T1648 Serverless Execution Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let lookback = 1d;
// AWS Lambda abuse via CloudTrail
let LambdaAbuse = AWSCloudTrail
| where TimeGenerated > ago(lookback)
| where EventSource == "lambda.amazonaws.com"
| where EventName in~ (
    "CreateFunction20150331",
    "UpdateFunctionCode20150331v2",
    "AddPermission20150331v2",
    "CreateEventSourceMapping",
    "UpdateFunctionConfiguration20150331v2"
)
| extend Actor = coalesce(UserIdentityArn, UserIdentityUserName)
| extend SourceIP = SourceIpAddress
| extend FunctionName = tostring(RequestParameters.functionName)
| extend FunctionRole = tostring(RequestParameters.role)
| extend Runtime = tostring(RequestParameters.runtime)
| extend RiskScore = case(
    EventName == "AddPermission20150331v2", 80,
    EventName == "CreateEventSourceMapping", 75,
    EventName == "UpdateFunctionCode20150331v2", 70,
    FunctionRole has_any ("Admin", "PowerUser", "FullAccess"), 90,
    65
)
| project TimeGenerated, Platform="AWS Lambda", Actor, SourceIP,
    Action=EventName, ResourceName=FunctionName,
    ExtraDetail=strcat("Role: ", FunctionRole, " | Runtime: ", Runtime),
    RiskScore, TenantOrAccount=RecipientAccountId, Region=AWSRegion;
// Azure Functions creation/modification
let AzureFuncAbuse = AzureActivity
| where TimeGenerated > ago(lookback)
| where OperationNameValue has_any (
    "microsoft.web/sites/write",
    "microsoft.web/sites/functions/write",
    "microsoft.web/sites/config/write"
)
| where ActivityStatusValue == "Success"
| where ResourceProvider == "MICROSOFT.WEB"
| extend Actor = Caller
| extend SourceIP = CallerIpAddress
| extend RiskScore = 70
| project TimeGenerated, Platform="Azure Functions", Actor, SourceIP,
    Action=OperationNameValue, ResourceName=ResourceId,
    ExtraDetail=tostring(Properties), RiskScore,
    TenantOrAccount=SubscriptionId, Region=ResourceGroup;
// Power Automate suspicious flow activity (M365 / CloudAppEvents)
let PowerAutomate = CloudAppEvents
| where TimeGenerated > ago(lookback)
| where Application == "Microsoft Power Automate"
| where ActionType in ("CreateFlow", "UpdateFlow", "EnableFlow", "ShareFlow")
| extend Actor = AccountUpn
| extend SourceIP = IPAddress
| extend FlowName = tostring(RawEventData.flowName)
| extend TriggerType = tostring(RawEventData.triggerType)
| extend RiskScore = case(
    ActionType == "ShareFlow", 75,
    ActionType == "EnableFlow", 70,
    ActionType == "CreateFlow", 65,
    60
)
| project TimeGenerated, Platform="Power Automate", Actor, SourceIP,
    Action=ActionType, ResourceName=FlowName,
    ExtraDetail=strcat("Trigger: ", TriggerType),
    RiskScore, TenantOrAccount=tostring(AccountObjectId), Region="M365";
// Union all platforms and surface highest risk events
union LambdaAbuse, AzureFuncAbuse, PowerAutomate
| order by RiskScore desc, TimeGenerated desc
| project TimeGenerated, Platform, Actor, SourceIP, Action, ResourceName, ExtraDetail, RiskScore, TenantOrAccount, Region

high severity medium confidence

Data Sources

AWS CloudTrail (Sentinel Connector) Azure Activity Logs Microsoft Defender for Cloud Apps / CloudAppEvents

Required Tables

AWSCloudTrail AzureActivity CloudAppEvents

False Positives

Legitimate DevOps CI/CD pipelines (GitHub Actions, Jenkins, AWS CodePipeline) using service accounts to regularly deploy Lambda or Azure Function updates as part of normal SDLC workflows
Infrastructure-as-code tooling (Terraform, AWS CDK, Pulumi, Bicep) creating or updating serverless resources during planned deployments — these typically originate from known CI/CD source IPs with consistent timing patterns
IT or business teams creating Power Automate flows for approved process automation such as SharePoint approval workflows, Teams notifications, or internal HR onboarding processes

Splunk

spl

(index=* sourcetype="aws:cloudtrail"
    eventSource="lambda.amazonaws.com"
    eventName IN ("CreateFunction20150331", "UpdateFunctionCode20150331v2",
                  "AddPermission20150331v2", "CreateEventSourceMapping",
                  "UpdateFunctionConfiguration20150331v2"))
OR (index=* sourcetype="azure:activity"
    (operationName="Create or Update Web App"
     OR operationName="Create or Update Site Functions")
    status="Succeeded")
OR (index=* sourcetype="o365:management:activity"
    Workload="MicrosoftFlow"
    Operation IN ("CreateFlow", "UpdateFlow", "EnableFlow", "ShareFlow"))
| eval platform=case(
    sourcetype=="aws:cloudtrail", "AWS Lambda",
    sourcetype=="azure:activity", "Azure Functions",
    sourcetype=="o365:management:activity", "Power Automate",
    1=1, "Unknown"
)
| eval actor=coalesce('userIdentity.arn', 'userIdentity.userName', caller, UserId, "unknown")
| eval source_ip=coalesce(sourceIPAddress, callerIpAddress, ClientIP, "unknown")
| eval function_name=coalesce('requestParameters.functionName', resourceId, flowName, "unknown")
| eval function_role=coalesce('requestParameters.role', "N/A")
| eval action=coalesce(eventName, operationName, Operation, "unknown")
| eval risk_score=case(
    action=="AddPermission20150331v2", 80,
    action=="CreateEventSourceMapping", 75,
    action=="UpdateFunctionCode20150331v2", 70,
    match(function_role, "(?i)(admin|poweruser|fullaccess|administrator)"), 90,
    action=="ShareFlow", 75,
    action IN ("CreateFunction20150331", "CreateFlow"), 65,
    1=1, 50
)
| table _time, platform, actor, source_ip, action, function_name, function_role, risk_score, awsRegion, recipientAccountId
| sort -risk_score, -_time

high severity medium confidence

Data Sources

AWS CloudTrail Azure Activity Logs Office 365 Management Activity

Required Sourcetypes

aws:cloudtrail azure:activity o365:management:activity

False Positives

Automated CI/CD service accounts (AWS CodeBuild roles, Azure DevOps service principals) that regularly perform Lambda UpdateFunctionCode or Azure Function deployments as part of normal release pipelines
AWS SAM CLI or Serverless Framework deployments that create multiple Lambda functions, IAM roles, and event source mappings simultaneously during a single stack deployment
Power Automate flows created by IT-approved service accounts in the Default environment for standard enterprise automation tasks such as Teams channel notifications or SharePoint document routing

Elastic Security (EQL)

eql

any where event.dataset == "aws.cloudtrail" and (
  event.action in (
    "CreateFunction20150331", "UpdateFunctionCode20150331v2",
    "LeaveOrganization", "CreateAccount", "SendCommand"
  ) and event.outcome == "success"
) and not aws.cloudtrail.user_identity.type == "AWSService"

high severity medium confidence

Data Sources

AWS CloudTrail Elastic AWS Integration

Required Tables

logs-aws.cloudtrail-*

False Positives

Legitimate DevOps CI/CD pipelines (GitHub Actions, Jenkins, AWS CodePipeline) using service accounts to regularly deploy Lambda or Azure Function updates as part of normal SDLC workflows
Infrastructure-as-code tooling (Terraform, AWS CDK, Pulumi, Bicep) creating or updating serverless resources during planned deployments — these typically originate from known CI/CD source IPs with consistent timing patterns
IT or business teams creating Power Automate flows for approved process automation such as SharePoint approval workflows, Teams notifications, or internal HR onboarding processes

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS ActorIdentity,
    sourceip AS SourceIP,
    "EventName" AS AWSEventName,
    "AWSRegion" AS Region,
    CASE
        WHEN "EventName" = 'LeaveOrganization' THEN 100
        WHEN "EventName" = 'DeleteOrganization' THEN 100
        WHEN "EventName" = 'CreateAccount' THEN 70
        WHEN "EventName" ILIKE '%delete%' THEN 80
        ELSE 60
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Amazon Web Services CloudTrail')
    AND "EventName" IN ('LeaveOrganization','CreateAccount','SendCommand','MoveAccount',
                        'CreateFunction20150331','UpdateFunctionCode20150331v2')
    AND RiskScore >= 60
ORDER BY EventTime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Events Endpoint Agent

Required Tables

events

False Positives

Legitimate DevOps CI/CD pipelines (GitHub Actions, Jenkins, AWS CodePipeline) using service accounts to regularly deploy Lambda or Azure Function updates as part of normal SDLC workflows
Infrastructure-as-code tooling (Terraform, AWS CDK, Pulumi, Bicep) creating or updating serverless resources during planned deployments — these typically originate from known CI/CD source IPs with consistent timing patterns
IT or business teams creating Power Automate flows for approved process automation such as SharePoint approval workflows, Teams notifications, or internal HR onboarding processes

Sumo Logic CSE

sql

_sourceCategory=aws/cloudtrail
| json auto
| where event_name in ("LeaveOrganization","CreateAccount","SendCommand","MoveAccount",
    "CreateFunction20150331","UpdateFunctionCode20150331v2","AddPermission20150331v2")
| where !(error_code matches /.+/)
| if(event_name = "LeaveOrganization", 100,
    if(event_name matches /(Delete|Remove)/i, 85,
    if(event_name = "CreateAccount", 70, 60))) as risk_score
| if(user_identity_type = "AssumedRole", "true", "false") as assumed_role
| where risk_score >= 60
| count by user_identity_arn, event_name, aws_region, source_ip_address, risk_score
| sort - risk_score

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Windows Event Logs Endpoint Telemetry

Required Tables

_sourceCategory=aws/cloudtrail

False Positives

Legitimate DevOps CI/CD pipelines (GitHub Actions, Jenkins, AWS CodePipeline) using service accounts to regularly deploy Lambda or Azure Function updates as part of normal SDLC workflows
Infrastructure-as-code tooling (Terraform, AWS CDK, Pulumi, Bicep) creating or updating serverless resources during planned deployments — these typically originate from known CI/CD source IPs with consistent timing patterns
IT or business teams creating Power Automate flows for approved process automation such as SharePoint approval workflows, Teams notifications, or internal HR onboarding processes

Google Chronicle / SecOps

yaral

rule detection_t1648 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects Serverless Execution AWS activity - T1648"
    severity = "HIGH"
    mitre_attack = "T1648"
    reference = "https://attack.mitre.org/techniques/T1648/"

  events:
    $e.metadata.event_type = "RESOURCE_CREATION"
    $e.principal.user.userid = $actor
    $e.principal.ip = $source_ip
    $e.target.resource.name = $resource
    (
      $e.metadata.product_event_type in
        ("LeaveOrganization", "CreateAccount", "SendCommand",
         "CreateFunction20150331", "UpdateFunctionCode20150331v2") and
      $e.metadata.vendor_name = "AMAZON"
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

AWS CloudTrail

Required Tables

RESOURCE_CREATION

False Positives

Legitimate DevOps CI/CD pipelines (GitHub Actions, Jenkins, AWS CodePipeline) using service accounts to regularly deploy Lambda or Azure Function updates as part of normal SDLC workflows
Infrastructure-as-code tooling (Terraform, AWS CDK, Pulumi, Bicep) creating or updating serverless resources during planned deployments — these typically originate from known CI/CD source IPs with consistent timing patterns
IT or business teams creating Power Automate flows for approved process automation such as SharePoint approval workflows, Teams notifications, or internal HR onboarding processes

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "CloudAuditEvent"
| EventName in ["LeaveOrganization", "CreateAccount", "SendCommand",
    "CreateFunction20150331", "UpdateFunctionCode20150331v2",
    "AddPermission20150331v2", "CreateEventSourceMapping"]
| !ErrorCode = *
| case {
    EventName = "LeaveOrganization" | RiskScore := "Critical" ;
    EventName in ["CreateAccount", "UpdateFunctionCode20150331v2"] | RiskScore := "High" ;
    * | RiskScore := "Medium"
}
| table([UserARN, EventName, EventSource, SourceIPAddress, AWSRegion, RiskScore, @timestamp])
| sort(@timestamp, order=desc, limit=100)

high severity medium confidence

Data Sources

CrowdStrike Falcon Cloud Security

Required Tables

CloudAuditEvent

False Positives

Legitimate DevOps CI/CD pipelines (GitHub Actions, Jenkins, AWS CodePipeline) using service accounts to regularly deploy Lambda or Azure Function updates as part of normal SDLC workflows
Infrastructure-as-code tooling (Terraform, AWS CDK, Pulumi, Bicep) creating or updating serverless resources during planned deployments — these typically originate from known CI/CD source IPs with consistent timing patterns
IT or business teams creating Power Automate flows for approved process automation such as SharePoint approval workflows, Teams notifications, or internal HR onboarding processes

Serverless Execution

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Execution

Popular Detections