Description

Use the searches in this Analytic Story to monitor your AWS EC2 instances for evidence of anomalous activity and suspicious behaviors, such as EC2 instances that originate from unusual locations or those launched by previously unseen users (among others). Included investigative searches will help you probe more deeply, when the information warrants it.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2018-02-09
  • Author: Bhavin Patel, Splunk
  • ID: 2e8948a5-5239-406b-b56b-6c50f1268af3

Narrative

AWS CloudTrail is an AWS service that helps you enable governance, compliance, and risk auditing within your AWS account. Actions taken by a user, role, or AWS service are recorded as events in CloudTrail. It is crucial to monitor the events and actions taken through the AWS Console, the AWS command-line interface, and the AWS SDKs and APIs to ensure that your EC2 instances are not vulnerable to attack. This Analytic Story identifies suspicious activity in your AWS EC2 instances and helps you investigate and respond to it.
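As an added illustration that is not one of the story's own searches, the following Python reproduces the core logic of three of the detections listed in this story (previously unseen user, previously unseen region, abnormally high launch count) over constructed CloudTrail-shaped RunInstances records. The account ID, user names, regions and the 3x threshold are made-up assumptions; the real MLTK detections derive their threshold statistically.

```python
from collections import Counter

def rec(time, user, region, n, error=None):
    """Build a minimal CloudTrail-shaped RunInstances record (constructed test data)."""
    e = {"eventTime": time, "eventName": "RunInstances", "awsRegion": region,
         "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"}}
    if error:  # failed calls carry errorCode and launch nothing
        e["errorCode"] = error
    else:
        e["responseElements"] = {"instancesSet": {"items": [
            {"instanceId": f"i-{user}{i}"} for i in range(n)]}}
    return e

# Learning window (known-good history) and the window being evaluated (constructed).
BASELINE = [rec("2018-02-01T10:00:00Z", "alice", "us-east-1", 1),
            rec("2018-02-02T10:00:00Z", "bob", "us-east-1", 2)]
NEW_EVENTS = [rec("2018-02-09T03:00:00Z", "mallory", "ap-southeast-1", 8),
              rec("2018-02-09T04:00:00Z", "alice", "us-east-1", 0, "Client.UnauthorizedOperation"),
              rec("2018-02-09T05:00:00Z", "alice", "us-east-1", 1)]

def launches(events):
    """Yield (user_arn, region, instance_count) for successful RunInstances calls;
    failed calls are skipped so they do not pollute the baseline or the counts."""
    for e in events:
        if e.get("eventName") != "RunInstances" or "errorCode" in e:
            continue
        items = e.get("responseElements", {}).get("instancesSet", {}).get("items", [])
        yield e["userIdentity"]["arn"], e["awsRegion"], len(items)

def build_baseline(events):
    """Instances launched per user and the set of regions seen in the learning window."""
    per_user, regions = Counter(), set()
    for user, region, n in launches(events):
        per_user[user] += n
        regions.add(region)
    return per_user, regions

def evaluate(events, per_user_baseline, known_regions, factor=3):
    """Flag previously unseen users and regions, plus any user whose launch count in
    this window exceeds factor x the largest per-user baseline count (an assumed
    stand-in for the statistical threshold the MLTK variants compute)."""
    alerts, window = [], Counter()
    threshold = factor * max(per_user_baseline.values(), default=0)
    for user, region, n in launches(events):
        if user not in per_user_baseline:
            alerts.append(("previously_unseen_user", user))
        if region not in known_regions:
            alerts.append(("previously_unseen_region", region))
        window[user] += n
    alerts += [("abnormally_high_launches", u) for u, n in window.items() if n > threshold]
    return alerts
```

Running `evaluate(NEW_EVENTS, *build_baseline(BASELINE))` flags mallory as an unseen user launching in an unseen region with an abnormally high instance count, while alice's failed call is ignored.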

Detections

Name                                                     Technique                          Type
Abnormally High AWS Instances Launched by User           Cloud Accounts                     Anomaly
Abnormally High AWS Instances Launched by User - MLTK    Cloud Accounts                     Anomaly
Abnormally High AWS Instances Terminated by User         Cloud Accounts                     Anomaly
Abnormally High AWS Instances Terminated by User - MLTK  Cloud Accounts                     Anomaly
EC2 Instance Started In Previously Unseen Region         Unused/Unsupported Cloud Regions   Anomaly
EC2 Instance Started With Previously Unseen User         Cloud Accounts                     Anomaly

Reference

source | version: 1