AWS Lambda Function Invoked by an Unusual Principal

Identifies the first time within the prior 14 days that a principal directly invokes an AWS Lambda function in an account, excluding invocations made on behalf of AWS services (normal event-source triggers). Adversaries who compromise credentials or move laterally may directly invoke functions to execute code, retrieve data returned by a function, or abuse an over-permissioned execution role. Direct, ad hoc invocation by a principal that does not normally call Lambda deviates from the usual event-driven invocation pattern and is worth reviewing. This rule relies on AWS Lambda data event logging, which is not enabled by default.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/06/18"
integration = ["aws"]
maturity = "production"
updated_date = "2026/06/18"

[rule]
author = ["Elastic"]
description = """
Identifies the first time within the prior 14 days that a principal directly invokes an AWS Lambda function in an
account, excluding invocations made on behalf of AWS services (normal event-source triggers). Adversaries who compromise
credentials or move laterally may directly invoke functions to execute code, retrieve data returned by a function, or
abuse an over-permissioned execution role. Direct, ad hoc invocation by a principal that does not normally call Lambda
deviates from the usual event-driven invocation pattern and is worth reviewing. This rule relies on AWS Lambda data
event logging, which is not enabled by default.
"""
false_positives = [
    """
    Developers, operators, and CI/CD or automation identities legitimately invoke functions directly for testing,
    operations, and deployments. New automation roles or first-time operators will generate this alert. Verify the
    principal in `aws.cloudtrail.user_identity.arn`, the function, and the source before treating it as malicious, and
    exclude known operational identities after validation.
    """,
]
from = "now-6m"
index = ["logs-aws.cloudtrail-*"]
interval = "5m"
language = "kuery"
license = "Elastic License v2"
name = "AWS Lambda Function Invoked by an Unusual Principal"
note = """## Triage and analysis

### Investigating AWS Lambda Function Invoked by an Unusual Principal

Most Lambda invocations are driven by event sources (S3, EventBridge, SQS, API Gateway, etc.), which CloudTrail records with `aws.cloudtrail.user_identity.invoked_by` set to the calling service. A principal invoking a function **directly** (via the SDK, CLI, or console) is comparatively rare and, when it comes from an identity that does not normally do so, can indicate lateral movement, credential abuse, or data retrieval from a function. This rule uses a new terms approach to surface the first time a given principal directly invokes a function in an account within the prior 14 days.

### Possible investigation steps

- Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and `aws.cloudtrail.user_identity.access_key_id` to identify the actor, and `source.ip` / `user_agent.original` to determine how the call was made.
- Inspect `aws.cloudtrail.request_parameters` for the `functionName` and map it to its application, owner, and sensitivity.
- Determine whether the principal is expected to invoke functions directly and whether the activity aligns with an approved operation, test, or deployment.
- Correlate with recent activity by the same principal or access key, such as credential issuance, role assumption, or other data-plane access, and check whether the credential was recently seen from an unusual source.

### False positive analysis

- Direct invocation is a normal operational and testing activity. Confirm whether the principal is a known operator or automation identity and exclude it on `aws.cloudtrail.user_identity.arn` after validation.

### Response and remediation

- If the invocation is unauthorized, review what the function returns and accesses, and assess data exposure.
- Rotate or restrict credentials for the principal if compromise is suspected, and constrain `lambda:InvokeFunction` to the identities and services that require it.

### Additional information

- [Invoke API](https://docs.aws.amazon.com/lambda/latest/api/API_Invoke.html)
- [Logging Lambda data events with CloudTrail](https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html)
"""
references = [
    "https://docs.aws.amazon.com/lambda/latest/api/API_Invoke.html",
    "https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html",
]
risk_score = 47
rule_id = "07cd35a6-c267-4394-a782-6a9428aea9d3"
setup = """## Setup

This rule requires AWS Lambda data events to be logged in CloudTrail and ingested via the AWS integration
(`aws.cloudtrail` data stream). Lambda invocation (`Invoke`) is a data-plane event and is NOT logged by default; enable
data event logging for Lambda functions in the trail (optionally scoped to sensitive functions to manage volume).
"""
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS Lambda",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
data_stream.dataset: "aws.cloudtrail"
    and event.provider: "lambda.amazonaws.com"
    and event.action: Invoke*
    and event.outcome: "success"
    and not aws.cloudtrail.user_identity.invoked_by: *
    and aws.cloudtrail.user_identity.arn: *
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1648"
name = "Serverless Execution"
reference = "https://attack.mitre.org/techniques/T1648/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "source.as.organization.name",
    "source.geo.country_name",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "aws.cloudtrail.user_identity.session_context.session_issuer.arn",
    "aws.cloudtrail.request_parameters",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
]

[rule.new_terms]
field = "new_terms_fields"
value = ["cloud.account.id", "user.name"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
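
The following is an added example, not code from the Elastic rule or its engine: it re-implements the rule's KQL filter and its new-terms logic over a handful of constructed, trimmed CloudTrail records so the exclusions can be seen working. It applies the filter to raw CloudTrail field names (eventSource, eventName, userIdentity.invokedBy, userIdentity.arn) rather than the ECS fields the integration maps them to, treats an event as `event.outcome: "success"` when it carries no errorCode, and approximates ECS `user.name` as the IAM user name or, for an assumed role, the session name; all three are assumptions. The 6-minute alert window and 7-day history window are the rule's own `from` and `history_window_start` values, the latter passed as a parameter so the effect of a longer window can be compared.

```python
from datetime import datetime, timedelta, timezone

ALERT_WINDOW_MINUTES = 6   # rule: from = "now-6m"
DEFAULT_HISTORY_DAYS = 7   # rule: history_window_start = "now-7d"


def parse_time(value):
    """CloudTrail eventTime is ISO 8601 UTC, e.g. 2026-06-18T11:58:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def principal_name(identity):
    """Assumption: approximates ECS user.name as the IAM user name, else the last ARN
    segment (an assumed role's session name). Automation that varies its session
    name per run would therefore look new on every run."""
    if identity.get("userName"):
        return identity["userName"]
    arn = identity.get("arn", "")
    return arn.rsplit("/", 1)[-1] if arn else None


def matches_rule(record):
    """The rule's KQL filter applied to one raw CloudTrail record."""
    identity = record.get("userIdentity", {})
    return (
        record.get("eventSource") == "lambda.amazonaws.com"   # event.provider
        and record.get("eventName", "").startswith("Invoke")  # event.action: Invoke*
        and "errorCode" not in record                          # event.outcome: "success" (assumption)
        and not identity.get("invokedBy")                      # not user_identity.invoked_by: *
        and bool(identity.get("arn"))                          # user_identity.arn: *
    )


def term_key(record):
    """new_terms_fields = ["cloud.account.id", "user.name"]."""
    return (record["recipientAccountId"], principal_name(record["userIdentity"]))


def find_new_principals(records, now, history_days=DEFAULT_HISTORY_DAYS):
    """One alert per matching event inside the alert window whose (account, principal)
    pair has no matching event in the preceding history window. Older matching
    events serve only as history."""
    history, alert_window = timedelta(days=history_days), timedelta(minutes=ALERT_WINDOW_MINUTES)
    matching = sorted((r for r in records if matches_rule(r)),
                      key=lambda r: parse_time(r["eventTime"]))
    alerts = []
    for i, rec in enumerate(matching):
        t = parse_time(rec["eventTime"])
        if not (now - alert_window <= t <= now):
            continue
        key = term_key(rec)
        seen_before = any(term_key(h) == key and t - history <= parse_time(h["eventTime"]) < t
                          for h in matching[:i])
        if not seen_before:
            alerts.append({"principal": rec["userIdentity"]["arn"],
                           "function": rec["requestParameters"]["functionName"],
                           "account": rec["recipientAccountId"],
                           "access_key": rec["userIdentity"].get("accessKeyId"),
                           "source_ip": rec.get("sourceIPAddress"),
                           "user_agent": rec.get("userAgent")})
    return alerts


def _rec(time, identity, function_name, **extra):
    """Build a constructed, trimmed CloudTrail record for the samples below."""
    base = {"eventTime": time, "eventSource": "lambda.amazonaws.com", "eventName": "Invoke",
            "recipientAccountId": "111111111111", "sourceIPAddress": "203.0.113.7",
            "userAgent": "aws-cli/2.15.0", "userIdentity": identity,
            "requestParameters": {"functionName": function_name}}
    base.update(extra)
    return base


ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice",
         "userName": "alice", "accessKeyId": "AKIAEXAMPLE0000ALICE"}
DEPLOY_BOT = {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000DEPLOY",
              "arn": "arn:aws:sts::111111111111:assumed-role/deploy-bot/github-actions"}
NOW = parse_time("2026-06-18T12:00:00Z")

SAMPLE_RECORDS = [  # constructed sample data, not real CloudTrail output
    # alice 13 days ago: outside the 7-day history window, so not counted as history
    _rec("2026-06-05T10:00:00Z", ALICE, "export-customer-data"),
    # S3 event-source trigger: invokedBy is set, excluded by the filter
    _rec("2026-06-10T09:00:00Z", {"type": "AWSService", "invokedBy": "s3.amazonaws.com"}, "img-resize"),
    # deploy-bot inside the history window and again in the alert window: not new
    _rec("2026-06-17T08:00:00Z", DEPLOY_BOT, "img-resize"),
    _rec("2026-06-18T11:57:00Z", DEPLOY_BOT, "img-resize"),
    # alice again: first direct invocation within 7 days, alerts
    _rec("2026-06-18T11:58:00Z", ALICE, "export-customer-data"),
    # denied call: outcome is failure, excluded
    _rec("2026-06-18T11:59:00Z", {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/bob",
                                  "userName": "bob"}, "export-customer-data", errorCode="AccessDeniedException"),
    # role invoked by EventBridge: has an ARN but also invokedBy, excluded
    _rec("2026-06-18T11:59:30Z", {"type": "AssumedRole", "invokedBy": "events.amazonaws.com",
                                  "arn": "arn:aws:sts::111111111111:assumed-role/app-role/events"}, "nightly-report"),
]

if __name__ == "__main__":
    for alert in find_new_principals(SAMPLE_RECORDS, NOW):
        print(alert)
```

With the rule's 7-day window the sample set yields a single alert for alice; with `history_days=14` her invocation 13 days earlier counts as history and nothing fires, which is the trade-off the history window sets between catching returning identities and re-alerting on them.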

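The Setup section notes that `Invoke` is only recorded once Lambda data event logging is enabled on the trail, optionally scoped to selected functions. The check below is an added example, not AWS or Elastic code: it models the matching semantics of CloudTrail advanced event selectors locally (selectors ORed together, field selectors within one ANDed, positive operators needing one listed value to match and `Not*` operators needing none) and reports which functions a given selector set would leave unlogged, and therefore invisible to the rule. The two selector configurations, the account id and the function ARNs are constructed; the selector JSON shape is the one `aws cloudtrail put-event-selectors --advanced-event-selectors` accepts. It does not call AWS.

```python
# Constructed selector sets in the advanced-event-selector shape CloudTrail accepts.
LOG_ALL_LAMBDA = [
    {"Name": "All Lambda data events",
     "FieldSelectors": [
         {"Field": "eventCategory", "Equals": ["Data"]},
         {"Field": "resources.type", "Equals": ["AWS::Lambda::Function"]},
     ]},
]

LOG_SENSITIVE_ONLY = [
    {"Name": "Data events for export-* functions only",
     "FieldSelectors": [
         {"Field": "eventCategory", "Equals": ["Data"]},
         {"Field": "resources.type", "Equals": ["AWS::Lambda::Function"]},
         {"Field": "resources.ARN",
          "StartsWith": ["arn:aws:lambda:us-east-1:111111111111:function:export-"]},
     ]},
]

_OPS = {"Equals": lambda value, x: value == x,
        "StartsWith": lambda value, x: value.startswith(x),
        "EndsWith": lambda value, x: value.endswith(x)}


def field_selector_matches(selector, value):
    """A field selector passes when every operator it carries is satisfied: a positive
    operator needs at least one listed value to match, its Not* form needs none to."""
    for op, test in _OPS.items():
        if op in selector and not any(test(value, x) for x in selector[op]):
            return False
        if "Not" + op in selector and any(test(value, x) for x in selector["Not" + op]):
            return False
    return True


def invoke_event_fields(function_arn):
    """Selector-visible fields of a Lambda Invoke data event on one function."""
    return {"eventCategory": "Data", "eventSource": "lambda.amazonaws.com",
            "eventName": "Invoke", "resources.type": "AWS::Lambda::Function",
            "resources.ARN": function_arn}


def is_logged(advanced_selectors, fields):
    """Advanced selectors are ORed; the field selectors inside one are ANDed."""
    return any(all(field_selector_matches(fs, fields.get(fs["Field"], ""))
                   for fs in sel["FieldSelectors"])
               for sel in advanced_selectors)


def uncovered_functions(advanced_selectors, function_arns):
    """Functions whose Invoke calls the trail would not record, so the rule above
    could never alert on them."""
    return [arn for arn in function_arns
            if not is_logged(advanced_selectors, invoke_event_fields(arn))]


FUNCTIONS = [  # constructed ARNs
    "arn:aws:lambda:us-east-1:111111111111:function:export-customer-data",
    "arn:aws:lambda:us-east-1:111111111111:function:img-resize",
]

if __name__ == "__main__":
    print("uncovered with LOG_ALL_LAMBDA:", uncovered_functions(LOG_ALL_LAMBDA, FUNCTIONS))
    print("uncovered with LOG_SENSITIVE_ONLY:", uncovered_functions(LOG_SENSITIVE_ONLY, FUNCTIONS))
```

Run against the selectors actually configured on a trail (the `AdvancedEventSelectors` list returned by `aws cloudtrail get-event-selectors`), the same function gives an inventory of functions for which the rule is blind, which is the practical meaning of "optionally scoped to sensitive functions to manage volume".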