DET0492 Detection Strategy for Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations

Item            Value
ID              DET0492
Version         1.0
Created         21 October 2025
Last Modified   21 October 2025

Technique Detected: T1578.005 (Modify Cloud Compute Configurations)

Analytics

IaaS

AN1356

Defenders should monitor for anomalous or unauthorized changes to cloud compute configurations that alter quotas, tenant-wide policies, subscription associations, or allowed deployment regions. From a defender’s perspective, suspicious behavior chains include a sudden increase in compute quota requests followed by new instance or resource creation, policy modifications that weaken security restrictions, or the enabling of previously unused or unsupported cloud regions. Correlating identity, configuration-change, and subsequent provisioning logs is critical to distinguishing legitimate administrative activity from adversary abuse.

Log Sources

Data Component                       Name            Channel
Cloud Service Modification (DC0069)  AWS:CloudTrail  RequestServiceQuotaIncrease

Mutable Elements

Field         Description
UserContext   Identity performing the quota or configuration change; tuned to filter known admins or automation accounts.
TimeWindow    Correlation period for a configuration change followed by resource creation; tuned to environment norms.
ChangeType    Type of configuration being modified (quota, policy, region); tuned to organization-specific risk thresholds.
GeoLocation   Region where the configuration change originates; tuned to the enterprise’s expected operational geography.
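The following is an added example, not part of the DET0492 entry or any MITRE-provided analytic, showing how the behavior chain described in AN1356 (a quota or region change followed by provisioning) and the four mutable elements above could be implemented over CloudTrail-style records. The mapping of eventName values to ChangeType (RequestServiceQuotaIncrease as a quota change, EnableRegion as a region change), the use of RunInstances as the follow-on provisioning call, and every sample event, identity ARN and quota code are assumptions constructed for the example; the 123456789012 account ID is the standard AWS documentation placeholder.

```python
"""Correlate cloud compute configuration changes with follow-on provisioning.

Example detection logic over CloudTrail-style events. The eventName mapping,
the sample records and all identities below are constructed for illustration.
"""
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set

# ChangeType element: assumed CloudTrail eventName -> change category.
# Extend with the API names your tenant actually uses for policy changes.
CHANGE_TYPES: Dict[str, str] = {
    "RequestServiceQuotaIncrease": "quota",   # Service Quotas API (assumed)
    "EnableRegion": "region",                 # Account Management API (assumed)
}
# Provisioning calls that complete the behavior chain when they follow a change.
PROVISIONING_EVENTS: Set[str] = {"RunInstances"}


def parse_time(ts: str) -> datetime:
    """CloudTrail eventTime is ISO-8601 UTC, e.g. 2025-10-21T10:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events: Iterable[dict], known_automation: Set[str],
              time_window: timedelta, expected_regions: Set[str]) -> List[dict]:
    """Return alerts for config changes that originate from an unexpected region
    or are followed within time_window by provisioning from the same identity.

    known_automation  -> UserContext element (identities to filter out)
    time_window       -> TimeWindow element
    expected_regions  -> GeoLocation element
    """
    ordered = sorted(events, key=lambda e: parse_time(e["eventTime"]))
    alerts: List[dict] = []
    for i, change in enumerate(ordered):
        change_type = CHANGE_TYPES.get(change["eventName"])
        if change_type is None:
            continue                      # not a configuration change we track
        actor = change["userIdentity"]["arn"]
        if actor in known_automation:
            continue                      # UserContext filter: trusted automation
        t0 = parse_time(change["eventTime"])
        if change["awsRegion"] not in expected_regions:
            alerts.append({"reason": "change_from_unexpected_region",
                           "change_type": change_type, "actor": actor,
                           "change_event": change["eventName"],
                           "region": change["awsRegion"]})
        # Look ahead for provisioning by the same identity inside the window.
        for later in ordered[i + 1:]:
            if parse_time(later["eventTime"]) - t0 > time_window:
                break                     # sorted input: nothing later qualifies
            if (later["eventName"] in PROVISIONING_EVENTS
                    and later["userIdentity"]["arn"] == actor):
                alerts.append({"reason": "change_followed_by_provisioning",
                               "change_type": change_type, "actor": actor,
                               "change_event": change["eventName"],
                               "follow_on": later["eventName"],
                               "delay_minutes": (parse_time(later["eventTime"]) - t0).seconds // 60})
                break
    return alerts


def _event(time: str, name: str, arn: str, region: str, params: dict = None) -> dict:
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventName": name, "awsRegion": region,
            "userIdentity": {"arn": arn}, "requestParameters": params or {}}


ACCOUNT = "123456789012"                  # AWS documentation placeholder account
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"
BOB = f"arn:aws:iam::{ACCOUNT}:user/bob"
CI_ROLE = f"arn:aws:sts::{ACCOUNT}:assumed-role/terraform-ci/run-42"

# Constructed sample events: a human-driven quota bump followed by instances,
# the same chain from a CI role, and a region enablement from an unexpected region.
SAMPLE_EVENTS = [
    _event("2025-10-21T10:00:00Z", "RequestServiceQuotaIncrease", ALICE, "us-east-1",
           {"serviceCode": "ec2", "quotaCode": "L-EXAMPLE1", "desiredValue": 512}),
    _event("2025-10-21T10:20:00Z", "RunInstances", ALICE, "us-east-1"),
    _event("2025-10-21T11:00:00Z", "RequestServiceQuotaIncrease", CI_ROLE, "us-east-1",
           {"serviceCode": "ec2", "quotaCode": "L-EXAMPLE1", "desiredValue": 64}),
    _event("2025-10-21T11:03:00Z", "RunInstances", CI_ROLE, "us-east-1"),
    _event("2025-10-21T12:00:00Z", "EnableRegion", BOB, "eu-north-1",
           {"RegionName": "eu-north-1"}),
    _event("2025-10-21T14:00:00Z", "RunInstances", BOB, "us-east-1"),  # outside window
]


def run_example(filter_automation: bool = True) -> List[dict]:
    """Run the correlation with a 60-minute window and two expected regions."""
    automation = {CI_ROLE} if filter_automation else set()
    return correlate(SAMPLE_EVENTS, automation, timedelta(minutes=60),
                     {"us-east-1", "us-west-2"})


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

With the CI role allowlisted, the run yields two alerts: alice's quota increase followed 20 minutes later by RunInstances, and bob's region enablement originating from eu-north-1. Dropping the UserContext filter (run_example(False)) adds a third alert for the terraform-ci chain, which is the kind of noise the mutable element exists to tune away; bob's later RunInstances falls outside the 60-minute TimeWindow and is not correlated.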