Analytics Story: Suspicious Cloud Instance Activities

Date: 2020-08-25 ID: 8168ca88-392e-42f4-85a2-767579c660ce Author: David Dorsey, Splunk Product: Splunk Enterprise Security

Description

Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.

Why it matters

Monitoring your cloud infrastructure logs allows you enable governance, compliance, and risk auditing. It is crucial for a company to monitor events and actions taken in the their cloud environments to ensure that your instances are not vulnerable to attacks. This Analytic Story identifies suspicious activities in your cloud compute instances and helps you respond and investigate those activities.

Correlation Search

1| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count values(All_Risk.risk_message) as risk_message  from datamodel=Risk.All_Risk where All_Risk.annotations.mitre_attack.mitre_tactic = "collection" OR All_Risk.annotations.mitre_attack.mitre_tactic = "exfiltration" source = *AWS*  by All_Risk.risk_object | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 2 and mitre_tactic_id_count>=2 | `aws_s3_exfiltration_behavior_identified_filter`

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
Abnormally High Number Of Cloud Instances Destroyed	Cloud Accounts, Valid Accounts	Anomaly
Abnormally High Number Of Cloud Instances Launched	Cloud Accounts, Valid Accounts	Anomaly
AWS AMI Attribute Modification for Exfiltration	Transfer Data to Cloud Account	TTP
AWS EC2 Snapshot Shared Externally	Transfer Data to Cloud Account	TTP
AWS Exfiltration via EC2 Snapshot	Transfer Data to Cloud Account	TTP
Cloud Instance Modified By Previously Unseen User	Cloud Accounts, Valid Accounts	Anomaly

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
AWS CloudTrail	AWS	`aws:cloudtrail`	`aws_cloudtrail`
AWS CloudTrail CreateSnapshot	AWS	`aws:cloudtrail`	`aws_cloudtrail`
AWS CloudTrail DeleteSnapshot	AWS	`aws:cloudtrail`	`aws_cloudtrail`
AWS CloudTrail ModifyImageAttribute	AWS	`aws:cloudtrail`	`aws_cloudtrail`
AWS CloudTrail ModifySnapshotAttribute	AWS	`aws:cloudtrail`	`aws_cloudtrail`

References

https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf

Source: GitHub | Version: 1