T1535 IBM QRadar · QRadar

Detect Unused/Unsupported Cloud Regions in IBM QRadar

Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure. Cloud service providers provide infrastructure globally, but organizations typically monitor only a subset of available regions and may not have security tooling (GuardDuty, Security Hub, Defender for Cloud) enabled in every region. Resources created in unmonitored or lightly-monitored regions may go undetected, enabling adversaries to conduct cryptocurrency mining, command-and-control staging, data exfiltration, and lateral movement without triggering alerts configured for primary regions. A notable variation exploits regional gaps in security service coverage — certain AWS regions may lack GuardDuty enrollment, CloudTrail data events, or Security Hub aggregation by default.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1535 Unused/Unsupported Cloud Regions
Canonical reference
https://attack.mitre.org/techniques/T1535/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime/1000, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS Actor,
  QIDNAME(qid) AS EventAction,
  "AWS Region" AS CloudRegion,
  "Account ID" AS AccountId,
  "User Identity Type" AS ActorType,
  "User Identity ARN" AS ActorARN,
  LOGSOURCENAME(logsourceid) AS LogSource
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%Amazon AWS CloudTrail%'
  AND QIDNAME(qid) IN (
    'RunInstances', 'CreateBucket', 'CreateCluster', 'CreateFunction',
    'CreateDBInstance', 'CreateDBCluster', 'CreateVolume', 'CreateVpc',
    'CreateUser', 'CreateAccessKey', 'CreateRole', 'CreateSecret',
    'CreateKey', 'CreateStackInstances'
  )
  AND ("Error Code" IS NULL OR "Error Code" = '')
  AND "AWS Region" NOT IN (
    'us-east-1', 'us-west-2', 'eu-west-1', 'eu-central-1'
  )
  AND "AWS Region" IS NOT NULL
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LIMIT 1000
medium severity medium confidence

Detects AWS CloudTrail resource creation events originating from regions outside the approved list, querying QRadar's normalized events table via the Amazon AWS CloudTrail DSM. The fields 'AWS Region', 'Account ID', 'User Identity Type', and 'User Identity ARN' are Custom Event Properties (CEPs) created by the CloudTrail DSM parser — verify these property names match your QRadar deployment using the Log Activity viewer. Extend with Azure Activity Log DSM entries using a UNION or separate rule targeting LOGSOURCETYPENAME ILIKE '%Microsoft Azure%' with equivalent operation name filters.

Data Sources

Amazon AWS CloudTrail DSM (QRadar built-in)Microsoft Azure Activity DSM (QRadar built-in)

Required Tables

events

False Positives & Tuning

  • Cloud automation pipelines (Terraform, CloudFormation, Pulumi) provisioning resources during infrastructure-as-code deployments that span regions not yet added to the approved list.
  • Engineering teams running performance or latency benchmarks in alternate regions during pre-production testing phases.
  • Mergers and acquisitions where the acquired entity's cloud footprint spans regions outside the parent organization's monitored set — these will fire until the approved region list is updated.
Download portable Sigma rule (.yml)

Other platforms for T1535

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1AWS EC2 Instance Launch in Unused Region

    Expected signal: AWS CloudTrail EventName=RunInstances in region ap-southeast-1. UserIdentityArn shows the calling principal. RequestParameters will include imageId, instanceType, and maxCount. This event appears in both regional CloudTrail (if enabled in ap-southeast-1) and the global management events endpoint in us-east-1.

  2. Test 2AWS S3 Bucket Creation in Unused Region

    Expected signal: AWS CloudTrail EventName=CreateBucket in region sa-east-1. The requestParameters field includes the bucket name and LocationConstraint. This event is captured in CloudTrail management events regardless of whether regional CloudTrail is enabled in sa-east-1.

  3. Test 3AWS IAM Access Key Creation via Unused Region API Endpoint

    Expected signal: AWS CloudTrail EventName=CreateUser and EventName=CreateAccessKey. UserIdentityArn shows the calling principal. Even though IAM is global, these events should be correlated with the unusual region activity detected in other tests — a pattern of unusual region compute creation followed by IAM key creation is a high-confidence compromise indicator.

  4. Test 4Azure Resource Group Creation in Unused Region

    Expected signal: Azure Activity Log OperationNameValue=Microsoft.Resources/resourceGroups/write with ActivityStatusValue=Succeeded. The Caller field shows the authenticated principal's UPN or service principal ID. CallerIpAddress records the source IP. Properties contains the location field 'japaneast' which the KQL extraction regex will parse.

Last updated: 2026-04-20 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1535 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1496Resource HijackingT1078.004Cloud AccountsT1578Modify Cloud Compute InfrastructureT1578.002Create Cloud InstanceT1537Transfer Data to Cloud AccountT1098.001Additional Cloud CredentialsT1562.008Disable or Modify Cloud LogsT1136.003Cloud AccountT1580Cloud Infrastructure Discovery

Same Tactic: Defense Evasion

Popular Detections