T1535 Unused/Unsupported Cloud Regions Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// CONFIGURE: Update these lists to match your organization's approved/actively monitored cloud regions
let ApprovedAzureRegions = dynamic(["eastus", "eastus2", "westus", "westus2", "westeurope", "northeurope", "uksouth", "ukwest"]);
let ApprovedAWSRegions = dynamic(["us-east-1", "us-west-2", "eu-west-1", "eu-central-1"]);
//
// Azure: Detect successful resource creation in unapproved regions
let AzureUnusualRegion =
AzureActivity
| where TimeGenerated > ago(24h)
| where ActivityStatusValue =~ "Succeeded"
| where OperationNameValue has_any (
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachineScaleSets/write",
    "Microsoft.ContainerService/managedClusters/write",
    "Microsoft.Storage/storageAccounts/write",
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Sql/servers/write",
    "Microsoft.Web/sites/write",
    "Microsoft.KeyVault/vaults/write",
    "Microsoft.Resources/resourceGroups/write"
  )
| extend ResourceLocation = tolower(extract('"location":"([^"]+)"', 1, tostring(Properties)))
| where isnotempty(ResourceLocation)
| where ResourceLocation !in (ApprovedAzureRegions)
| project
    TimeGenerated,
    Caller,
    CallerIpAddress,
    OperationNameValue,
    ResourceLocation,
    ResourceGroup,
    SubscriptionId,
    CorrelationId,
    CloudProvider = "Azure";
//
// AWS: Detect successful resource creation events in unapproved regions
let AWSUnusualRegion =
AWSCloudTrail
| where TimeGenerated > ago(24h)
| where isempty(ErrorCode)
| where EventName in~ (
    "RunInstances",
    "CreateBucket",
    "CreateCluster",
    "CreateFunction",
    "CreateDBInstance",
    "CreateDBCluster",
    "CreateVolume",
    "CreateVpc",
    "CreateUser",
    "CreateAccessKey",
    "CreateRole",
    "CreateStackInstances",
    "CreateSecret",
    "CreateKey"
  )
| where AWSRegion !in (ApprovedAWSRegions)
| project
    TimeGenerated,
    Caller = UserIdentityArn,
    CallerIpAddress = SourceIpAddress,
    OperationNameValue = EventName,
    ResourceLocation = AWSRegion,
    ResourceGroup = RecipientAccountId,
    SubscriptionId = RecipientAccountId,
    CorrelationId = EventTypeName,
    CloudProvider = "AWS";
//
union AzureUnusualRegion, AWSUnusualRegion
| extend RiskIndicators = pack_array(
    iff(CloudProvider == "AWS" and OperationNameValue in ("CreateUser", "CreateAccessKey", "CreateRole"), "IAM resource in unapproved region", ""),
    iff(OperationNameValue =~ "RunInstances" or OperationNameValue has "virtualMachines/write", "Compute instance in unapproved region", ""),
    iff(OperationNameValue =~ "CreateFunction", "Serverless function in unapproved region", "")
  )
| extend RiskIndicators = array_strcat(array_slice(RiskIndicators, 0, array_length(RiskIndicators)), ", ")
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Cloud: Cloud Infrastructure Modification Cloud: Cloud Service Azure Activity Logs AWS CloudTrail

Required Tables

AzureActivity AWSCloudTrail

False Positives

Legitimate cloud expansion projects deploying to new regions for disaster recovery, latency optimization, or data residency compliance requirements where the approved region list has not been updated
Development and QA teams spinning up temporary infrastructure in non-production regions for performance benchmarking, compliance testing, or proof-of-concept work
Infrastructure-as-code automation pipelines (Terraform, CDK, ARM templates) deploying resources to new regions as part of an approved rollout where the change management process did not include updating detection allowlists
Third-party managed service providers, SaaS vendors, or cloud integrators creating resources on behalf of the organization in their operationally preferred regions
Disaster recovery failover events where standby infrastructure is legitimately activated in secondary regions

Splunk

spl

index=* (sourcetype="aws:cloudtrail" OR sourcetype="amazon:cloudtrail")
  (eventName="RunInstances" OR eventName="CreateBucket" OR eventName="CreateCluster"
   OR eventName="CreateFunction" OR eventName="CreateDBInstance" OR eventName="CreateDBCluster"
   OR eventName="CreateVolume" OR eventName="CreateVpc" OR eventName="CreateUser"
   OR eventName="CreateAccessKey" OR eventName="CreateRole" OR eventName="CreateSecret"
   OR eventName="CreateKey" OR eventName="CreateStackInstances")
  NOT errorCode=*
| eval ApprovedRegions="us-east-1,us-west-2,eu-west-1,eu-central-1"
| eval isApprovedRegion=if(match(awsRegion, "^(us-east-1|us-west-2|eu-west-1|eu-central-1)$"), 1, 0)
| where isApprovedRegion=0
| eval ActorType=coalesce('userIdentity.type', "Unknown")
| eval Actor=coalesce('userIdentity.arn', 'userIdentity.userName', "Unknown")
| eval IsRootAccount=if(ActorType="Root", 1, 0)
| eval IsAssumedRole=if(match(ActorType, "AssumedRole"), 1, 0)
| eval IsMachineIdentity=if(match(Actor, "(lambda|ec2|ecs|eks|codebuild|ssm)"), 1, 0)
| eval RiskScore=2
| eval RiskScore=RiskScore + if(IsRootAccount=1, 3, 0)
| eval RiskScore=RiskScore + if(eventName IN ("CreateUser", "CreateAccessKey", "CreateRole"), 3, 0)
| eval RiskScore=RiskScore + if(eventName="RunInstances", 2, 0)
| eval RiskScore=RiskScore + if(IsMachineIdentity=0 AND IsAssumedRole=0, 1, 0)
| table _time, awsRegion, eventName, Actor, ActorType, IsRootAccount, IsAssumedRole, sourceIPAddress, userAgent, recipientAccountId, RiskScore
| sort - RiskScore, - _time

high severity medium confidence

Data Sources

Cloud: Cloud Infrastructure Modification Cloud: Cloud Service AWS CloudTrail

Required Sourcetypes

aws:cloudtrail amazon:cloudtrail

False Positives

Legitimate cloud expansion projects deploying to new regions for disaster recovery, latency optimization, or data residency compliance requirements where the approved region regex has not been updated
Development and QA teams spinning up temporary infrastructure in non-production regions for performance benchmarking or compliance testing
Infrastructure-as-code automation pipelines deploying resources to new regions during an approved rollout without corresponding detection rule updates
Third-party managed service providers or SaaS vendors creating resources in their operationally preferred regions on behalf of the organization
Machine identities (Lambda execution roles, EC2 instance profiles) making cross-region API calls for legitimate data replication or failover workflows

Elastic Security (EQL)

eql

any where
  event.dataset in ("aws.cloudtrail", "azure.activitylogs")
  and event.outcome == "success"
  and (
    event.action in (
      "RunInstances", "CreateBucket", "CreateCluster", "CreateFunction",
      "CreateDBInstance", "CreateDBCluster", "CreateVolume", "CreateVpc",
      "CreateUser", "CreateAccessKey", "CreateRole", "CreateSecret",
      "CreateKey", "CreateStackInstances"
    )
    or event.action in (
      "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE",
      "MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/WRITE",
      "MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/WRITE",
      "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE",
      "MICROSOFT.NETWORK/VIRTUALNETWORKS/WRITE",
      "MICROSOFT.SQL/SERVERS/WRITE",
      "MICROSOFT.WEB/SITES/WRITE",
      "MICROSOFT.KEYVAULT/VAULTS/WRITE",
      "MICROSOFT.RESOURCES/RESOURCEGROUPS/WRITE"
    )
  )
  and cloud.region != null
  and not cloud.region in (
    "us-east-1", "us-west-2", "eu-west-1", "eu-central-1",
    "eastus", "eastus2", "westus", "westus2",
    "westeurope", "northeurope", "uksouth", "ukwest"
  )

medium severity medium confidence

Data Sources

AWS CloudTrail via Elastic Agent AWS integration (aws.cloudtrail) Azure Activity Logs via Elastic Agent Azure integration (azure.activitylogs)

Required Tables

logs-aws.cloudtrail-* logs-azure.activitylogs-*

False Positives

Authorized cloud infrastructure expansion projects where new geographic regions are being formally onboarded — coordinate with cloud platform teams before tuning.
Disaster recovery or business continuity testing that deliberately provisions resources in alternate regions to validate failover runbooks.
Third-party managed service providers or SaaS platforms (e.g., Snowflake, Databricks) provisioning resources in regions chosen for data residency or performance that differ from primary regions monitored by the team.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime/1000, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS Actor,
  QIDNAME(qid) AS EventAction,
  "AWS Region" AS CloudRegion,
  "Account ID" AS AccountId,
  "User Identity Type" AS ActorType,
  "User Identity ARN" AS ActorARN,
  LOGSOURCENAME(logsourceid) AS LogSource
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%Amazon AWS CloudTrail%'
  AND QIDNAME(qid) IN (
    'RunInstances', 'CreateBucket', 'CreateCluster', 'CreateFunction',
    'CreateDBInstance', 'CreateDBCluster', 'CreateVolume', 'CreateVpc',
    'CreateUser', 'CreateAccessKey', 'CreateRole', 'CreateSecret',
    'CreateKey', 'CreateStackInstances'
  )
  AND ("Error Code" IS NULL OR "Error Code" = '')
  AND "AWS Region" NOT IN (
    'us-east-1', 'us-west-2', 'eu-west-1', 'eu-central-1'
  )
  AND "AWS Region" IS NOT NULL
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LIMIT 1000

medium severity medium confidence

Data Sources

Amazon AWS CloudTrail DSM (QRadar built-in) Microsoft Azure Activity DSM (QRadar built-in)

Required Tables

events

False Positives

Cloud automation pipelines (Terraform, CloudFormation, Pulumi) provisioning resources during infrastructure-as-code deployments that span regions not yet added to the approved list.
Engineering teams running performance or latency benchmarks in alternate regions during pre-production testing phases.
Mergers and acquisitions where the acquired entity's cloud footprint spans regions outside the parent organization's monitored set — these will fire until the approved region list is updated.

Sumo Logic CSE

sql

// CONFIGURE: Update _sourceCategory to match your CloudTrail log source path
_sourceCategory=aws/cloudtrail
| json field=_raw "eventName" as eventName
| json field=_raw "awsRegion" as awsRegion
| json field=_raw "errorCode" as errorCode nodrop
| json field=_raw "userIdentity.type" as actorType nodrop
| json field=_raw "userIdentity.arn" as actorArn nodrop
| json field=_raw "userIdentity.userName" as actorUserName nodrop
| json field=_raw "sourceIPAddress" as sourceIP nodrop
| json field=_raw "userAgent" as userAgent nodrop
| json field=_raw "recipientAccountId" as accountId nodrop
| where eventName in ("RunInstances","CreateBucket","CreateCluster","CreateFunction",
    "CreateDBInstance","CreateDBCluster","CreateVolume","CreateVpc",
    "CreateUser","CreateAccessKey","CreateRole","CreateSecret",
    "CreateKey","CreateStackInstances")
| where isNull(errorCode) or isEmpty(errorCode)
| where !(awsRegion in ("us-east-1","us-west-2","eu-west-1","eu-central-1"))
| if(!isNull(actorArn), actorArn, actorUserName) as actor
| if(actorType == "Root", 1, 0) as isRootAccount
| if(eventName in ("CreateUser","CreateAccessKey","CreateRole"), 1, 0) as isIAMOperation
| if(eventName == "RunInstances", 1, 0) as isComputeCreate
| 2 + (isRootAccount * 3) + (isIAMOperation * 3) + (isComputeCreate * 2) as riskScore
| fields _messageTime, awsRegion, eventName, actor, actorType, sourceIP, userAgent, accountId, riskScore
| sort by riskScore, _messageTime

medium severity medium confidence

Data Sources

AWS CloudTrail (Sumo Logic S3 source or HTTP source) Azure Activity Logs (Sumo Logic Azure Monitor source)

Required Tables

Sumo Logic log index (configured _sourceCategory)

False Positives

Approved cloud workload migrations where resources are being relocated to a new region as part of an authorized project — check change management records before escalating.
Security tooling deployments (e.g., bootstrapping GuardDuty, Security Hub, or Defender for Cloud in a previously uncovered region) which themselves trigger resource creation events in that region.
Development or sandbox accounts operated by engineering teams who routinely experiment in various regions outside the production-approved set.

Google Chronicle / SecOps

yaral

rule t1535_unused_cloud_regions {
  meta:
    author = "df00tech"
    description = "Detects cloud resource creation in unapproved geographic regions (T1535 - Unused/Unsupported Cloud Regions)"
    severity = "MEDIUM"
    priority = "MEDIUM"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1535"
    false_positives = "Region expansion projects, DR testing, third-party MSP provisioning"
    version = "1.0"

  events:
    $e.metadata.event_type = "USER_RESOURCE_CREATION"
    (
      $e.metadata.product_name = "AWS CloudTrail" or
      $e.metadata.vendor_name = "Microsoft"
    )
    re.regex(
      $e.metadata.product_event_type,
      `RunInstances|CreateBucket|CreateCluster|CreateFunction|CreateDBInstance|CreateDBCluster|CreateVolume|CreateVpc|CreateUser|CreateAccessKey|CreateRole|CreateSecret|CreateKey|CreateStackInstances|VIRTUALMACHINES/WRITE|STORAGEACCOUNTS/WRITE|MANAGEDCLUSTERS/WRITE|VIRTUALNETWORKS/WRITE|SQL/SERVERS/WRITE|KEYVAULT/VAULTS/WRITE`
    )
    $e.target.cloud.availability_zone != ""
    not re.regex(
      $e.target.cloud.availability_zone,
      `^(us-east-1|us-west-2|eu-west-1|eu-central-1|eastus|eastus2|westus|westus2|westeurope|northeurope|uksouth|ukwest)$`
    )
    $e.security_result.action = "ALLOW"

  condition:
    $e
}

medium severity medium confidence

Data Sources

AWS CloudTrail (Chronicle ingestion via S3 or direct feed) Azure Activity Logs (Chronicle Azure feed)

Required Tables

UDM Events (USER_RESOURCE_CREATION category)

False Positives

Automated infrastructure provisioning tools (Terraform Enterprise, AWS Control Tower) creating resources during sanctioned region onboarding workflows.
Cloud security posture tools that provision monitoring agents or configuration rules (e.g., AWS Config recorders, Security Hub enablement) across all regions including unapproved ones.
Multi-region active-active architecture deployments where engineering teams provision resources across a wider region set than what security monitoring currently covers.

CrowdStrike LogScale (CQL)

cql

// Requires CloudTrail logs ingested into LogScale or Falcon CSPM cloud audit events
// CONFIGURE: Update excluded regions to match your approved set
#repo=cloudtrail
| eventName in values=[
    "RunInstances", "CreateBucket", "CreateCluster", "CreateFunction",
    "CreateDBInstance", "CreateDBCluster", "CreateVolume", "CreateVpc",
    "CreateUser", "CreateAccessKey", "CreateRole", "CreateSecret",
    "CreateKey", "CreateStackInstances"
  ]
| not errorCode=*
| awsRegion != "us-east-1"
| awsRegion != "us-west-2"
| awsRegion != "eu-west-1"
| awsRegion != "eu-central-1"
| awsRegion != ""
| case {
    eventName in ["CreateUser", "CreateAccessKey", "CreateRole"] | riskScore := 5 ;
    eventName = "RunInstances" | riskScore := 4 ;
    * | riskScore := 2
  }
| userIdentityType = "Root" | rootFlag := "ROOT_ACCOUNT" ; * | rootFlag := ""
| groupBy(
    [awsRegion, eventName, userIdentityArn, userIdentityType, sourceIPAddress, recipientAccountId, rootFlag],
    function=[
      max(riskScore, as=maxRiskScore),
      count(as=eventCount),
      min(@timestamp, as=firstSeen),
      max(@timestamp, as=lastSeen)
    ]
  )
| sort(field=maxRiskScore, order=desc)

medium severity medium confidence

Data Sources

AWS CloudTrail logs ingested into CrowdStrike LogScale Falcon CSPM cloud audit event stream (alternate field mapping required)

Required Tables

LogScale cloudtrail repository (or equivalent configured repo name)

False Positives

CI/CD pipelines with cross-region deployment stages that create resources in non-primary regions as part of blue-green or canary deployment strategies.
Cloud cost optimization tooling (e.g., Spot.io, CloudHealth) that automatically provisions or migrates workloads to lower-cost regions outside the approved list.
Incident response or forensics activities where responders deliberately spin up isolated environments in alternate regions to contain or investigate an incident without affecting production.

Unused/Unsupported Cloud Regions

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Defense Evasion

Popular Detections