AWS Lambda Function Created or Updated
editAWS Lambda Function Created or Updated
editIdentifies when an AWS Lambda function is created or updated. AWS Lambda lets you run code without provisioning or managing servers. Adversaries can create or update Lambda functions to execute malicious code, exfiltrate data, or escalate privileges. This is a [building block rule](https://www.elastic.co/guide/en/security/current/building-block-rule.html) that does not generate alerts, but signals when a Lambda function is created or updated that matches the rule’s conditions. To generate alerts, create a rule that uses this signal as a building block.
Rule type: query
Rule indices:
- filebeat-*
- logs-aws.cloudtrail-*
Severity: low
Risk score: 21
Runs every: 10m
Searches indices from: now-60m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Data Source: AWS
- Data Source: Amazon Web Services
- Data Source: AWS Lambda
- Use Case: Asset Visibility
- Tactic: Execution
- Rule Type: BBR
Version: 2
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editevent.dataset: "aws.cloudtrail" and event.provider: "lambda.amazonaws.com" and event.outcome: "success" and event.action: (CreateFunction* or UpdateFunctionCode*)
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
-
Technique:
- Name: Serverless Execution
- ID: T1648
- Reference URL: https://attack.mitre.org/techniques/T1648/