IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« AWS KMS Customer Managed Key Disabled or Scheduled for Deletion AWS Lambda Function Policy Updated to Allow Public Invocation »
Elastic Docs Elastic Security Solution [8.12] Detections and alerts Prebuilt rule reference

AWS Lambda Function Created or Updated

edit

AWS Lambda Function Created or Updated

edit

Identifies when an AWS Lambda function is created or updated. AWS Lambda lets you run code without provisioning or managing servers. Adversaries can create or update Lambda functions to execute malicious code, exfiltrate data, or escalate privileges. This is a [building block rule](https://www.elastic.co/guide/en/security/current/building-block-rule.html) that does not generate alerts, but signals when a Lambda function is created or updated that matches the rule’s conditions. To generate alerts, create a rule that uses this signal as a building block.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-aws.cloudtrail-*

Severity: low

Risk score: 21

Runs every: 10m

Searches indices from: now-60m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Data Source: AWS
  • Data Source: Amazon Web Services
  • Data Source: AWS Lambda
  • Use Case: Asset Visibility
  • Tactic: Execution
  • Rule Type: BBR

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
event.dataset: "aws.cloudtrail"
    and event.provider: "lambda.amazonaws.com"
    and event.outcome: "success"
    and event.action: (CreateFunction* or UpdateFunctionCode*)

Framework: MITRE ATT&CKTM

« AWS KMS Customer Managed Key Disabled or Scheduled for Deletion AWS Lambda Function Policy Updated to Allow Public Invocation »