-
Notifications
You must be signed in to change notification settings - Fork 333
/
previously_seen_cloud_api_calls_per_user_role___initial.yml
43 lines (43 loc) · 1.53 KB
/
previously_seen_cloud_api_calls_per_user_role___initial.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
name: Previously Seen Cloud API Calls Per User Role - Initial
id: 69d75f4b-b794-4a66-a777-730357b886b4
version: 1
date: '2020-09-03'
author: David Dorsey, Splunk
type: Baseline
datamodel:
- Change
description: This search builds a table of the first and last times seen for every
user role and command combination. This is broadly defined as any event that runs
or creates something. This table is then cached.
search: '| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen
from datamodel=Change where All_Changes.user_type=AssumedRole AND All_Changes.status=success
by All_Changes.user, All_Changes.command | `drop_dm_object_name("All_Changes")`
| eventstats min(firstTimeSeen) as globalFirstTime | eval enough_data = if(globalFirstTime
<= relative_time(now(), "-7d@d"), 1, 0) | table user, command, firstTimeSeen, lastTimeSeen,
enough_data | outputlookup previously_seen_cloud_api_calls_per_user_role'
how_to_implement: You must be ingesting Cloud infrastructure logs from your cloud
provider.
known_false_positives: none
references: []
tags:
analytic_story:
- Suspicious Cloud User Activities
detections:
- Cloud API Calls From Previously Unseen User Roles
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- All_Changes.user_type
- All_Changes.status
- All_Changes.user
- All_Changes.command
security_domain: network
deployment:
scheduling:
cron_schedule: 0 2 * * 0
earliest_time: -90d@d
latest_time: -1d@d
schedule_window: auto