Query Details
// This query detects creation of GPU-enabled AWS instances
// Often used for crypto mining operations
AWSCloudTrail
| where TimeGenerated >= ago(24h)
| where EventName == "RunInstances"
| extend InstanceType = tostring(parse_json(RequestParameters).instanceType)
// Match on the family prefix (the text before the first "."), so size and
// sub-family variants such as p4d, p3dn, g3s, g5g, g4dn, g4ad and trn1n are covered
| where InstanceType matches regex @"^(p[2-5]|dl1|trn1|inf[12]|g[3-5])[a-z]*\."

This query identifies the creation of GPU-enabled AWS instances, which are frequently abused for cryptocurrency mining. A breakdown of what it does:
Data Source: It uses the AWSCloudTrail table, which holds AWS account activity logged by CloudTrail.
Time Frame: It looks at events whose TimeGenerated falls within the last 24 hours (TimeGenerated >= ago(24h); the comparison <= ago(24h) would instead return everything older than 24 hours, which is the opposite of what a hunt for recent launches wants).
Event Filtering: It keeps only instance launches, the events whose name is exactly "RunInstances".
Instance Type Filtering: It reads requestParameters.instanceType from the API request and matches it on the family prefix: the p2, p3, p4 and p5 GPU families, dl1, trn1, inf1 and inf2 accelerator families, and the g3, g4dn, g4ad, g5 and g5g graphics families. The prefix is matched with a regular expression rather than with has_any because has_any matches whole tokens: "p4" would match the token "p4" but not "p4d.24xlarge", whose first token is "p4d", and the same gap applies to the p3dn, g3s and trn1n variants.
Data Extraction: It labels the instance type as InstanceType for further analysis or reporting.
Caveats: when the launch uses a launch template that carries the instance type, requestParameters.instanceType is absent from the RunInstances event and the query will not see it, so hits should be cross-checked against launch-template usage. A RunInstances call that was rejected (for example for an insufficient vCPU quota) is still logged, so confirm the call succeeded before treating a hit as a running instance. Legitimate ML and rendering workloads use the same families, so baseline the principals and regions that normally launch them and focus on new principals, new regions, large maxCount values and launches outside business hours.
In summary, this query helps in monitoring and detecting the creation of specific GPU-enabled AWS instances that might be used for activities like crypto mining.
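The detection logic above, replayed over a handful of constructed CloudTrail records, as an added example that is not the query author's code. It emulates the KQL steps (24h window, RunInstances filter, family-prefix match) in Python, separately surfaces launches whose instance type lives in a launch template, and includes a small emulation of KQL has_any term matching to show why "p4" alone would miss p4d.24xlarge. The events, the account ID, the user ARNs and the fixed reference time are all assumptions made up for the example.

```python
"""Replay the GPU-instance-launch hunt over constructed CloudTrail records.

Added illustration, not the query author's code. The CloudTrail records
below are constructed for this example; no real account data is used.
"""
import re
from datetime import datetime, timedelta, timezone

# Families the hunt looks for, matched on the prefix before the first ".".
# Prefix matching covers size and sub-family variants (p4d, p3dn, g3s, g5g,
# g4dn, g4ad, trn1n) without listing each one.
GPU_FAMILY_RE = re.compile(r"^(p[2-5]|dl1|trn1|inf[12]|g[3-5])[a-z]*\.")

# Fixed "now" so the 24h window is reproducible (assumed for the example).
REFERENCE_TIME = datetime(2024, 11, 10, 12, 0, 0, tzinfo=timezone.utc)

# Constructed CloudTrail records, trimmed to the fields the hunt uses.
SAMPLE_EVENTS = [
    {"eventTime": "2024-11-10T11:05:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"instanceType": "p4d.24xlarge", "maxCount": 4}},
    {"eventTime": "2024-11-10T10:30:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"instanceType": "t3.micro", "maxCount": 1}},
    {"eventTime": "2024-11-07T09:00:00Z", "eventName": "RunInstances",  # outside window
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"instanceType": "g5.xlarge", "maxCount": 1}},
    {"eventTime": "2024-11-10T08:15:00Z", "eventName": "RunInstances",  # type in template
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ci-runner"},
     "requestParameters": {"launchTemplate": {"launchTemplateId": "lt-0abc"},
                           "maxCount": 8}},
    {"eventTime": "2024-11-10T11:50:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {}},
    {"eventTime": "2024-11-10T11:58:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/carol"},
     "requestParameters": {"instanceType": "g3s.xlarge", "maxCount": 2}},
]


def kql_has_any(value, terms):
    """Emulate KQL has_any: a term matches only as a whole alphanumeric token."""
    tokens = set(re.findall(r"[a-z0-9]+", value.lower()))
    return any(term.lower() in tokens for term in terms)


def is_gpu_family(instance_type):
    """True when the instance type belongs to one of the hunted families."""
    return GPU_FAMILY_RE.match(instance_type.lower()) is not None


def parse_event_time(value):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hunt_gpu_launches(events, now=REFERENCE_TIME, window=timedelta(hours=24)):
    """Return (hits, unresolved).

    hits: RunInstances events inside the window whose instanceType is a
    hunted GPU family. unresolved: RunInstances events inside the window
    with no instanceType in the request (the type came from a launch
    template), which the KQL query silently drops and an analyst should
    resolve against the template version.
    """
    start = now - window
    hits, unresolved = [], []
    for ev in events:
        if ev.get("eventName") != "RunInstances":
            continue
        when = parse_event_time(ev["eventTime"])
        if not (start <= when <= now):
            continue
        who = ev.get("userIdentity", {}).get("arn", "unknown")
        params = ev.get("requestParameters") or {}
        itype = params.get("instanceType")
        if itype is None:
            unresolved.append({"time": ev["eventTime"], "user": who,
                               "launchTemplate": params.get("launchTemplate")})
            continue
        if is_gpu_family(itype):
            hits.append({"time": ev["eventTime"], "user": who,
                         "instanceType": itype,
                         "family": itype.split(".", 1)[0],
                         "count": params.get("maxCount", 1)})
    return hits, unresolved


if __name__ == "__main__":
    found, pending = hunt_gpu_launches(SAMPLE_EVENTS)
    for h in found:
        print(f"GPU launch: {h['time']} {h['user']} {h['instanceType']} x{h['count']}")
    for u in pending:
        print(f"Resolve template: {u['time']} {u['user']} {u['launchTemplate']}")
    # Why prefix matching: KQL has_any only matches whole tokens, so "p4"
    # on its own never sees p4d.24xlarge.
    print("has_any('p4') matches p4d.24xlarge:", kql_has_any("p4d.24xlarge", ["p4"]))
```

Against the sample records the hunt returns the p4d.24xlarge and g3s.xlarge launches as hits, drops the three-day-old g5.xlarge launch and the DescribeInstances call, and reports the launch-template launch as unresolved rather than silently ignoring it, which is the behaviour to add if the KQL query is extended with launch-template enrichment.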

Nikhil Jaisawal
Released: November 10, 2024