, source) and not the function's internal behavior, this rule is purely volumetric and should be treated as corroborating signal. -#### Possible investigation steps +### Possible investigation steps - Identify the principal in `aws.cloudtrail.user_identity.arn` and determine whether the volume exceeds its historical baseline. - Determine whether the principal is a known high-throughput application or automation identity, or an unexpected user.
@@ -93,8 +93,7 @@ from logs-aws.cloudtrail-* Esql.invocation_count = count(*), Esql.source_ips = values(source.ip) by - aws.cloudtrail.user_identity.arn, - cloud.account.id + aws.cloudtrail.user_identity.arn // Threshold is environment-dependent — tune to the deployment | where Esql.invocation_count >= 1000
From ad5a9e39f798cf5ea0ff48cc7bd67eaefb50ef5f Mon Sep 17 00:00:00 2001
From: Bryan Porras
Date: Mon, 22 Jun 2026 17:15:07 +0200
Subject: [PATCH 5/5] Update impact_lambda_high_frequency_invocation.toml
---
 .../aws/impact_lambda_high_frequency_invocation.toml | 1 -
 1 file changed, 1 deletion(-)
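Review bot: Removing `cloud.account.id` from the `by` clause in the `@@ -93,8 +93,7 @@` hunk means the stats output no longer produces that column, but `[rule.investigation_fields]` `field_names` (outside this hunk, at the end of the file) still lists `"cloud.account.id"`; the follow-up patch in this series drops it from `| keep` yet leaves that reference dangling, and if the repository validates ES|QL investigation fields against the query's output columns it will be rejected. Change it to `field_names = ["aws.cloudtrail.user_identity.arn", "Esql.invocation_count", "Esql.source_ips"]`. Grouping on the principal ARN alone is sound because the account id is embedded in every IAM and STS ARN, and a one-line comment on the `by` line saying so, `// account id is part of the ARN, so no separate cloud.account.id grouping`, would stop the next reviewer from re-adding it.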
diff --git a/rules/integrations/aws/impact_lambda_high_frequency_invocation.toml b/rules/integrations/aws/impact_lambda_high_frequency_invocation.toml
index 23b86985515..ec60f389d2e 100644
--- a/rules/integrations/aws/impact_lambda_high_frequency_invocation.toml
+++ b/rules/integrations/aws/impact_lambda_high_frequency_invocation.toml
@@ -100,7 +100,6 @@ from logs-aws.cloudtrail-* | keep aws.cloudtrail.user_identity.arn, - cloud.account.id, Esql.invocation_count, Esql.source_ips