Description

Monitor your AWS authentication events using your CloudTrail logs. Searches within this Analytic Story will help you stay aware of and investigate suspicious logins.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication
  • Last Updated: 2019-05-01
  • Author: Bhavin Patel, Splunk
  • ID: 2e8948a5-5239-406b-b56b-6c59f1268af3

Narrative

It is important to monitor and control who has access to your AWS infrastructure. Detecting suspicious logins to your AWS infrastructure will provide good starting points for investigations. Abusive behaviors caused by compromised credentials can lead to direct monetary costs, as you will be billed for any EC2 instances created by the attacker.

Detections

Name | Technique | Type
Detect AWS Console Login by User from New City | Unused/Unsupported Cloud Regions | Hunting
Detect AWS Console Login by User from New Country | Unused/Unsupported Cloud Regions | Hunting
Detect AWS Console Login by User from New Region | Unused/Unsupported Cloud Regions | Hunting
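The three hunting searches above share one idea: build a per-user baseline of where console logins normally come from, then flag the first login from a city, region or country not in that baseline. The following is an added illustration of that logic in plain Python over constructed CloudTrail ConsoleLogin records; it is not Splunk's own SPL, and the GEO lookup is a constructed stand-in for the geolocation enrichment (such as iplocation) that Splunk would apply, since CloudTrail itself records only sourceIPAddress.

```python
from collections import defaultdict

# Constructed stand-in for IP geolocation (ip -> city, region, country).
GEO = {
    "203.0.113.10": ("Seattle", "Washington", "US"),
    "192.0.2.55": ("Portland", "Oregon", "US"),
    "198.51.100.7": ("Dublin", "Leinster", "IE"),
}
FIELDS = ("city", "region", "country")

def login(time, user, ip, result="Success"):
    """Build a minimal constructed CloudTrail ConsoleLogin record."""
    return {"eventTime": time, "eventName": "ConsoleLogin",
            "userIdentity": {"userName": user}, "sourceIPAddress": ip,
            "responseElements": {"ConsoleLogin": result}}

# Constructed history: alice normally logs in from Seattle; a failed attempt
# from Dublin is ignored; later successes from Portland and Dublin are new.
EVENTS = [
    login("2019-04-01T08:00:00Z", "alice", "203.0.113.10"),
    login("2019-04-02T08:05:00Z", "alice", "203.0.113.10"),
    login("2019-04-03T09:00:00Z", "bob", "198.51.100.7"),
    login("2019-04-10T02:00:00Z", "alice", "198.51.100.7", "Failure"),
    login("2019-04-20T03:10:00Z", "alice", "192.0.2.55"),
    login("2019-04-21T03:10:00Z", "alice", "198.51.100.7"),
]

def find_new_location_logins(events, geo):
    """Return (user, eventTime, field, value) for each successful console
    login whose city/region/country was never seen for that user before.
    A user's very first login only seeds the baseline and is not flagged."""
    seen = defaultdict(lambda: {f: set() for f in FIELDS})
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventName") != "ConsoleLogin":
            continue
        if ev.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue  # failed logins are a separate detection, not baseline
        user = ev["userIdentity"].get("userName", "unknown")
        loc = geo.get(ev["sourceIPAddress"])
        if loc is None:
            continue  # no geo data, so this event cannot be baselined
        for field, value in zip(FIELDS, loc):
            if seen[user][field] and value not in seen[user][field]:
                findings.append((user, ev["eventTime"], field, value))
            seen[user][field].add(value)
    return findings

if __name__ == "__main__":
    for finding in find_new_location_logins(EVENTS, GEO):
        print(finding)
```

In Splunk the same baseline would come from a lookup built over a prior window rather than from in-memory history, but the triage question is identical: is this the first time this user has logged in from here?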

Reference

source | version: 1