Analytics Story: AWS Suspicious Provisioning Activities

Date: 2018-03-16 ID: 3338b567-3804-4261-9889-cf0ca4753c7f Author: David Dorsey, Splunk Product: Splunk Enterprise Security

Description

Monitor your AWS provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your network.

Why it matters

Because most enterprise AWS activities originate from familiar geographic locations, monitoring for activity from unknown or unusual regions is an important security measure. This indicator can be especially useful in environments where it is impossible to add specific IPs to an allow list because they vary. This Analytic Story was designed to provide you with flexibility in the precision you employ in specifying legitimate geographic regions. It can be as specific as an IP address or a city, or as broad as a region (think state) or an entire country. By determining how precise you want your geographical locations to be and monitoring for new locations that haven't previously accessed your environment, you can detect adversaries as they begin to probe your environment. Since there are legitimate reasons for activities from unfamiliar locations, this is not a standalone indicator. Nevertheless, location can be a relevant piece of information that you may wish to investigate further.

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
AWS Cloud Provisioning From Previously Unseen City	Unused/Unsupported Cloud Regions	Anomaly
AWS Cloud Provisioning From Previously Unseen Country	Unused/Unsupported Cloud Regions	Anomaly
AWS Cloud Provisioning From Previously Unseen IP Address	None	Anomaly
AWS Cloud Provisioning From Previously Unseen Region	Unused/Unsupported Cloud Regions	Anomaly

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼

References

https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf

Source: GitHub | Version: 1