Try in Splunk Security Cloud

Description

The following analytic detects API calls made to an S3 bucket when bucket replication services are enabled. S3 bucket replication is a feature offered by Amazon Web Services (AWS) that allows you to automatically and asynchronously copy data from one S3 bucket to another in the same or different region.
S3 bucket replication can also be used for cross-account replication, where data is replicated from a source bucket owned by one AWS account to a destination bucket owned by a different AWS account.

  • Type: TTP

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

  • Last Updated: 2023-04-28
  • Author: Bhavin Patel, Splunk
  • ID: eeb432d6-2212-43b6-9e89-fcd753f7da4c

Annotations

ATT&CK

ATT&CK

ID Technique Tactic
T1537 Transfer Data to Cloud Account Exfiltration
Kill Chain Phase
  • Actions On Objectives
NIST
  • DE.CM
CIS20
  • CIS 10
CVE 


1
2
3
4



`cloudtrail`  eventName = PutBucketReplication eventSource = s3.amazonaws.com 
|  rename requestParameters.* as * 
| stats count values(bucketName) as source_bucket values(ReplicationConfiguration.Rule.ID) as rule_id values(ReplicationConfiguration.Rule.Destination.Bucket) as destination_bucket by _time user_arn userName user_type src_ip aws_account_id userIdentity.principalId user_agent 
| `aws_exfiltration_via_ec2_snapshot_filter`

Macros

The SPL above uses the following Macros:

:information_source: aws_exfiltration_via_bucket_replication_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

  • _time
  • eventName
  • user_arn
  • src_ip
  • eventSource
  • requestParameters.*
  • aws_account_id
  • vendor_region
  • user_agent
  • userIdentity.principalId

How To Implement

You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.

Known False Positives

It is possible that an AWS admin has legitimately implemented data replication to ensure data availability and improve data protection/backup strategies.

Associated Analytic Story

RBA

Risk Score Impact Confidence Message
64.0 80 80 AWS Bucket Replication rule $rule$ added on $source_bucket$ to $destination_bucket$ by user $user_arn$ from IP Address - $src_ip$

:information_source: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1