Analytics Story: Suspicious AWS EC2 Activities

Date: 2018-02-09 ID: 2e8948a5-5239-406b-b56b-6c50f1268af3 Author: Bhavin Patel, Splunk Product: Splunk Enterprise Security

Description

Use the searches in this Analytic Story to monitor your AWS EC2 instances for evidence of anomalous activity and suspicious behaviors, such as EC2 instances that originate from unusual locations or those launched by previously unseen users (among others). Included investigative searches will help you probe more deeply, when the information warrants it.

Why it matters

AWS CloudTrail is an AWS service that helps you enable governance, compliance, and risk auditing within your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. It is crucial for a company to monitor events and actions taken in the AWS Console, AWS command-line interface, and AWS SDKs and APIs to ensure that your EC2 instances are not vulnerable to attacks. This Analytic Story identifies suspicious activities in your AWS EC2 instances and helps you respond and investigate those activities.

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
Abnormally High AWS Instances Launched by User	Cloud Accounts	Anomaly
Abnormally High AWS Instances Launched by User - MLTK	Cloud Accounts	Anomaly
Abnormally High AWS Instances Terminated by User	Cloud Accounts	Anomaly
Abnormally High AWS Instances Terminated by User - MLTK	Cloud Accounts	Anomaly
EC2 Instance Started In Previously Unseen Region	Unused/Unsupported Cloud Regions	Anomaly
EC2 Instance Started With Previously Unseen User	Cloud Accounts	Anomaly

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼

References

https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf

Source: GitHub | Version: 1