/
abnormally_high_number_of_cloud_instances_destroyed.yml
63 lines (63 loc) · 2.53 KB
/
abnormally_high_number_of_cloud_instances_destroyed.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
name: Abnormally High Number Of Cloud Instances Destroyed
id: ef629fc9-1583-4590-b62a-f2247fbf7bbf
version: 1
date: '2020-08-21'
author: David Dorsey, Splunk
status: experimental
type: Anomaly
description: This search finds for the number successfully destroyed cloud instances
for every 4 hour block. This is split up between weekdays and the weekend. It then
applies the probability densitiy model previously created and alerts on any outliers.
data_source: []
search: '| tstats count as instances_destroyed values(All_Changes.object_id) as object_id
from datamodel=Change where All_Changes.action=deleted AND All_Changes.status=success
AND All_Changes.object_category=instance by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")`
| eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval
DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek
<= 5, 0, 1) | join HourOfDay isWeekend [summary cloud_excessive_instances_destroyed_v1]
| where cardinality >=16 | apply cloud_excessive_instances_destroyed_v1 threshold=0.005
| rename "IsOutlier(instances_destroyed)" as isOutlier | where isOutlier=1 | eval
expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) |
eval distance_from_threshold = instances_destroyed - expected_upper_threshold |
table _time, user, instances_destroyed, expected_upper_threshold, distance_from_threshold,
object_id | `abnormally_high_number_of_cloud_instances_destroyed_filter`'
how_to_implement: You must be ingesting your cloud infrastructure logs. You also must
run the baseline search `Baseline Of Cloud Instances Destroyed` to create the probability
density function.
known_false_positives: Many service accounts configured within a cloud infrastructure
are known to exhibit this behavior. Please adjust the threshold values and filter
out service accounts from the output. Always verify if this search alerted on a
human user.
references: []
tags:
analytic_story:
- Suspicious Cloud Instance Activities
asset_type: Cloud Instance
confidence: 50
impact: 50
message: tbd
mitre_attack_id:
- T1078.004
- T1078
observable:
- name: user
type: User
role:
- Victim
- name: dest
type: Hostname
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- All_Changes.object_id
- All_Changes.action
- All_Changes.status
- All_Changes.object_category
- All_Changes.user
risk_score: 25
security_domain: cloud