Try in Splunk Security Cloud


Detect and investigate dormant user accounts for your AWS environment that have become active again. Because inactive and ad-hoc accounts are common attack targets, it’s critical to enable governance within your environment.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2018-03-12
  • Author: Bhavin Patel, Splunk
  • ID: 2e8948a5-5239-406b-b56b-6c50f1269af3


It seems obvious that it is critical to monitor and control the users who have access to your cloud infrastructure. Nevertheless, it’s all too common for enterprises to lose track of ad-hoc accounts, leaving their servers vulnerable to attack. In fact, this was the very oversight that led to Tesla’s cryptojacking attack in February, 2018. In addition to compromising the security of your data, when bad actors leverage your compute resources, it can incur monumental costs, since you will be billed for any new EC2 instances and increased bandwidth usage. Fortunately, you can leverage Amazon Web Services (AWS) CloudTrail–a tool that helps you enable governance, compliance, and risk auditing of your AWS account–to give you increased visibility into your user and resource activity by recording AWS Management Console actions and API calls. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred. The detection searches in this Analytic Story are designed to help you uncover AWS API activities from users not listed in the identity table, as well as similar activities from disabled accounts.


Name Technique Type
ASL AWS Excessive Security Scanning Cloud Service Discovery Anomaly
AWS Excessive Security Scanning Cloud Service Discovery TTP
Detect API activity from users without MFA   Hunting
Detect AWS API Activities From Unapproved Accounts Cloud Accounts Hunting
Detect Spike in AWS API Activity Cloud Accounts Anomaly
Detect Spike in Security Group Activity Cloud Accounts Anomaly
Detect new API calls from user roles Cloud Accounts Anomaly


source | version: 1