Suspicious AWS Login Activities
Description
Monitor your AWS authentication events using your CloudTrail logs. Searches within this Analytic Story will help you stay aware of and investigate suspicious logins.
- Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Authentication
- Last Updated: 2019-05-01
- Author: Bhavin Patel, Splunk
- ID: 2e8948a5-5239-406b-b56b-6c59f1268af3
Narrative
It is important to monitor and control who has access to your AWS infrastructure. Detecting suspicious logins to your AWS infrastructure will provide good starting points for investigations. Abusive behaviors caused by compromised credentials can lead to direct monetary costs, as you will be billed for any EC2 instances created by the attacker.
Detections
Reference
version: 1