Description

This search looks for new commands from each user role.

Annotations

ATT&CK
ID: T1078
Technique: Valid Accounts
Tactic: Defense Evasion, Initial Access, Persistence, Privilege Escalation
Kill Chain Phase
  • Actions on Objectives
NIST
  • ID.AM
CIS20
  • CIS 1
CVE
| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where All_Changes.user_type=AssumedRole AND All_Changes.status=success by All_Changes.user, All_Changes.command, All_Changes.object 
| `drop_dm_object_name("All_Changes")` 
| lookup previously_seen_cloud_api_calls_per_user_role user as user, command as command OUTPUT firstTimeSeen, enough_data 
| eventstats max(enough_data) as enough_data 
| where enough_data=1 
| eval firstTimeSeenUserApiCall=min(firstTimeSeen) 
| where isnull(firstTimeSeenUserApiCall) OR firstTimeSeenUserApiCall > relative_time(now(),"-24h@h") 
| table firstTime, lastTime, user, object, command 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `cloud_api_calls_from_previously_unseen_user_roles_filter`

Macros

The SPL above uses the following Macros:

  • drop_dm_object_name
  • security_content_ctime
  • cloud_api_calls_from_previously_unseen_user_roles_filter

Note that cloud_api_calls_from_previously_unseen_user_roles_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Lookups

The SPL above uses the following Lookups:

  • previously_seen_cloud_api_calls_per_user_role

Required field

  • _time
  • All_Changes.user
  • All_Changes.user_type
  • All_Changes.status
  • All_Changes.command
  • All_Changes.object

How To Implement

You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search Previously Seen Cloud API Calls Per User Role - Initial to build the initial table of user roles, commands, and times. You must also enable the second baseline search Previously Seen Cloud API Calls Per User Role - Update to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the cloud_api_calls_from_previously_unseen_user_roles_activity_window macro. You can also provide additional filtering for this search by customizing the cloud_api_calls_from_previously_unseen_user_roles_filter macro.
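The three searches described above (the Initial baseline, the Update baseline that ages out stale entries, and the detection itself) fit together in a way the SPL alone does not make obvious, in particular how the enough_data gate behaves. The following Python is an added example written for this page, not Splunk's code or the content of the baseline searches: it replays the same logic over a handful of constructed audit records. The 24h window comes from the SPL; the 7-day "enough data" rule, the 90-day age-out, the role names and the event timestamps are all assumptions chosen for illustration.

```python
"""First-seen cloud API calls per assumed role: baseline build, baseline update
with age-out, and the detection step, mirrored from the SPL on this page."""
from datetime import datetime, timedelta, timezone

# Constructed reference time and thresholds (only the 24h window is from the page).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
ACTIVITY_WINDOW = timedelta(hours=24)   # relative_time(now(), "-24h@h"); NOW is on the hour
ENOUGH_DATA_AFTER = timedelta(days=7)   # assumed: trust the baseline after a week of history
MAX_AGE = timedelta(days=90)            # assumed: age out pairs not seen for 90 days


def event(hours, user, command, obj, user_type="AssumedRole", status="success"):
    """Build one constructed audit record using the Change data model field names."""
    return {"_time": NOW - timedelta(hours=hours), "user": user, "user_type": user_type,
            "status": status, "command": command, "object": obj}


# Constructed sample data, not real telemetry.
HISTORY = [  # what the "Initial" baseline search would summarise
    event(240, "DeployRole", "s3:ListBuckets", "bucket-a"),
    event(48, "DeployRole", "s3:ListBuckets", "bucket-b"),
    event(2, "ReadOnlyRole", "ec2:DescribeInstances", "i-0abc"),
    event(5000, "LegacyRole", "sts:GetCallerIdentity", "-"),
]
RECENT = [  # what the detection search sees in its own time range
    event(1, "DeployRole", "s3:ListBuckets", "bucket-a"),            # known pair
    event(1, "DeployRole", "iam:CreateUser", "svc-backup"),           # never seen for this role
    event(1, "ReadOnlyRole", "ec2:DescribeInstances", "i-0abc"),      # first seen only 2h ago
    event(1, "DeployRole", "s3:DeleteBucket", "bucket-a", status="failure"),  # dropped: not success
    event(1, "alice", "iam:CreateUser", "bob", user_type="IAMUser"),          # dropped: not AssumedRole
]


def in_scope(e):
    """The WHERE clause: successful calls made under an assumed role."""
    return e["user_type"] == "AssumedRole" and e["status"] == "success"


def stamp_enough_data(rows, now):
    """enough_data=1 once the oldest observation is older than ENOUGH_DATA_AFTER (assumed rule)."""
    oldest = min((r["firstTimeSeen"] for r in rows.values()), default=now)
    enough = 1 if now - oldest >= ENOUGH_DATA_AFTER else 0
    for r in rows.values():
        r["enough_data"] = enough
    return rows


def build_baseline(events, now=NOW):
    """Initial baseline: firstTimeSeen/lastTimeSeen per (user, command) plus enough_data."""
    rows = {}
    for e in filter(in_scope, events):
        row = rows.setdefault((e["user"], e["command"]),
                              {"firstTimeSeen": e["_time"], "lastTimeSeen": e["_time"]})
        row["firstTimeSeen"] = min(row["firstTimeSeen"], e["_time"])
        row["lastTimeSeen"] = max(row["lastTimeSeen"], e["_time"])
    return stamp_enough_data(rows, now)


def update_baseline(baseline, new_events, now=NOW, max_age=MAX_AGE):
    """Update baseline: merge new observations, then age out pairs not seen within max_age."""
    merged = {k: dict(v) for k, v in baseline.items()}
    for key, row in build_baseline(new_events, now).items():
        old = merged.setdefault(key, {"firstTimeSeen": row["firstTimeSeen"],
                                      "lastTimeSeen": row["lastTimeSeen"]})
        old["firstTimeSeen"] = min(old["firstTimeSeen"], row["firstTimeSeen"])
        old["lastTimeSeen"] = max(old["lastTimeSeen"], row["lastTimeSeen"])
    aged = {k: v for k, v in merged.items() if now - v["lastTimeSeen"] <= max_age}
    return stamp_enough_data(aged, now)


def detect_unseen_role_api_calls(events, baseline, now=NOW, window=ACTIVITY_WINDOW):
    """The detection search: rows of firstTime, lastTime, user, object, command."""
    # tstats earliest(_time), latest(_time) ... by user, command, object
    groups = {}
    for e in filter(in_scope, events):
        g = groups.setdefault((e["user"], e["command"], e["object"]),
                              {"firstTime": e["_time"], "lastTime": e["_time"]})
        g["firstTime"] = min(g["firstTime"], e["_time"])
        g["lastTime"] = max(g["lastTime"], e["_time"])
    # lookup + eventstats max(enough_data) + where enough_data=1: the gate is the maximum
    # over the rows that matched the lookup, so a baseline too young to trust (or a result
    # set with no lookup matches at all) suppresses every alert instead of flooding the queue.
    matched = [baseline.get((u, c)) for (u, c, _) in groups]
    if max((r["enough_data"] for r in matched if r), default=0) != 1:
        return []
    cutoff = now - window
    results = []
    for (user, command, obj), g in sorted(groups.items()):
        row = baseline.get((user, command))
        # where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), "-24h@h")
        if row is None or row["firstTimeSeen"] > cutoff:
            results.append({"firstTime": g["firstTime"], "lastTime": g["lastTime"],
                            "user": user, "object": obj, "command": command})
    return results


if __name__ == "__main__":
    initial = build_baseline(HISTORY)
    for hit in detect_unseen_role_api_calls(RECENT, initial):
        print(f"User {hit['user']} of type AssumedRole attempting to execute new API call "
              f"{hit['command']} on {hit['object']} (first {hit['firstTime']:%Y-%m-%d %H:%M})")
    updated = update_baseline(initial, RECENT)
    print("aged out of baseline:", sorted(set(initial) - set(updated)))
```

Run as written, the detection raises two rows: DeployRole calling iam:CreateUser (no baseline entry at all) and ReadOnlyRole calling ec2:DescribeInstances (first seen inside the 24h window). The failed call and the IAMUser call never enter the result set, and the update step drops LegacyRole, which has not been seen for over 90 days. A baseline built only from the two most recent days of HISTORY carries enough_data=0, and the detection then returns nothing, which is the behaviour to expect right after deploying the Initial baseline.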

Known False Positives


Associated Analytic story

RBA

Risk Score: 36.0
Impact: 60
Confidence: 60
Message: User $user$ of type AssumedRole attempting to execute new API calls $command$ that have not been seen before

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 1