Detect Unused/Unsupported Cloud Regions in Splunk
Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure. Cloud service providers provide infrastructure globally, but organizations typically monitor only a subset of available regions and may not have security tooling (GuardDuty, Security Hub, Defender for Cloud) enabled in every region. Resources created in unmonitored or lightly-monitored regions may go undetected, enabling adversaries to conduct cryptocurrency mining, command-and-control staging, data exfiltration, and lateral movement without triggering alerts configured for primary regions. A notable variation exploits regional gaps in security service coverage — certain AWS regions may lack GuardDuty enrollment, CloudTrail data events, or Security Hub aggregation by default.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1535 Unused/Unsupported Cloud Regions
- Canonical reference
- https://attack.mitre.org/techniques/T1535/
SPL Detection Query
index=* (sourcetype="aws:cloudtrail" OR sourcetype="amazon:cloudtrail")
(eventName="RunInstances" OR eventName="CreateBucket" OR eventName="CreateCluster"
OR eventName="CreateFunction" OR eventName="CreateDBInstance" OR eventName="CreateDBCluster"
OR eventName="CreateVolume" OR eventName="CreateVpc" OR eventName="CreateUser"
OR eventName="CreateAccessKey" OR eventName="CreateRole" OR eventName="CreateSecret"
OR eventName="CreateKey" OR eventName="CreateStackInstances")
NOT errorCode=*
| eval ApprovedRegions="us-east-1,us-west-2,eu-west-1,eu-central-1"
| eval isApprovedRegion=if(match(awsRegion, "^(us-east-1|us-west-2|eu-west-1|eu-central-1)$"), 1, 0)
| where isApprovedRegion=0
| eval ActorType=coalesce('userIdentity.type', "Unknown")
| eval Actor=coalesce('userIdentity.arn', 'userIdentity.userName', "Unknown")
| eval IsRootAccount=if(ActorType="Root", 1, 0)
| eval IsAssumedRole=if(match(ActorType, "AssumedRole"), 1, 0)
| eval IsMachineIdentity=if(match(Actor, "(lambda|ec2|ecs|eks|codebuild|ssm)"), 1, 0)
| eval RiskScore=2
| eval RiskScore=RiskScore + if(IsRootAccount=1, 3, 0)
| eval RiskScore=RiskScore + if(eventName IN ("CreateUser", "CreateAccessKey", "CreateRole"), 3, 0)
| eval RiskScore=RiskScore + if(eventName="RunInstances", 2, 0)
| eval RiskScore=RiskScore + if(IsMachineIdentity=0 AND IsAssumedRole=0, 1, 0)
| table _time, awsRegion, eventName, Actor, ActorType, IsRootAccount, IsAssumedRole, sourceIPAddress, userAgent, recipientAccountId, RiskScore
| sort - RiskScore, - _time

Detects successful AWS CloudTrail resource creation events in regions not matching the organization's approved region list. Evaluates events across compute, storage, networking, database, serverless, and IAM categories. A risk score is calculated based on resource type sensitivity (IAM > compute > storage), identity type (root account usage is highest risk), and whether the caller is a human identity versus a machine role. Update the approved regions regex pattern to match your actual AWS footprint. For Azure cloud resources in Splunk, use sourcetype=mscs:azure:activity or azure:monitor:activity with equivalent logic.
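The same filtering and risk-scoring logic as the SPL above, re-implemented in Python over raw CloudTrail JSON records so it can be unit-tested offline before the search is deployed. This is an added example, not part of the original detection page; the account id, ARNs and records are constructed placeholders.

```python
import re
# Same approved-region list and creation-event set as the SPL query above.
APPROVED_REGIONS = {"us-east-1", "us-west-2", "eu-west-1", "eu-central-1"}
CREATE_EVENTS = {"RunInstances", "CreateBucket", "CreateCluster", "CreateFunction",
                 "CreateDBInstance", "CreateDBCluster", "CreateVolume", "CreateVpc",
                 "CreateUser", "CreateAccessKey", "CreateRole", "CreateSecret",
                 "CreateKey", "CreateStackInstances"}
IAM_EVENTS = {"CreateUser", "CreateAccessKey", "CreateRole"}
MACHINE_RE = re.compile(r"(lambda|ec2|ecs|eks|codebuild|ssm)")

def score_event(rec):
    """Finding for one CloudTrail record, or None when the SPL would drop it."""
    name = rec.get("eventName")
    if name not in CREATE_EVENTS or "errorCode" in rec:  # NOT errorCode=* keeps successes only
        return None
    if rec.get("awsRegion") in APPROVED_REGIONS:
        return None
    ident = rec.get("userIdentity", {})
    actor_type = ident.get("type", "Unknown")
    actor = ident.get("arn") or ident.get("userName") or "Unknown"
    is_root = actor_type == "Root"
    is_assumed = "AssumedRole" in actor_type
    is_machine = MACHINE_RE.search(actor) is not None
    # RiskScore = 2 + root (3) + IAM event (3) + RunInstances (2) + human non-role caller (1)
    score = 2 + (3 if is_root else 0) + (3 if name in IAM_EVENTS else 0)
    score += 2 if name == "RunInstances" else 0
    score += 1 if not is_machine and not is_assumed else 0
    return {"region": rec.get("awsRegion", ""), "event": name, "actor": actor,
            "actor_type": actor_type, "risk": score}

def scan(records):
    """Score every record and return findings highest risk first (the SPL's sort - RiskScore)."""
    return sorted(filter(None, map(score_event, records)), key=lambda f: f["risk"], reverse=True)

# Constructed sample records; the account id and ARNs are placeholders, not real identifiers.
ACCT = "111122223333"
SAMPLE = [
    {"eventName": "RunInstances", "awsRegion": "ap-southeast-1",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/alice"}},
    {"eventName": "CreateAccessKey", "awsRegion": "sa-east-1",
     "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{ACCT}:root"}},
    {"eventName": "CreateBucket", "awsRegion": "us-east-1",  # approved region: dropped
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/bob"}},
    {"eventName": "CreateVpc", "awsRegion": "eu-north-1", "errorCode": "AccessDenied",  # failed: dropped
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/carol"}},
    {"eventName": "CreateVolume", "awsRegion": "ap-south-1",  # machine role: lowest score
     "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCT}:assumed-role/lambda-replicator/job"}},
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f['risk']:>2}  {f['region']:<15} {f['event']:<16} {f['actor']}")
```

Feeding real CloudTrail records (one JSON object per event) through `scan` lets you confirm the expected ordering and the two drop conditions before tuning the regex in the live search.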
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate cloud expansion projects deploying to new regions for disaster recovery, latency optimization, or data residency compliance requirements where the approved region regex has not been updated
- Development and QA teams spinning up temporary infrastructure in non-production regions for performance benchmarking or compliance testing
- Infrastructure-as-code automation pipelines deploying resources to new regions during an approved rollout without corresponding detection rule updates
- Third-party managed service providers or SaaS vendors creating resources in their operationally preferred regions on behalf of the organization
- Machine identities (Lambda execution roles, EC2 instance profiles) making cross-region API calls for legitimate data replication or failover workflows
Other platforms for T1535
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: AWS EC2 Instance Launch in Unused Region
Expected signal: AWS CloudTrail EventName=RunInstances in region ap-southeast-1. UserIdentityArn shows the calling principal. RequestParameters will include imageId, instanceType, and maxCount. This event appears in both regional CloudTrail (if enabled in ap-southeast-1) and the global management events endpoint in us-east-1.
- Test 2: AWS S3 Bucket Creation in Unused Region
Expected signal: AWS CloudTrail EventName=CreateBucket in region sa-east-1. The requestParameters field includes the bucket name and LocationConstraint. This event is captured in CloudTrail management events regardless of whether regional CloudTrail is enabled in sa-east-1.
- Test 3: AWS IAM Access Key Creation via Unused Region API Endpoint
Expected signal: AWS CloudTrail EventName=CreateUser and EventName=CreateAccessKey. UserIdentityArn shows the calling principal. Even though IAM is global, these events should be correlated with the unusual region activity detected in other tests: a pattern of unusual region compute creation followed by IAM key creation is a high-confidence compromise indicator.
- Test 4: Azure Resource Group Creation in Unused Region
Expected signal: Azure Activity Log OperationNameValue=Microsoft.Resources/resourceGroups/write with ActivityStatusValue=Succeeded. The Caller field shows the authenticated principal's UPN or service principal ID. CallerIpAddress records the source IP. Properties contains the location field 'japaneast' which the KQL extraction regex will parse.
References (8)
- https://attack.mitre.org/techniques/T1535/
- https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html
- https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log
- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html
- https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1535/T1535.md
- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/