Suspicious activity

Stop EC2 instance API call was made from Tor IP address

Risk Level

Imminent Compromised (2)



Orca detected that an API call to stop EC2 instance was made from Tor IP address - {MaliciousIp.MaliciousIp}. This action may indicate of a presence of an unauthorized actor in the cloud environment, since stopping the EC2 instances API call was sourced from Tor IP address.
  • Recommended Mitigation

    It is recommended to review relevant CloudTrail event and principal's activity that issued this API call.