DET0308 Detection Strategy for Modify Cloud Compute Infrastructure

Item	Value
ID	DET0308
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1578 (Modify Cloud Compute Infrastructure)

Analytics

IaaS

AN0861

Detection focuses on identifying unauthorized or anomalous changes to compute infrastructure components. Defender perspective: monitor for creation, deletion, or modification of instances, volumes, and snapshots outside of approved change management windows; correlate abnormal activity such as rapid snapshot creation followed by new instance mounts, or repeated infrastructure changes by rarely used accounts. Flagging activity linked to unusual geolocation, API client, or automation script is suspicious.

Log Sources

Data Component	Name	Channel
Instance Start (DC0080)	AWS:CloudTrail	RunInstances
Instance Stop (DC0089)	AWS:CloudTrail	TerminateInstances
Volume Modification (DC0092)	AWS:CloudTrail	ModifyVolume
Volume Deletion (DC0098)	AWS:CloudTrail	DeleteVolume, ModifyVolume
Volume Creation (DC0097)	AWS:CloudTrail	CreateVolume
Snapshot Creation (DC0057)	AWS:CloudTrail	CreateSnapshot
Snapshot Deletion (DC0049)	AWS:CloudTrail	DeleteSnapshot
Snapshot Modification (DC0058)	AWS:CloudTrail	ModifySnapshotAttribute
Cloud Service Metadata (DC0070)	AWS:CloudWatch	unexpected IAM user or role assuming privileges for instance/snapshot operations

Mutable Elements

Field	Description
ChangeWindow	Approved maintenance or deployment windows. Helps reduce false positives by distinguishing scheduled activity.
UserContext	IAM user, role, or service account performing the operation. Tunable to allowlist known automation services.
RateThreshold	Number of infrastructure changes (e.g., snapshot creations) in a defined period. Adjusted based on workload scale.
GeoLocation	Region or source IP where changes originate. Useful for tuning alerts to account for multi-region deployments.