
Description

Monitor your cloud authentication events. The searches in this Analytic Story use the cloud-related updates to the Authentication data model to surface suspicious login activity and give you a starting point for investigating it.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication
  • Last Updated: 2020-06-04
  • Author: Rico Valdez, Splunk
  • ID: 6380ebbb-55c5-4fce-b754-01fd565fb73c

Narrative

Monitoring and controlling who has access to your cloud infrastructure is essential. Detecting suspicious logins gives investigations a good starting point. Abuse of compromised credentials has a direct monetary cost: you are billed for any compute activity, whether it is legitimate or not.
This Analytic Story contains data-model-based versions of the cloud searches that use Authentication data, including searches for suspicious login activity and for cross-account activity in AWS.

Detections

Name | ATT&CK technique(s) | Type
  • AWS Cross Account Activity From Previously Unseen Account | (no technique listed) | Anomaly
  • Detect AWS Console Login by New User | Compromise Accounts, Cloud Accounts, Unsecured Credentials | Hunting
  • Detect AWS Console Login by User from New City | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Hunting
  • Detect AWS Console Login by User from New Country | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Hunting
  • Detect AWS Console Login by User from New Region | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Hunting
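Every detection in the list above is a "previously unseen" comparison: a baseline of what each user (or each calling account) has done before, and an alert the first time a login introduces a user, city, country, region or source account that the baseline lacks. The following is an added example, not code from Splunk or from this Analytic Story, that runs that pattern over a handful of constructed CloudTrail-style console login records. The record layout (user, pre-enriched city/country/region, src_account and dest_account standing in for userIdentity.accountId and recipientAccountId) and the time cutoff are assumptions made for the example; Splunk's own searches work from the Authentication data model and lookups instead.

```python
"""
Added example, not code from Splunk or this Analytic Story: the "previously
unseen" baseline pattern behind the hunting searches listed above, run over
constructed CloudTrail-style console login events.

Older events build a per-user baseline of seen users, cities, countries and
regions plus the set of source accounts that have called into this account.
Newer events are flagged the first time they introduce a value the baseline
has not seen, and the baseline is updated so each new value fires once.
"""
from collections import defaultdict

# "region" here is the iplocation-style geographic region, not an AWS region.
GEO_FIELDS = ("city", "country", "region")

# Constructed, simplified records (assumption for this example).  Real
# CloudTrail ConsoleLogin events carry sourceIPAddress; the geo fields here are
# assumed to be pre-enriched, as Splunk would do with iplocation.
# src_account/dest_account stand in for userIdentity.accountId and
# recipientAccountId.
SAMPLE_EVENTS = [
    {"t": 1, "user": "alice", "city": "Austin", "country": "US", "region": "TX",
     "src_account": "111111111111", "dest_account": "111111111111"},
    {"t": 2, "user": "alice", "city": "Dallas", "country": "US", "region": "TX",
     "src_account": "111111111111", "dest_account": "111111111111"},
    {"t": 3, "user": "bob", "city": "Berlin", "country": "DE", "region": "BE",
     "src_account": "111111111111", "dest_account": "111111111111"},
    {"t": 4, "user": "svc-ci", "city": "Ashburn", "country": "US", "region": "VA",
     "src_account": "222222222222", "dest_account": "111111111111"},  # known cross-account caller
    # ---- events at t >= 5 are evaluated against the baseline built from t < 5 ----
    {"t": 5, "user": "alice", "city": "Austin", "country": "US", "region": "TX",
     "src_account": "111111111111", "dest_account": "111111111111"},  # nothing new
    {"t": 6, "user": "alice", "city": "Lagos", "country": "NG", "region": "LA",
     "src_account": "111111111111", "dest_account": "111111111111"},  # new city/country/region
    {"t": 7, "user": "mallory", "city": "Austin", "country": "US", "region": "TX",
     "src_account": "111111111111", "dest_account": "111111111111"},  # never-seen user
    {"t": 8, "user": "svc-ci", "city": "Ashburn", "country": "US", "region": "VA",
     "src_account": "333333333333", "dest_account": "111111111111"},  # unseen source account
    {"t": 9, "user": "svc-ci", "city": "Ashburn", "country": "US", "region": "VA",
     "src_account": "222222222222", "dest_account": "111111111111"},  # known caller again
]


def _learn(baseline, e):
    """Record one event into the baseline."""
    baseline["users"].add(e["user"])
    for f in GEO_FIELDS:
        baseline["geo"][f][e["user"]].add(e[f])
    if e["src_account"] != e["dest_account"]:
        baseline["cross_accounts"].add(e["src_account"])


def build_baseline(events):
    """Summarise what has been seen before, per user and per source account."""
    baseline = {
        "users": set(),
        "geo": {f: defaultdict(set) for f in GEO_FIELDS},  # field -> user -> values
        "cross_accounts": set(),
    }
    for e in events:
        _learn(baseline, e)
    return baseline


def detect(events, baseline):
    """Return findings for events that introduce something the baseline lacks.

    A brand-new user is reported only as new_user (its geo values are trivially
    new); the geo checks apply to users already in the baseline, matching how
    the separate "new user" and "new city/country/region" searches divide the work.
    """
    findings = []
    for e in sorted(events, key=lambda x: x["t"]):
        if e["user"] not in baseline["users"]:
            findings.append(("new_user", e["user"], e["t"]))
        else:
            for f in GEO_FIELDS:
                if e[f] not in baseline["geo"][f][e["user"]]:
                    findings.append((f"new_{f}", e["user"], e[f], e["t"]))
        if (e["src_account"] != e["dest_account"]
                and e["src_account"] not in baseline["cross_accounts"]):
            findings.append(("cross_account_unseen", e["src_account"], e["t"]))
        _learn(baseline, e)  # fire once per new value, as a lookup-backed search would
    return findings


def run(events, cutoff):
    """Build the baseline from events before `cutoff` and evaluate the rest."""
    history = [e for e in events if e["t"] < cutoff]
    recent = [e for e in events if e["t"] >= cutoff]
    return detect(recent, build_baseline(history))


if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS, cutoff=5):
        print(finding)
```

Two things to check before relying on searches of this shape: the baseline period must be long enough to cover normal travel and the accounts that legitimately call into yours, or the first weeks of output will be mostly known-good first sightings; and city-level geolocation of a source IP is the least reliable of the three geo fields, so a "new city" hit with the same country and region deserves less weight than a new country. The Type column above marks these as Hunting content for that reason: they are meant to be triaged, not paged on.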

Reference

  • Source definition, version 1