Analytics Story: Suspicious Cloud Instance Activities
Description
Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.
Why it matters
Monitoring your cloud infrastructure logs allows you enable governance, compliance, and risk auditing. It is crucial for a company to monitor events and actions taken in the their cloud environments to ensure that your instances are not vulnerable to attacks. This Analytic Story identifies suspicious activities in your cloud compute instances and helps you respond and investigate those activities.
Correlation Search
1| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count values(All_Risk.risk_message) as risk_message from datamodel=Risk.All_Risk where All_Risk.annotations.mitre_attack.mitre_tactic = "collection" OR All_Risk.annotations.mitre_attack.mitre_tactic = "exfiltration" source = *AWS* by All_Risk.risk_object | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 2 and mitre_tactic_id_count>=2 | `aws_s3_exfiltration_behavior_identified_filter`
Detections
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
AWS CloudTrail | AWS | aws:cloudtrail |
aws_cloudtrail |
AWS CloudTrail CreateSnapshot | AWS | aws:cloudtrail |
aws_cloudtrail |
AWS CloudTrail DeleteSnapshot | AWS | aws:cloudtrail |
aws_cloudtrail |
AWS CloudTrail ModifyImageAttribute | AWS | aws:cloudtrail |
aws_cloudtrail |
AWS CloudTrail ModifySnapshotAttribute | AWS | aws:cloudtrail |
aws_cloudtrail |
References
Source: GitHub | Version: 1