Try in Splunk Security Cloud


This search looks for AWS CloudTrail events and analyse the amount of eventNames which starts with Describe by a single user. This indicates that this user scans the configuration of your AWS cloud environment.

  • Type: TTP
  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2021-04-13
  • Author: Patrick Bareiss, Splunk
  • ID: 1fdd164a-def8-4762-83a9-9ffe24e74d5a


ID Technique Tactic
T1526 Cloud Service Discovery Discovery
`cloudtrail` eventName=Describe* OR eventName=List* OR eventName=Get*  
| stats dc(eventName) as dc_events min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName values(src) as src values(userAgent) as userAgent by user userIdentity.arn 
| where dc_events > 50 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`

Associated Analytic Story

How To Implement

You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.

Required field

  • _time
  • eventName
  • src
  • userAgent
  • user
  • userIdentity.arn

Kill Chain Phase

  • Actions on Objectives

Known False Positives

While this search has no known false positives.


Risk Score Impact Confidence Message
18.0 30 60 user $user$ has excessive number of api calls $dc_events$ from these IP addresses $src$, violating the threshold of 50, using the following commands $command$.


Test Dataset

Replay any dataset to Splunk Enterprise by using our tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1