Description

Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • Last Updated: 2020-08-25
  • Author: David Dorsey, Splunk
  • ID: 8168ca88-392e-42f4-85a2-767579c660ce

Narrative

Monitoring your cloud infrastructure logs allows you to enable governance, compliance, and risk auditing. It is crucial for a company to monitor the events and actions taken in its cloud environments to ensure that its instances are not vulnerable to attack. This Analytic Story identifies suspicious activities in your cloud compute instances and helps you respond to and investigate those activities.

Detections

Name                                                 | Technique                       | Type
Abnormally High Number Of Cloud Instances Destroyed  | Cloud Accounts, Valid Accounts  | Anomaly
Abnormally High Number Of Cloud Instances Launched   | Cloud Accounts, Valid Accounts  | Anomaly
Cloud Instance Modified By Previously Unseen User    | Cloud Accounts, Valid Accounts  | Anomaly
Detect shared ec2 snapshot                           | Transfer Data to Cloud Account  | TTP
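As an added illustration of the baseline-and-threshold logic behind the three anomaly detections above (example code written for this page, not Splunk's own search logic; the CloudTrail-style events, user names, lookback window and thresholds are all constructed):

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed CloudTrail-style events normalised to (time, user, action, instance),
# roughly the fields the Change datamodel exposes for instance operations.
EVENTS = [
    ("2020-08-20T09:00:00", "alice", "RunInstances", "i-0a1"),
    ("2020-08-20T09:05:00", "alice", "ModifyInstanceAttribute", "i-0a1"),
    ("2020-08-21T11:00:00", "bob", "RunInstances", "i-0b1"),
    ("2020-08-24T22:10:00", "mallory", "ModifyInstanceAttribute", "i-0a1"),
    ("2020-08-24T22:12:00", "mallory", "TerminateInstances", "i-0a1"),
    ("2020-08-24T22:13:00", "mallory", "TerminateInstances", "i-0b1"),
    ("2020-08-24T22:14:00", "mallory", "TerminateInstances", "i-0c1"),
    ("2020-08-25T08:00:00", "alice", "ModifyInstanceAttribute", "i-0d1"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def unseen_modifiers(events, lookback_days=30):
    """Instance-modification events by a user with no activity of any kind in the
    lookback window before that event (cf. 'Modified By Previously Unseen User')."""
    last_seen = {}  # user -> time of their most recent event so far
    hits = []
    for ts, user, action, inst in sorted(events):
        t = _ts(ts)
        if action == "ModifyInstanceAttribute":
            prev = last_seen.get(user)
            if prev is None or t - prev > timedelta(days=lookback_days):
                hits.append((ts, user, inst))
        last_seen[user] = t
    return hits


def volume_spikes(events, action, threshold):
    """(day, user, count) triples where a user performed `action` more than
    `threshold` times in one day (cf. 'Abnormally High Number ... Launched/Destroyed').
    A production search would derive the threshold from each user's own baseline."""
    per_day = Counter((ts[:10], user) for ts, user, a, _ in events if a == action)
    return sorted((day, user, n) for (day, user), n in per_day.items() if n > threshold)


if __name__ == "__main__":
    print("unseen modifiers:", unseen_modifiers(EVENTS))
    print("terminate spikes:", volume_spikes(EVENTS, "TerminateInstances", 2))
```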

Reference

source | version: 1