This search looks for AWS CloudTrail events and counts the number of distinct `eventName` values beginning with Describe, List, or Get issued by a single user. A high count indicates that the user is enumerating the configuration of your AWS cloud environment, which is typical of reconnaissance after a credential compromise as well as of legitimate inventory and compliance tooling.
- Type: TTP
- Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2021-04-13
- Author: Patrick Bareiss, Splunk
- ID: 1fdd164a-def8-4762-83a9-9ffe24e74d5a
| ID | Technique | Tactic |
|---|---|---|
| T1526 | Cloud Service Discovery | Discovery |
```
`cloudtrail` eventName=Describe* OR eventName=List* OR eventName=Get*
| stats dc(eventName) as dc_events min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName values(src) as src values(userAgent) as userAgent by user userIdentity.arn
| where dc_events > 50
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_excessive_security_scanning_filter`
```
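The same detection logic, re-implemented in Python over a constructed CloudTrail log file so the grouping, distinct-count threshold and filter-macro step can be tested offline. This is an added example, not Splunk's own code; the `user` field is assumed to come from `userIdentity.userName` (falling back to the ARN), the allowlist stands in for the `aws_excessive_security_scanning_filter` macro, and all records and ARNs are made up for the example.

```python
"""Python equivalent of the CloudTrail excessive-scanning search (added example)."""
import json
from collections import defaultdict

THRESHOLD = 50                          # matches `where dc_events > 50`
PREFIXES = ("Describe", "List", "Get")  # matches eventName=Describe* OR List* OR Get*

# Stand-in for the `aws_excessive_security_scanning_filter` macro: principals
# that are approved to enumerate the account (constructed ARN, assumption).
ALLOWLISTED_ARNS = {"arn:aws:iam::123456789012:role/approved-inventory-scanner"}


def parse_cloudtrail(text):
    """Parse a CloudTrail log file: a JSON object with a 'Records' array."""
    return json.loads(text)["Records"]


def detect_excessive_scanning(records, threshold=THRESHOLD, allowlist=ALLOWLISTED_ARNS):
    """Group Describe*/List*/Get* events by (user, userIdentity.arn) and flag
    principals whose number of distinct eventNames exceeds the threshold."""
    groups = defaultdict(lambda: {"eventName": set(), "src": set(),
                                  "userAgent": set(), "times": []})
    for rec in records:
        name = rec.get("eventName", "")
        if not name.startswith(PREFIXES):
            continue
        ident = rec.get("userIdentity", {})
        arn = ident.get("arn", "")
        user = ident.get("userName") or arn   # assumption: `user` is userName
        g = groups[(user, arn)]
        g["eventName"].add(name)
        g["src"].add(rec.get("sourceIPAddress", ""))
        g["userAgent"].add(rec.get("userAgent", ""))
        g["times"].append(rec["eventTime"])   # ISO-8601 strings sort correctly

    findings = []
    for (user, arn), g in groups.items():
        if arn in allowlist:
            continue                          # filter macro drops approved scanners
        dc_events = len(g["eventName"])
        if dc_events <= threshold:
            continue
        findings.append({
            "user": user, "arn": arn, "dc_events": dc_events,
            "firstTime": min(g["times"]), "lastTime": max(g["times"]),
            "src": sorted(g["src"]), "userAgent": sorted(g["userAgent"]),
            "eventName": sorted(g["eventName"]),
        })
    return findings


def risk_score(impact, confidence):
    """Risk score as shown in the RBA table: impact * confidence / 100."""
    return impact * confidence / 100


def build_sample_log():
    """Constructed CloudTrail-style records: one user enumerating 60 distinct
    APIs, one doing routine work, and one allowlisted scanner with 70 calls."""
    def rec(user, arn, name, ip, ua, minute):
        return {
            "eventVersion": "1.08",
            "eventTime": f"2021-04-13T10:{minute:02d}:00Z",
            "eventName": name,
            "eventSource": "ec2.amazonaws.com",
            "sourceIPAddress": ip,
            "userAgent": ua,
            "userIdentity": {"type": "IAMUser", "userName": user, "arn": arn},
        }

    recon_arn = "arn:aws:iam::123456789012:user/recon-user"
    ops_arn = "arn:aws:iam::123456789012:user/ops-user"
    scanner_arn = "arn:aws:iam::123456789012:role/approved-inventory-scanner"
    records = []
    for i in range(60):  # constructed API names cycling through the three prefixes
        records.append(rec("recon-user", recon_arn, f"{PREFIXES[i % 3]}Resource{i}",
                           "198.51.100.7", "aws-cli/2.1.0", i))
    for i in range(5):   # a handful of reads plus one write that the search ignores
        records.append(rec("ops-user", ops_arn, f"DescribeThing{i}",
                           "203.0.113.5", "console.amazonaws.com", i))
    records.append(rec("ops-user", ops_arn, "RunInstances", "203.0.113.5",
                       "console.amazonaws.com", 6))
    for i in range(70):
        records.append(rec(None, scanner_arn, f"ListItem{i}", "10.0.0.9",
                           "inventory-tool/1.0", i % 60))
    return json.dumps({"Records": records})


if __name__ == "__main__":
    for f in detect_excessive_scanning(parse_cloudtrail(build_sample_log())):
        print(f"user {f['user']} has {f['dc_events']} distinct API calls from "
              f"{f['src']} between {f['firstTime']} and {f['lastTime']}")
```

Dropping the allowlist (passing `allowlist=set()`) makes the approved scanner surface as a second finding, which is exactly what happens in Splunk when the filter macro is left empty.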
Associated Analytic Story
How To Implement
You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with AWS CloudTrail logs, which must be ingested so that the `cloudtrail` macro resolves to them; the `user`, `src` and `userAgent` fields are expected to be populated by the add-on's field extractions.
Kill Chain Phase
- Actions on Objectives
Known False Positives
This search has no known false positives. Note, however, that legitimate inventory, compliance and security scanning tools also issue large numbers of distinct Describe, List and Get calls; exclude such principals through the `aws_excessive_security_scanning_filter` macro, or raise the threshold of 50 distinct event names to fit your environment.
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 18.0 | 30 | 60 | user $user$ has excessive number of api calls $dc_events$ from these IP addresses $src$, violating the threshold of 50, using the following commands $eventName$. |
source | version: 1