
Quick Start Security for Amazon ECS


Amazon ECS

Coralogix Extension For Amazon ECS Includes:

Alerts - 9

Stay on top of Amazon ECS key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Cluster is deleted

This rule detects the deletion of the specified cluster.

Impact: An unauthorized change or deletion of a cluster could indicate malicious activity.

Mitigation: Inspect the user who deleted the cluster and verify whether this was an authorized action. If not, investigate further and revert the changes.

MITRE Tactic: TA0005
MITRE Technique: T1578

Command executed inside a container

This rule detects execution of a command inside an ECS container.

Impact: A command executed by an anonymous user could indicate malicious activity.

Mitigation: Review the command that was executed and determine how an anonymous user was able to execute a command. Revert all the changes, investigate further, and perform a root cause analysis.

MITRE Tactic: TA0001
MITRE Technique: T1078

Task is stopped

This rule detects when a task is stopped in ECS.

Impact: An unauthorized stop action on a task could indicate malicious activity.

Mitigation: Review the task that was stopped and determine whether the action was approved. If the user making the change wasn't authorized, revert the changes and investigate why the task was stopped.

MITRE Tactic: TA0003
MITRE Technique: T1053

Service is deleted

This rule detects when a service is deleted in ECS.

Impact: An unauthorized change or deletion of a service could indicate malicious activity.

Mitigation: Review the deleted service and determine whether the action was approved. If the user making the change wasn't authorized, revert the changes and investigate why the service was deleted.

MITRE Tactic: TA0005
MITRE Technique: T1578

Task is run or started

This rule detects when a new task is started in ECS.

Impact: An unauthorized run or start action on a task could indicate malicious activity.

Mitigation: Review the task that was started or run and determine whether the action was approved. If the user making the change wasn't authorized, revert the changes and investigate why the task was started or run.

MITRE Tactic: TA0003
MITRE Technique: T1053

Service is created

This rule detects when a new service is created in ECS.

Impact: An unauthorized creation of a service could indicate malicious activity.

Mitigation: Inspect the user who created the service and verify whether this was an authorized action. If not, investigate further and revert the changes.

MITRE Tactic: TA0005
MITRE Technique: T1578

RegisterTaskDefinition with Resource-Intensive Parameters

This alert triggers when an AWS API call for RegisterTaskDefinition on ECS is logged with container definition values for CPU and memory that exceed a threshold considered safe.

Impact: An attacker may register a task definition with resource-intensive parameters (many CPUs, large memory allocation), leading to resource exhaustion.

Mitigation: Review the alert details, determine the identity of the user who performed this action, and confirm their intent. Check whether the same user performed any additional activities on other AWS services at the same time.

MITRE Tactic: TA0040
MITRE Technique: T1496

RunTask with High TaskCount

This alert triggers when an AWS API call for RunTask on ECS is logged with a high TaskCount value.

Impact: An attacker may attempt to exhaust resources by running an unusually high number of tasks within an ECS cluster.

Mitigation: Review the alert details, determine the identity of the user who performed this action, and confirm their intent. Check whether the same user performed any additional activities on other AWS services at the same time.

MITRE Tactic: TA0040
MITRE Technique: T1496

UpdateService with High DesiredCount

This alert triggers when an AWS API call for UpdateService on ECS is logged with a high DesiredCount value.

Impact: An attacker may try to exhaust ECS cluster resources by increasing the desired count of a service to an unusually high value.

Mitigation: Review the alert details, determine the identity of the user who performed this action, and confirm their intent. Check whether the same user performed any additional activities on other AWS services at the same time.

MITRE Tactic: TA0040
MITRE Technique: T1496
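The three resource-exhaustion alerts above (RegisterTaskDefinition, RunTask, UpdateService) can be sketched as one check over CloudTrail records. This is an added example, not Coralogix's own rule logic; the thresholds, the sample events, and the assumption that the ECS request fields `count`, `desiredCount` and `containerDefinitions[].cpu`/`memory` appear under `requestParameters` are assumptions of the example.

```python
# Added example: thresholds and sample events are constructed for illustration.
MAX_CPU_UNITS = 4096       # assumed ceiling per container (1024 units = 1 vCPU)
MAX_MEMORY_MIB = 16384     # assumed ceiling per container, in MiB
MAX_TASK_COUNT = 5         # assumed threshold for RunTask "count"
MAX_DESIRED_COUNT = 50     # assumed threshold for UpdateService "desiredCount"

def _num(value):
    """Request values may arrive as int or string; unparsable values count as 0."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0

def evaluate(event):
    """Return (alert name, caller ARN) pairs raised by one CloudTrail record."""
    if event.get("eventSource") != "ecs.amazonaws.com":
        return []
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    actor = (event.get("userIdentity") or {}).get("arn", "unknown")
    hits = []
    if name == "RegisterTaskDefinition":
        heavy = any(_num(c.get("cpu")) > MAX_CPU_UNITS or _num(c.get("memory")) > MAX_MEMORY_MIB
                    for c in params.get("containerDefinitions") or [])
        if heavy:
            hits.append(("RegisterTaskDefinition with Resource-Intensive Parameters", actor))
    elif name == "RunTask" and _num(params.get("count")) > MAX_TASK_COUNT:
        hits.append(("RunTask with High TaskCount", actor))
    elif name == "UpdateService" and _num(params.get("desiredCount")) > MAX_DESIRED_COUNT:
        hits.append(("UpdateService with High DesiredCount", actor))
    return hits

# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"eventSource": "ecs.amazonaws.com", "eventName": "RunTask",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-a"},
     "requestParameters": {"cluster": "example", "count": 9}},
    {"eventSource": "ecs.amazonaws.com", "eventName": "UpdateService",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-b"},
     "requestParameters": {"service": "web", "desiredCount": 3}},
    {"eventSource": "ecs.amazonaws.com", "eventName": "RegisterTaskDefinition",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-a"},
     "requestParameters": {"family": "example",
                           "containerDefinitions": [{"name": "c", "cpu": 16384, "memory": "65536"}]}},
]

def scan(events):
    """Flatten the alerts from a batch so one caller's activity can be compared."""
    return [hit for e in events for hit in evaluate(e)]
```

Returning the caller ARN with each alert supports the mitigation step of checking whether the same user performed other activity at the same time.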

Integration

Learn more about Coralogix's out-of-the-box integration with Amazon ECS in our documentation.
