
Description

Detect and investigate suspicious activities by users and roles in your cloud environments.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • Last Updated: 2020-09-04
  • Author: David Dorsey, Splunk
  • ID: 1ed5ce7d-5469-4232-92af-89d1a3595b39

Narrative

It seems obvious that it is critical to monitor and control the users who have access to your cloud infrastructure. Nevertheless, it’s all too common for enterprises to lose track of ad-hoc accounts, leaving their servers vulnerable to attack. In fact, this was the very oversight that led to Tesla’s cryptojacking attack in February 2018.
In addition to compromising the security of your data, bad actors who leverage your compute resources can incur monumental costs, since you will be billed for any new instances and increased bandwidth usage.

Detections

Name                                                      Technique                            Type
--------------------------------------------------------  -----------------------------------  -------
AWS IAM AccessDenied Discovery Events                     Cloud Infrastructure Discovery       Anomaly
AWS Lambda UpdateFunctionCode                             User Execution                       Hunting
Abnormally High Number Of Cloud Infrastructure API Calls  Cloud Accounts, Valid Accounts       Anomaly
Abnormally High Number Of Cloud Security Group API Calls  Cloud Accounts, Valid Accounts       Anomaly
Cloud API Calls From Previously Unseen User Roles         Valid Accounts                       Anomaly
Cloud Security Groups Modifications by User               Modify Cloud Compute Configurations  Anomaly

Reference

Version: 1