DET0247 Detection of Adversary Use of Unused or Unsupported Cloud Regions (IaaS)

| Item | Value |
| --- | --- |
| ID | DET0247 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1535 (Unused/Unsupported Cloud Regions)

Analytics

IaaS

AN0690

Detects creation of cloud instances, services, or resources in normally unused or unsupported regions, especially following initial account access or credential use from known regions. Correlates resource provisioning across regions with the absence of historical usage and of alerting from standard logging services (e.g., GuardDuty not enabled in that region).

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Instance Start (DC0080) | AWS:CloudTrail | RunInstances |
| Cloud Storage Creation (DC0024) | AWS:CloudTrail | CreateBucket |
| User Account Metadata (DC0013) | CloudTrail:GetCallerIdentity | GetCallerIdentity |
| Network Connection Creation (DC0082) | AWS:VPCFlowLogs | High outbound traffic from new region resource |

Mutable Elements

| Field | Description |
| --- | --- |
| UnusedRegionList | List of regions historically unused by the organization (can vary per tenant/project) |
| TimeWindow | Time interval for correlating activity following account access |
| AllowedServiceList | Whitelist of services allowed in secondary/DR regions |
| OutboundTrafficThreshold | Volume threshold to flag suspicious outbound activity |
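
The CloudTrail part of AN0690 as an added Python example, not code from the original page: it flags RunInstances and CreateBucket calls in regions from UnusedRegionList, skips AllowedServiceList entries, and raises severity when the call follows a GetCallerIdentity by the same principal within TimeWindow. The region names, the 30-minute window, the (region, eventSource) shape of the allow list, the severity labels and the sample records are assumptions constructed for illustration; VPC Flow Logs and OutboundTrafficThreshold are not covered.

```python
from datetime import datetime, timedelta

# Mutable elements from the page; every value below is a constructed assumption.
UNUSED_REGIONS = {"ap-southeast-3", "me-south-1", "af-south-1"}  # UnusedRegionList
TIME_WINDOW = timedelta(minutes=30)                              # TimeWindow
# AllowedServiceList, modelled here as (region, eventSource) pairs (assumed shape).
ALLOWED_SERVICES = {("me-south-1", "s3.amazonaws.com")}
PROVISIONING = {"RunInstances", "CreateBucket"}  # Channel values from Log Sources

def ev(time, source, name, region, user):
    """Build a constructed CloudTrail-style record (not real log data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "awsRegion": region,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"}}

SAMPLE_EVENTS = [
    ev("2025-10-21T09:00:05Z", "sts.amazonaws.com", "GetCallerIdentity", "us-east-1", "ci-deploy"),
    ev("2025-10-21T09:07:40Z", "ec2.amazonaws.com", "RunInstances", "ap-southeast-3", "ci-deploy"),
    ev("2025-10-21T09:10:00Z", "s3.amazonaws.com", "CreateBucket", "me-south-1", "backup-svc"),
    ev("2025-10-21T11:00:00Z", "ec2.amazonaws.com", "RunInstances", "us-east-1", "ops-admin"),
    ev("2025-10-21T12:30:00Z", "s3.amazonaws.com", "CreateBucket", "af-south-1", "ci-deploy"),
]

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def detect(events):
    """Flag provisioning in unused regions; raise severity when it follows
    a GetCallerIdentity call by the same principal within TIME_WINDOW."""
    last_check = {}  # principal ARN -> time of most recent GetCallerIdentity
    findings = []
    for event in sorted(events, key=_ts):
        arn, when = event["userIdentity"]["arn"], _ts(event)
        name, region = event["eventName"], event["awsRegion"]
        if name == "GetCallerIdentity":
            last_check[arn] = when
            continue
        if name not in PROVISIONING or region not in UNUSED_REGIONS:
            continue
        if (region, event["eventSource"]) in ALLOWED_SERVICES:
            continue  # permitted secondary/DR usage
        seen = last_check.get(arn)
        correlated = seen is not None and when - seen <= TIME_WINDOW
        findings.append({"principal": arn, "event": name, "region": region,
                         "time": event["eventTime"],
                         "severity": "high" if correlated else "medium"})
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```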